From deb3371f28ea81adcb8c626c9f929c340d1964cb Mon Sep 17 00:00:00 2001 From: dduzgun-security Date: Mon, 3 Jun 2024 14:27:18 -0400 Subject: [PATCH] add a warning to DNS resolver configurations --- .../content/docs/services/discovery/dns-configuration.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/website/content/docs/services/discovery/dns-configuration.mdx b/website/content/docs/services/discovery/dns-configuration.mdx index 3ce3205860..06c9e2895e 100644 --- a/website/content/docs/services/discovery/dns-configuration.mdx +++ b/website/content/docs/services/discovery/dns-configuration.mdx @@ -33,6 +33,9 @@ You can specify a list of addresses in the agent's [`recursors`](/consul/docs/ag Nodes that query records outside the `consul.` domain resolve to an upstream DNS. You can specify IP addresses or use `go-sockaddr` templates. Consul resolves IP addresses in the specified order and ignores duplicates. +> [!WARNING] +> We recommend configuring your DNS resolvers to point the `consul.` domain towards your Consul DNS server(s). Misconfigurations can result in queries for the `consul.` domain being routed outside of your network instead, leaking DNS queries to root DNS servers. + ### Enable non-Consul queries You enable non-Consul queries to be resolved by setting Consul as the DNS server for a node and providing a [`recursors`](/consul/docs/agent/config/config-files#recursors) configuration. @@ -66,4 +69,4 @@ Responses to pointer record (PTR) queries, such as `.in-addr.arpa.`, always ### Caching -By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching. \ No newline at end of file +By default, DNS results served by Consul are not cached. Refer to [DNS caching](/consul/docs/services/discovery/dns-cache) for instructions on how to enable caching.
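Review bot: the warning added in the first hunk (the `> [!WARNING]` block after the `recursors` paragraph) says what to do but not what is exposed, so a reader cannot judge the severity. Suggest stating the concrete consequence: `consul.` is not a public TLD, so a query for something like `web.service.consul.` that escapes to an upstream recursor walks the public hierarchy and is answered NXDOMAIN, which means the internal service and node names carried in the query name are disclosed to every resolver on that path. Two smaller points in the same lines: "point the `consul.` domain towards your Consul DNS server(s)" reads better as "forward the `consul.` domain to your Consul DNS server(s)", and the block uses GitHub-flavored `[!WARNING]` alert syntax inside an `.mdx` page; confirm the docs site renders that as an admonition rather than a plain blockquote, and otherwise use the site's own warning component.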
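Review bot: the second hunk only adds the newline that was missing at end of file after the "Caching" paragraph; it is unrelated to the subject line but harmless, and fine to keep in this patch.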