This is roughly how we've integrated consul dns at client sites. Bind config still needs updating if/when mesos dns relocates.
--sent from my phone
On Apr 2, 2015 10:30 AM, "John Omernik" <[email protected]> wrote:

> Based on my earlier emails about the state of service discovery, I did
> some research and a little writeup on how to use mesos-dns as a forward
> lookup zone in an enterprise bind installation. I feel this is more secure,
> and more comfortable for an enterprise DNS team, as opposed to changing the
> first resolver on every client that may interact with mesos to be the
> mesos-dns server. Please feel free to modify/correct and include this in
> the mesos-dns documentation if you feel it's valuable.
>
> Goals/Thought Process
> - Run mesos-dns on a non-standard port (such as 8053). This allows you
>   to run it as a non-root user.
> - While most DNS clients may not understand this (a different port), in an
>   enterprise, most DNS servers will respect a forward lookup zone with a
>   server using a different port.
> - The setup below for BIND9 allows you to keep all your mesos servers AND
>   clients in an enterprise pointing their requests at your enterprise DNS
>   server, rather than mesos-dns.
> - This is easier from an enterprise configuration standpoint. Make one
>   change on your dns servers, rather than adding a resolver on all the
>   clients.
> - This is more secure in that you can run mesos-dns as non-root (53 is a
>   privileged port, 8053 is not); no sudo required.
> - For more security, you can limit connections to the mesos-dns server
>   to only your enterprise dns servers. This could help mitigate any unknown
>   vulnerabilities in mesos-dns.
> - This allows you to HA mesos-dns in that you can specify multiple
>   resolvers for your bind configuration.
>
> Bind9 Config
> This was put into my named.conf.local. It sets up the .mesos zone and
> forwards to mesos dns. All my mesos servers already pointed at this server,
> therefore no client changes required.
>
> #192.168.0.100 is my host running mesos DNS
> zone "mesos" {
>     type forward;
>     forward only;
>     forwarders { 192.168.0.100 port 8053; };
> };
>
> config.json mesos-dns config file.
> I DID specify my internal DNS server in the resolvers (192.168.0.10);
> however, I am not sure if I need to do this, since only requests for
> .mesos will actually be sent to mesos-dns.
>
> {
>   "masters": ["192.168.0.98:5050"],
>   "refreshSeconds": 60,
>   "ttl": 60,
>   "domain": "mesos",
>   "port": 8053,
>   "resolvers": ["192.168.0.10"],
>   "timeout": 5,
>   "listener": "0.0.0.0",
>   "email": "root.mesos-dns.mesos"
> }
>
> marathon start json
> Note the lack of sudo here. I also constrained it to one host for now, but
> that could change if needed.
>
> {
>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>   "cpus": 1.0,
>   "mem": 1024,
>   "id": "mesos-dns",
>   "instances": 1,
>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
> }
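An added consistency check for the forward-zone setup described in the thread (not code from the thread or from mesos-dns): it parses the BIND zone stanza and the mesos-dns config.json, then reports where the two disagree (zone name vs "domain", forwarder port vs "port") and where the hardening points the mail lists are unmet (privileged port, listener open to every host, a single forwarder). The two samples are constructed copies of the thread's configs; nothing is read from disk.

```python
import json
import re

# Constructed sample modelled on the named.conf.local stanza in the thread.
NAMED_CONF_LOCAL = """
#192.168.0.100 is my host running mesos DNS
zone "mesos" {
    type forward;
    forward only;
    forwarders { 192.168.0.100 port 8053; };
};
"""
# Constructed sample modelled on the mesos-dns config.json in the thread.
MESOS_DNS_CONFIG = """{
  "masters": ["192.168.0.98:5050"], "refreshSeconds": 60, "ttl": 60, "domain": "mesos",
  "port": 8053, "resolvers": ["192.168.0.10"], "timeout": 5, "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}"""
# One forwarder entry: "a.b.c.d;" or "a.b.c.d port N;"
FORWARDER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:\s+port\s+(\d+))?\s*;")

def parse_forward_zones(named_conf):
    """Map each 'type forward' zone to its [(ip, port)] forwarders (port defaults to 53)."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', named_conf):
        depth, i = 1, m.end()
        while depth and i < len(named_conf):  # walk to the brace that closes this zone
            depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
            i += 1
        body = named_conf[m.end():i - 1]
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        if fwd and re.search(r"type\s+forward\s*;", body):
            zones[m.group(1)] = [(ip, int(port or 53)) for ip, port in FORWARDER_RE.findall(fwd.group(1))]
    return zones

def check_setup(named_conf, mesos_dns_json):
    """Return findings: BIND/mesos-dns disagreements plus unmet hardening points from the thread."""
    cfg = json.loads(mesos_dns_json)
    fwds = parse_forward_zones(named_conf).get(cfg["domain"])
    if fwds is None:
        return [f'no forward zone "{cfg["domain"]}" in BIND config']
    findings = [f"port mismatch: {ip} forwarded on {port}, mesos-dns listens on {cfg['port']}"
                for ip, port in fwds if port != cfg["port"]]
    if cfg["port"] < 1024:
        findings.append("privileged port: mesos-dns would need root to bind")
    if cfg["listener"] == "0.0.0.0":
        findings.append("listener 0.0.0.0: restrict reachability to the BIND servers (firewall/ACL)")
    if len(fwds) < 2:
        findings.append("single forwarder: no mesos-dns redundancy")
    return findings
```

Run against the thread's own configs it reports two findings: the open listener and the single forwarder, which match the two points the mail itself says it has not yet done (restricting who can reach mesos-dns, and adding a second resolver for HA).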

