add a warning to DNS resolver configurations

pull/21250/head
dduzgun-security 6 months ago
parent 544ce7b9d4
commit deb3371f28
No known key found for this signature in database
GPG Key ID: 6C3D93CAE50C7EC9

@ -33,6 +33,9 @@ You can specify a list of addresses in the agent's [`recursors`](/consul/docs/ag
Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates.
> [!WARNING]
> We recommend configuring your DNS resolvers to point the `consul.` domain towards your Consul DNS server(s). Misconfigurations can result in queries for the `consul.` domain being routed outside of your network instead, leaking DNS queries to root DNS servers.
### Enable non-Consul queries
You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration.
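Review bot: The new `[!WARNING]` callout says "your DNS resolvers" directly under the paragraph about the agent's `recursors`, so a reader can take it to mean the `recursors` list rather than the resolver configuration on the nodes and clients that send the queries. Say explicitly which resolver is meant. The callout also tells the reader to point the `consul.` domain at the Consul DNS server(s) without saying how, so a link to the relevant forwarding instructions would make it actionable, if the docs have such a page. It would also help to state what leaks when queries are routed outside the network (the names being queried under `consul.`), so the reader can judge the exposure.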
@ -66,4 +69,4 @@ Responses to pointer record (PTR) queries, such as `<ip>.in-addr.arpa.`, always
### Caching
By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.
By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.
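Review bot: The removed and added "By default, DNS results served by Consul are not cached." lines in this hunk read identically, so the change looks like whitespace only or an end-of-file newline. It is unrelated to the warning, so either drop it from this commit or mention it in the commit message so the file history stays readable.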
