From 70e89d73d459d10a755554ecf4f112c48d39fafd Mon Sep 17 00:00:00 2001 From: hc-github-team-consul-core Date: Tue, 4 Jun 2024 14:38:33 -0700 Subject: [PATCH] Backport of docs: add a note for DNS resolver recommendations into release/1.18.x (#21256) * backport of commit deb3371f28ea81adcb8c626c9f929c340d1964cb * backport of commit 28315fda69c42bfe8c30acdac5a2a5357c26b222 * backport of commit 995e9a8e25e35a659357d6db95b9de14496df077 * backport of commit d27b6b6711316e5643198f20c4e49b0b49371c0d --------- Co-authored-by: dduzgun-security Co-authored-by: Deniz Onur Duzgun <59659739+dduzgun-security@users.noreply.github.com> --- website/content/docs/services/discovery/dns-configuration.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/content/docs/services/discovery/dns-configuration.mdx b/website/content/docs/services/discovery/dns-configuration.mdx index 3ce3205860..5e78494ce7 100644 --- a/website/content/docs/services/discovery/dns-configuration.mdx +++ b/website/content/docs/services/discovery/dns-configuration.mdx @@ -33,6 +33,8 @@ You can specify a list of addresses in the agent's [`recursors`](/consul/docs/ag Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. +We recommend that you configure DNS resolvers to point the `consul.` domain towards your Consul DNS servers. Misconfigurations may cause other DNS infrastructure to route queries for the `consul.` domain outside of your network instead, leaking DNS queries to root DNS servers. Refer to [Forward DNS for Consul Service Discovery](/consul/tutorials/networking/dns-forwarding) for instructions. + ### Enable non-Consul queries You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration. 
@@ -66,4 +68,4 @@ Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always ### Caching -By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching. \ No newline at end of file +By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.
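Review bot: In the first hunk (`@@ -33,6 +33,8 @@`), the added paragraph does not say which resolvers it means, and its position invites a wrong reading. It follows the `recursors` text, which covers Consul sending queries outside the `consul.` domain to an upstream DNS. The new recommendation is about the opposite direction: other resolvers sending `consul.` queries to the Consul DNS servers. A reader can take "configure DNS resolvers" to refer to the `recursors` list. Suggest naming the resolvers explicitly, for example "the DNS resolvers used by your nodes and other DNS infrastructure", and replacing "Misconfigurations may cause" with the concrete condition, such as a resolver that has no forwarding rule for `consul.`. Because the stated consequence is queries leaving the network, it would also help to say that the names queried under `consul.` are what reach the root DNS servers, and to consider moving the paragraph under its own heading or into a callout so it is not read as part of the `recursors` description.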