hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Need to support skipping dns request when acl enabled #10896

Closed Hjemsokt closed 3 years ago

Hjemsokt commented 3 years ago

Feature Description

Support DNS requests and ACLs at the same time

Use Case(s)

Nessus report: A remote, unauthenticated attacker may be able to access the Consul Web UI and API to gather data, register services and gain remote access. We can add ACLs to avoid this problem, but we still need DNS requests at the same time. Could it be supported at the same time?

jkirschner-hashicorp commented 3 years ago

Hi @Hjemsokt,

Q: What pages in our documentation did you look for information on whether (and how) this was possible (DNS with ACL)? Perhaps there's an opportunity to improve our documentation in this area.

I actually have a pull request open that attempts to clarify how to use DNS with ACLs. Please take a look and let me know if there's anything that still seems missing or confusing.

In summary, when a DNS request is made to a Consul agent, the agent will use a previously configured token with the request (since there is no means for the initial DNS request to specify a token):
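A minimal client-agent configuration and ACL policy for the setup described above, added here as an illustration and not taken from the issue or from Consul's documentation. The token secret and the policy file name are placeholders; the binding of the policy to the token is assumed to have been done separately.

```hcl
# Added example (not from the issue): a client agent that answers DNS
# queries while ACLs are enforced.
# A DNS query cannot carry a token, so Consul resolves it with the
# agent's default token; whatever that token can read, any DNS client
# can discover.

# agent.hcl (client agent on each application host)
acl {
  enabled        = true
  default_policy = "deny"
  tokens {
    # Secret of a token bound to the read-only policy below (placeholder)
    default = "<secret-of-dns-read-token>"
  }
}

# The same default token also answers HTTP/UI requests that arrive
# without a token, so keep the HTTP listener on loopback and expose
# only the DNS listener on the network.
addresses {
  http = "127.0.0.1"
  dns  = "0.0.0.0"
}

# dns-read.hcl (placeholder name): policy attached to the default token.
# Node and service read access is all that DNS lookups require; no
# write rules, so the token cannot register or alter services.
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
```

With this split, the DNS answers on port 8600 are served through the read-only default token, while any request that should register or change services must reach a server's HTTP API with its own token.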

Hjemsokt commented 3 years ago

Thank you very much, I found a way to solve this problem. The old arch was multi servers; now, one agent is added to each machine with a default token, not forwarding its HTTP ports, and the servers still open their HTTP port. Thus DNS can directly visit clients, and others can visit servers with ACLs.