Learn how to configure different DNS servers to perform DNS forwarding to Consul servers.
---
# Enable DNS forwarding
This page describes the process to enable DNS forwarding to Consul servers.
You can apply these operations on every node where a Consul agent is running.
## Requirements
To enable DNS forwarding, your deployment must have the following:
- A running Consul server instance
- One or more Consul client nodes with registered services in the Consul catalog
- The `iptables` command available, or one of the following local DNS servers:
- [systemd-resolved](#systemd-resolved)
- [BIND](#bind)
- [Dnsmasq](#dnsmasq)
- [Unbound](#unbound)
- [macOS system resolver](#macos)
### Network address configuration
The example configurations on this page assumes Consul's DNS server is listening on the loopback interface on the same node of the local DNS server.
If Consul is not listening on the loopback IP, replace the references to `localhost` and `120.0.0.1` in the configuration and commands with the appropriate IP address for your environment.
## systemd-resolved
[`systemd-resolved`](https://www.freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html) is a system service that provides network name resolution to local applications. It is the default local DNS server for many Linux distributions.
To configure the `systemd-resolved` service so that it sends `.consul` domain queries to Consul, create a `consul.conf` file located in the `/etc/systemd/resolved.conf.d/` directory.
<Tabs>
<Tab heading="systemd 245 and older">
Add a `[Resolve]` section to your resolved configuration.
When using systemd 245 and older, you cannot specify port numbers in the `DNS` configuration field. systemd-resolved only uses port `53`, which is a privileged port.
When you cannot specify ports for the system's configuration, there are two workarounds:
- [Configure Consul DNS service to listen on port `53`](/consul/docs/agent/config/config-files#dns_port) instead of `8600`.
- Map port `53` to `8600` using `iptables`.
Binding to port `53` usually requires running Consul as a privileged user or running Linux with the `CAP_NET_BIND_SERVICE` capability.
When using the Consul Docker image, add the following to the environment to allow Consul to use the port: `CONSUL_ALLOW_PRIVILEGED_PORTS=yes`.
To avoid running Consul as a privileged user, the following `iptables` commands are sufficient to map port `53` to `8600` and redirect DNS queries to Consul.
Confirm that the IP address for `systemd-resolved`'s stub resolver is the configured `nameserver`.
<CodeBlockConfig>
```shell-session
$ cat /etc/resolv.conf
## This file is managed by man:systemd-resolved(8). Do not edit.
##
## This is a dynamic resolv.conf file for connecting local clients to the
## internal DNS stub resolver of systemd-resolved. This file lists all
## configured search domains.
##
## Run "resolvectl status" to see details about the uplink DNS servers
## currently in use.
##
## Third party programs must not access this file directly, but only through the
## symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
## replace this symlink by a static file or a different symlink.
##
## See man:systemd-resolved.service(8) for details about the supported modes of
## operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
```
</CodeBlockConfig>
Ensure that the operating system can resolve DNS queries to the `.consul` domain.
```shell-session
$ host consul.service.consul
consul.service.consul has address 127.0.0.1
```
### Using any local resolver with systemd
By default, the local resolver stub in the `resolved.conf` file is configured to listen for UDP and TCP requests at `127.0.0.53:53`. However, you can set the `DNSStubListener` option to `false` so that your system can use any DNS configuration, as long as it loads earlier than `resolved`.
Use [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) if you have a small network and need a lightweight DNS solution.
<Note>
If your distribution uses systemd, disable `systemd-resolved` before you follow these steps.
</Note>
Configure the `dnsmasq.conf` file or a series of files in the `/etc/dnsmasq.d` directory. Add server settings to your configuration file so that requests for the `consul` domain are forwarded to Consul DNS.
