Boulder external DNS

pmcatominey · March 23, 2023, 12:33pm

Hi,

Configuring Boulder for use in our testing environment so we can have confidence before testing against the staging server in pre-production.

I'm having trouble getting Boulder to verify dns-01 challenge records, the deployment/production wiki page appears to be outdated. It mentions a dnsResolvers config option however this now appears to be dnsResolver pointed at service.consul for gRPC service discovery.

Changing this prevents Boulder from starting up properly, and configuring Consul to forward queries for external domains with the recursors option does not resolve the issue.

Is there an option I'm missing?

mcpherrinm · March 23, 2023, 2:16pm

The dnsResolver setting in the VA configuration should be pointed at a DNS server which can resolve the DNS-01 challenges. It appears the wiki page wasn't updated after Deprecate field DNSResolvers from VA Config · Issue #5505 · letsencrypt/boulder · GitHub

I'll ask somebody to update the docs. In the meantime you'll probably have to read the code to understand how DNS is set up.

The key insight is that we use DNS (ie, consul) to get SRV records for more DNS servers which do the actual lookups.

pmcatominey · March 23, 2023, 2:33pm

When I've tried this, the VA service fails to boot as it wants SRV records from the configured resolver:

[AUDIT] Couldn't start dynamic DNS server resolver: failed to start dynamic provider: failed to lookup SRV records for "1.1.1.1:53": lookup _dns._udp.1.1.1.1:53: no such host

mcpherrinm · March 23, 2023, 2:52pm

Yes, it's trying to use the configured internal DNS server to get a SRV record for our external DNS resolvers.

pmcatominey · March 23, 2023, 2:53pm

Thanks, I had interpreted the error as an attempt to pull SRV records for the other components in consul.

I'll setup SRV records for our resolvers then.

mcpherrinm · March 23, 2023, 2:58pm

For reference, here's what it looks like in a test environment I have:

dig +short SRV _dns._udp.resolver.service
10 100 5301 vm-dns01.
10 100 5301 vm-dns02.

vm-dns01 and vm-dns02 have an Unbound DNS server listening on port 5301 which can resolve toward the internet. Our unbound config looks something like https://unboundtest.com/conf

pmcatominey · March 24, 2023, 11:38am

Thank you, appreciate the help!

mcpherrinm · March 24, 2023, 2:41pm

And thank you for pointing out the documentation gap here!

Tepes · April 7, 2023, 1:06pm

@mcpherrinm
Hello,

we don't use Boulder in Production, but our test domains are not in private network.
What should we do if we need to resolve domains using External dns resolver?
I used "dnsResolvers" value ["8.8.8.8:53"] to resolve my domains in AWS and it worked fine. But now i'm little bit confused. Am i able to use Google DNS again as well?

i tried to add recursors = ["8.8.8.8"] to config.hlc but it didn't help.

orangepizza · April 10, 2023, 7:32am

as it posted upper thread it calls an internel dns _ and on that dns server set record on

_dns._udp.resolver.service

set real dns name to be called to used at actual lockup

Tepes · April 10, 2023, 8:50am

Many thanks to you, your message cleared my mind. I fixed consul's config and it works now.

Thank you one more time!

system · May 10, 2023, 8:51am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.