Skip to content

Consul and DNS


There is a lot here. I've done my best to make things correct, but I'm also still learning how a lot of nomad, consul, etc... work and their best practices. It's entirely possible I missed something or could have done something better.

In the last couple posts I described how to setup a small(ish) Hashi Nomad and Consul cluster. Using Consul for service discovery is something that took me a little while to figure out.

Lets start by spinning up the whoami job if you haven't already.

whoami job definition
job "whoami" {
  datacenters = ["dc1"]

  type = "service"

  group "demo" {
    count = 1

    network {
      port "http" {
        to = 80

    service {
      name = "whoami-demo"
      port = "http"
      provider = "consul"

    task "server" {
      resources {
        cpu    = 10
        memory = 10

      env {

      driver = "docker"

      config {
        image = "traefik/whoami"
        force_pull = true
        ports = ["http"]

The Problem

Normally nomad will spin up the job on a random node with a random port. You could then access the service by navigating to http://10.28.0..41:31106/. Well that url sucks... We want our users to be able to use something like

The high level overview is that Consul can respond to DNS requests on port 8600 by default. Lets keep using whoami as an example. We whoami-demo running on one of the nodes. You can point nslookup at one of your consul nodes, on port 8600, and it should respond with the A record of the host running the service.

nslookup -port=8600 whoami-demo.service.dc1.consul
# or
nslookup -port=8600 whoami-demo.service.consul
Non-authoritative answer:
Name:    whoami-demo.service.dc1.consul

DNS forwarding

The first step is to create a conditional forwarder in DNS your internal dns environment for the domain consul. That domain should forward dns requests to some of your consul servers.


The steps for setting up a conditional forwarder varies by DNS server. Personally I use Technitium DNS, but bind, or Windows Server DNS would work.

In my case I have it forwarding to:


You should now be able to resolve the service by dns name.

nslookup whoami-demo.service.dc1.consul
# or for a more generalize service address
nslookup whoami-demo.service.consul
Non-authoritative answer:
Name:    whoami-demo.service.dc1.consul

In we web browser you should also be able to go to http://whoami-demo.service.dc1.consul:31106. Sadly the URL still sucks.

CNAME for your Main Domain

We can make this a little better.

Create a CNAME record in your main zone ( for me) as follows. -> whoami-demo.service.dc1.consul

Now you should be able to access the web app at the following address

That address still sucks, but it's a little better.


This can be made better with Traefik. Traefik allows you to do SSL offload and acts as an ingress for web apps in the cluster.

I was planning to add the Traefik setup to this post as well, but it was getting a little long. I'll seperate out Traefik into it's own post.