ansible-collections / ansible-consul

:satellite: Ansible role for Hashicorp Consul clusters
https://galaxy.ansible.com/ansible-community/consul/
BSD 2-Clause "Simplified" License

Improvement idea for iptables DNS forwarding #149

Open xlucas opened 6 years ago

xlucas commented 6 years ago

Hello,

Thank you for your work!

I was thinking about iptables DNS forwarding and I realized an improvement could be brought to it. I like to use iptables for this because it is a minimally invasive and yet simple solution.

For now, the iptables rules in the consul documentation, implemented in this role, are not super useful because they require local applications to explicitly query the local consul DNS, since anything running on the machine relies on resolv.conf, which most likely has already been set through DHCP with the recursors made available by your cloud provider.

It would be better with transparent forwarding while still using provided recursors. To do this, we simply need to populate consul recursors with the right value and make sure only DNS traffic that is not related to the consul user is redirected to consul.

The former is trivial since the variable is already there and we just need to set it to ansible_dns.nameservers in the playbook; the latter can be implemented by taking advantage of the iptables owner module, with something like this:

[...] -m owner ! --uid-owner consul --dport 53 -j REDIRECT --to-ports 8600

Did I miss something, or does it sound like it could be of some use here?
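The transparent forwarding sketched above, written out as an added example. This is not code from the ansible-consul role or from Consul; it assumes Consul runs as the local user "consul" and serves DNS on 127.0.0.1:8600 (Consul's default), and that the host's resolv.conf holds the DHCP-provided resolvers that should become Consul's recursors.

```sh
#!/bin/sh
# Added example, not part of the ansible-consul role or of Consul itself.
# Assumed: Consul runs as local user "consul" and answers DNS on 127.0.0.1:8600.

CONSUL_USER="${CONSUL_USER:-consul}"
CONSUL_DNS_PORT="${CONSUL_DNS_PORT:-8600}"

# Emit a Consul "recursors" JSON fragment from the nameserver lines of the
# given resolv.conf. Consul forwards non-.consul queries to these, so they
# must be the real upstream resolvers; a loopback entry would loop back into
# the redirect below and is skipped.
recursors_from_resolv() {
    resolv="$1"
    list=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" {
                    printf "%s\"%s\"", sep, $2; sep = ", "
                }' "$resolv")
    printf '{"recursors": [%s]}\n' "$list"
}

# Print the nat rules, one command per line. "-m owner" only matches locally
# generated packets, so the rules belong in the OUTPUT chain. Excluding the
# consul uid is what keeps Consul's own queries to the recursors (also port 53)
# from being redirected back to Consul. Both udp and tcp are covered, since
# resolvers fall back to tcp for large answers.
consul_dns_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A OUTPUT -p %s --dport 53 -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
            "$proto" "$CONSUL_USER" "$CONSUL_DNS_PORT"
    done
}

# Apply mode: refuse to install the rules if the consul user does not exist,
# because "! --uid-owner consul" would then be rejected and nothing installed,
# or, with a wrong user name, nothing would be excluded from the redirect.
apply_rules() {
    if ! id -u "$CONSUL_USER" >/dev/null 2>&1; then
        echo "user $CONSUL_USER not found; refusing to install rules" >&2
        return 1
    fi
    consul_dns_rules | while read -r rule; do
        # word splitting is intended: each line is one complete command
        $rule || exit 1
    done
}

case "${1:-}" in
    recursors) recursors_from_resolv "${2:-/etc/resolv.conf}" ;;
    rules)     consul_dns_rules ;;
    apply)     apply_rules ;;
esac
```

Two caveats worth keeping in mind with this approach: once the rules are in place every local resolver query depends on Consul being up, so a stopped agent means no name resolution at all for non-consul processes; and these rules only cover IPv4, so a host whose resolv.conf lists IPv6 resolvers needs the same rules in ip6tables.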

brianshumate commented 6 years ago

I think this would be a great change!