# Uncomment and modify as appropriate to enable reverse DNS lookups for
# common netblocks found in RFC 1918, 5735, and 6598:
#rev-server=0.0.0.0/8,127.0.0.1#8600
#rev-server=10.0.0.0/8,127.0.0.1#8600
#rev-server=100.64.0.0/10,127.0.0.1#8600
#rev-server=127.0.0.1/8,127.0.0.1#8600
#rev-server=169.254.0.0/16,127.0.0.1#8600
#rev-server=172.16.0.0/12,127.0.0.1#8600
#rev-server=192.168.0.0/16,127.0.0.1#8600
#rev-server=224.0.0.0/4,127.0.0.1#8600
#rev-server=240.0.0.0/4,127.0.0.1#8600
# Accept DNS queries only from hosts whose address is on a local subnet.
#local-service
# Don't poll /etc/resolv.conf for changes.
#no-poll
# Don't read /etc/resolv.conf. Get upstream servers only from the command
# line or the dnsmasq configuration file (see the "server" directive below).
#no-resolv
# Specify IP address(es) of other DNS servers for queries not handled
# directly by consul. There is normally one 'server' entry set for every
# 'nameserver' parameter found in '/etc/resolv.conf'. See dnsmasq(8)'s
# 'server' configuration option for details.
#server=1.2.3.4
#server=208.67.222.222
#server=8.8.8.8
# Set the size of dnsmasq's cache. The default is 150 names. Setting the
# cache size to zero disables caching.
#cache-size=65536
```
</CodeBlockConfig>
Restart the `dnsmasq` service after creating the configuration.
Refer to [`dnsmasq(8)`](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for additional configuration settings such as specifying IP addresses for queries not handled directly by Consul.
## BIND
[BIND](https://www.isc.org/bind/) is a robust DNS system. Its most prominent component, `named`, performs both of the main DNS server roles, acts as an authoritative name server for DNS zones, and is a recursive resolver in the network.
<Note>
If your distribution uses systemd, disable `systemd-resolved` before you follow these steps.
</Note>
To configure the BIND service to send `.consul` domain queries to Consul:
1. Create a `named` configuration file with `DNSSEC` disabled.
1. Create a zone configuration file to manage the `.consul` domain.
### Named configuration file
Edit the `/etc/named.conf` to configure your BIND instance. Remember to disable `DNSSEC` so that Consul and BIND can communicate. Add an `include` section to include the zone file that you create in the next step.
The following example shows a BIND configuration with `DNSSEC` disabled.
[iptables](https://www.netfilter.org/projects/iptables/index.html) is a generic firewalling software that allows you to define traffic rules for your system.
If you do not have a local DNS server on the Consul agent node, use `iptables` to forward DNS requests on port `53` to the Consul agent running on the same machine without using a secondary service.
This configuration realizes full DNS forwarding, which means that all DNS queries for the host are forwarded to Consul, not just the ones for the `.consul` top level domain. Consul's default configuration resolves only the `.consul` top level domain, so you must set the [`recursors`](/consul/docs/agent/config/config-files#recursors) flag if you want your node to be able to resolve other domains when using `iptables` configuration.
If you use DNS relay hosts in your network, do not place them on the same host as Consul. The redirects may intercept the traffic.
On macOS systems, use the macOS system resolver to point all `.consul` requests to Consul.
The `man 5 resolver` command describes this feature in more detail.
The following instructions require `sudo` or root access.
To configure the macOS system resolver to forward DNS queries to Consul, add a resolver entry in the `/etc/resolver/` directory that points at the Consul agent.
If you do not have this folder, create it.
```shell-session
# mkdir -p /etc/resolver
```
Create a new file `/etc/resolver/consul` with `nameserver` and `port` entries.
<CodeBlockConfig filename="/etc/resolver/consul">
```plaintext
nameserver 127.0.0.1
port 8600
```
</CodeBlockConfig>
The configuration informs the macOS resolver daemon to forward all `.consul` TLD requests to `127.0.0.1` on port `8600`.
## Next steps
This instructions on this page helped you configure your node to forward DNS requests to Consul.
To learn more on how to query Consul DNS once forwarding is enabled, refer to [DNS forwarding workflow](/consul/docs/services/discovery/dns-forwarding#workflow).
For more information on other DNS features and configurations available in Consul, refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview).