Introduction

Consul provides service discovery via DNS at port 8600. When DNS resolution returns wrong addresses or fails, services can't discover each other, causing connectivity failures and application errors.

Symptoms

Wrong IP returned:

```bash
$ dig @localhost -p 8600 web.service.consul

;; ANSWER SECTION:
web.service.consul.  0  IN  A  10.0.0.5   # Wrong IP
# Expected: 10.0.0.10
```

No service found:

```bash
$ dig @localhost -p 8600 api.service.consul

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN
# Service should exist but returns NXDOMAIN
```

Stale DNS records:

```bash
$ dig @localhost -p 8600 db.service.consul

;; ANSWER SECTION:
db.service.consul.  0  IN  A  10.0.0.20   # Old IP, service moved
```

Common Causes

  1. Stale service registration - Service deregistered but record cached
  2. Health check failing - Unhealthy services filtered out
  3. DNS TTL too high - Old records cached too long
  4. Service tags wrong - Querying wrong tag
  5. Node partitioned - Agent lost contact with cluster
  6. Multiple datacenters - Querying wrong datacenter
  7. DNS configuration - Stub resolver or forwarding issues

Step-by-Step Fix

Step 1: Check Service Registration

```bash
# List all services
consul catalog services

# Get service instances
consul catalog nodes -service=web

# Query via API
curl http://localhost:8500/v1/catalog/service/web

# Check specific service health (quoted so the shell does not treat "?" as a glob)
curl "http://localhost:8500/v1/health/service/web?passing"

# Check service via DNS
dig @localhost -p 8600 web.service.consul
```

Step 2: Check Service Health

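```bash
# List health checks registered on the local agent
curl http://localhost:8500/v1/agent/checks

# Get failing checks across the datacenter
curl http://localhost:8500/v1/health/state/critical

# Check specific service health
curl http://localhost:8500/v1/health/service/web

# Check node health
consul members

# If the service is marked unhealthy, fix the health check. DNS names take no
# query parameters; the passing filter exists only on the HTTP API.
curl "http://localhost:8500/v1/health/service/web?passing"
dig @localhost -p 8600 web.service.consul
```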
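Steps 1 and 2 come down to one comparison: the addresses DNS returns should equal the addresses of the instances the health API does not filter out. The following added example (not part of the original article) performs that comparison on constructed sample data; the function names and the sample JSON and `dig +short` output are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed response of GET /v1/health/service/web
HEALTH_JSON = """[
 {"Node": {"Node": "n1", "Address": "10.0.0.10"},
  "Service": {"ID": "web-1", "Address": "", "Port": 8080},
  "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
             {"CheckID": "web-health", "Status": "passing"}]},
 {"Node": {"Node": "n2", "Address": "10.0.0.11"},
  "Service": {"ID": "web-2", "Address": "10.0.0.12", "Port": 8080},
  "Checks": [{"CheckID": "serfHealth", "Status": "passing"},
             {"CheckID": "web-health", "Status": "warning"}]},
 {"Node": {"Node": "n3", "Address": "10.0.0.5"},
  "Service": {"ID": "web-3", "Address": "", "Port": 8080},
  "Checks": [{"CheckID": "serfHealth", "Status": "critical"}]}
]"""

# Constructed sample: output of `dig +short @localhost -p 8600 web.service.consul`
DIG_SHORT = "10.0.0.5\n10.0.0.10\n"


def expected_addresses(entries, only_passing=False):
    """Addresses DNS should serve: instances with a critical check are
    dropped; with only_passing, instances with a warning check are too."""
    blocked = {"critical", "warning"} if only_passing else {"critical"}
    out = set()
    for e in entries:
        if any(c["Status"] in blocked for c in e["Checks"]):
            continue
        # An empty service address means the node address is advertised.
        out.add(e["Service"].get("Address") or e["Node"]["Address"])
    return out


def diagnose(health_json, dig_short, only_passing=False):
    """Return DNS answers with no healthy instance, and healthy instances
    that DNS did not return."""
    want = expected_addresses(json.loads(health_json), only_passing)
    got = {line.strip() for line in dig_short.splitlines() if line.strip()}
    return {"unexpected": sorted(got - want), "missing": sorted(want - got)}


if __name__ == "__main__":
    print(diagnose(HEALTH_JSON, DIG_SHORT))
    print(diagnose(HEALTH_JSON, DIG_SHORT, only_passing=True))
```

An `unexpected` address points at a stale record or a cache between the client and Consul. A `missing` address can be benign when the service has more instances than the UDP answer limit allows in one response.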

Step 3: Verify Service Tags

```bash
# List services with tags
consul catalog services -tags

# Query by tag (format is tag.name.service.consul, so the tag comes first)
dig @localhost -p 8600 prod.web.service.consul

# Via API with tag filter
curl "http://localhost:8500/v1/catalog/service/web?tag=prod"

# Register service with correct tags
consul services register -name=web -tag=prod -tag=v1 -address=10.0.0.10 -port=8080
```

Step 4: Check DNS Configuration

```bash
# Verify Consul DNS port
netstat -tulpn | grep 8600

# Test Consul DNS directly
dig @127.0.0.1 -p 8600 web.service.consul

# Check DNS settings (recursors, TTLs, only_passing) in the running agent.
# These are agent configuration, not a config entry, so `consul config read`
# does not show them.
curl -s http://localhost:8500/v1/agent/self \
  | jq '.DebugConfig | with_entries(select(.key | startswith("DNS")))'
```

Step 5: Configure DNS TTL

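```json
{
  "recursors": ["8.8.8.8", "8.8.4.4"],
  "node_meta": {},
  "dns_config": {
    "service_ttl": { "*": "10s" },
    "enable_truncate": true,
    "only_passing": true,
    "udp_answer_limit": 3
  }
}
```

Save this as consul.dns.json in the agent's configuration directory and restart the agent. The TTL and filtering options belong under `dns_config` in the agent configuration; they are not config entries, so `consul config write` does not apply them.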

Step 6: Check Datacenter Configuration

```bash
# List datacenters
consul catalog datacenters

# Query specific datacenter
dig @localhost -p 8600 web.service.dc2.consul

# Via API
curl "http://localhost:8500/v1/catalog/service/web?dc=dc2"

# Check agent datacenter
consul info | grep datacenter
```

Configure multi-datacenter in the agent config:

```json
{
  "datacenter": "dc1",
  "retry_join": ["provider=aws tag_key=consul tag_value=server"]
}
```

Step 7: Check Node Status

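```bash
# List all nodes
consul members

# Check leader
consul operator raft list-peers

# Show Autopilot settings (dead-server cleanup and related thresholds)
consul operator autopilot get-config

# Check node details
consul catalog nodes -detailed

# If the node is partitioned, rejoin. `consul leave` shuts the agent down
# gracefully; then start it again pointing at a known cluster member.
consul leave
consul agent -config-dir=/etc/consul.d -retry-join=10.0.0.1
```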

Step 8: Clear DNS Cache

```bash
# Consul doesn't cache, but check system DNS cache
# systemd-resolved:
systemctl restart systemd-resolved

# dnsmasq:
systemctl restart dnsmasq

# nscd:
systemctl restart nscd

# Flush local DNS cache
# macOS:
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

# Linux with systemd:
resolvectl flush-caches
```

Step 9: Configure Service Registration

```hcl
// web-service.hcl
service {
  name = "web"
  tags = ["prod", "v1"]
  port = 8080

  check {
    id       = "web-health"
    name     = "HTTP Health Check"
    http     = "http://localhost:8080/health"
    interval = "10s"
    timeout  = "2s"
    deregister_critical_service_after = "30s"
  }

  connect {
    sidecar_service {}
  }
}
```

```bash
# Register service
consul services register web-service.hcl
```

Step 10: Set Up DNS Forwarding

```bash
# Configure system to use Consul DNS
# Option 1: Use dnsmasq
# /etc/dnsmasq.d/consul:
server=/consul/127.0.0.1#8600
server=8.8.8.8

# Option 2: Use systemd-resolved
# /etc/systemd/resolved.conf:
[Resolve]
DNS=127.0.0.1:8600
# "~" makes consul a routing-only domain: only *.consul queries go to this server
Domains=~consul

# Option 3: Use Consul DNS directly
# resolv.conf cannot specify a port, so this only works when Consul DNS
# listens on port 53 instead of 8600.
# /etc/resolv.conf:
nameserver 127.0.0.1
options ndots:2

# Test forwarding
nslookup web.service.consul
```

Consul DNS Query Formats

| Query | Format | Result |
|---|---|---|
| Service | `name.service.consul` | All healthy instances |
| Tagged | `tag.name.service.consul` | Filtered by tag |
| Datacenter | `name.service.dc.consul` | From specific DC |
| Node | `node.node.consul` | Node address |
| RFC 2782 | `_service._protocol.service.consul` | SRV records |
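Because the tag sits to the left of the service name, swapping the two labels silently asks for a different service. The following added example (not from the original article) parses a name into the parts listed above so a lookup can be checked before it is blamed on Consul. `parse_consul_name` is a hypothetical helper; this sketch covers only the five formats on this page and treats any labels left of the name as the tag.

```python
TYPES = ("service", "node")


def parse_consul_name(qname, domain="consul"):
    """Split a Consul DNS name into kind, name/node, tag and datacenter."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-1] != domain:
        raise ValueError("not in the .%s domain: %s" % (domain, qname))
    labels = labels[:-1]

    # An optional datacenter label follows the "service"/"node" label.
    dc = None
    if len(labels) >= 3 and labels[-1] not in TYPES and labels[-2] in TYPES:
        dc = labels.pop()
    if len(labels) < 2 or labels[-1] not in TYPES:
        raise ValueError("expected <...>.service|node[.dc].%s" % domain)

    kind, left = labels[-1], labels[:-1]
    out = {"kind": kind, "datacenter": dc}
    if kind == "node":
        out["node"] = ".".join(left)
        return out

    # RFC 2782 style: _service._protocol.service.consul
    if len(left) == 2 and all(label.startswith("_") for label in left):
        out.update(kind="srv", name=left[0][1:], protocol=left[1][1:], tag=None)
        return out

    # Standard lookup: the label next to "service" is the name,
    # everything before it is the tag.
    out.update(name=left[-1], tag=".".join(left[:-1]) or None)
    return out


if __name__ == "__main__":
    for q in ("web.service.consul", "prod.web.service.consul",
              "web.prod.service.consul", "web.service.dc2.consul",
              "node1.node.consul", "_web._tcp.service.consul"):
        print(q, "->", parse_consul_name(q))
```

`web.prod.service.consul` parses as service `prod` with tag `web`, which is why a reversed tag query returns NXDOMAIN even though the `web` service is healthy.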

Verification

```bash
# After fixing DNS configuration
# Query service via DNS
dig @localhost -p 8600 web.service.consul
# Should return correct IPs

# Check service health
consul catalog services
# Should show all services

# Verify DNS TTL (second column of each answer line)
dig @localhost -p 8600 web.service.consul +noall +answer

# Check from application
curl http://web.service.consul:8080/health

# Monitor DNS queries
consul monitor -log-level=debug | grep -i dns
```

Prevention

To prevent Consul DNS resolution issues from recurring, implement these proactive measures:

1. Monitor Consul DNS Health

```yaml
groups:
- name: consul-dns
  rules:
  - alert: ConsulDNSResolutionFailed
    expr: |
      consul_dns_query_failures > 0
    for: 2m
    labels:
      severity: warning
    annotations:
      summary: "Consul DNS resolution failures detected"
```

2. Configure Health Checks for Services

```hcl
// service.hcl
service {
  name = "web"
  port = 8080

  check {
    id       = "web-health"
    name     = "HTTP Health Check"
    http     = "http://localhost:8080/health"
    interval = "10s"
    timeout  = "2s"
    deregister_critical_service_after = "30s"
  }
}

// Unhealthy services are excluded from DNS
```

3. Set Up Consul DNS Forwarding

```bash
# /etc/dnsmasq.d/consul
server=/consul/127.0.0.1#8600
server=8.8.8.8

# Restart dnsmasq
systemctl restart dnsmasq

# Test forwarding
dig web.service.consul @localhost
```

Best Practices Checklist

  • [ ] Monitor DNS query failures
  • [ ] Configure health checks for services
  • [ ] Set up DNS forwarding
  • [ ] Configure appropriate TTL
  • [ ] Monitor service health status
  • [ ] Test DNS resolution regularly

Source: "Fix Consul DNS Resolution Wrong", FixWikiHub Editorial Team, FixWikiHub (https://www.fixwikihub.com/fix-consul-dns-resolution-wrong). Published 2026-04-04.