I wonder if you registered mesos-dns's port in marathon like you do docker containers, if you could use the marathon-ha-proxy bridge in conjunction to allow it to show up anywhere...
On Thu, Apr 2, 2015 at 11:08 AM, James DeFelice <james.defel...@gmail.com> wrote:
> This is roughly how we've integrated consul dns at client sites. Bind config
> still needs updating if/when mesos dns relocates.
>
> --sent from my phone
>
> On Apr 2, 2015 10:30 AM, "John Omernik" <j...@omernik.com> wrote:
>>
>> Based on my earlier emails about the state of service discovery, I did
>> some research and a little writeup on how to use mesos-dns as a forward
>> lookup zone in an enterprise BIND installation. I feel this is more secure,
>> and more comfortable for an enterprise DNS team, as opposed to changing the
>> first resolver on every client that may interact with Mesos to be the
>> mesos-dns server. Please feel free to modify/correct and include this in
>> the mesos-dns documentation if you feel it's valuable.
>>
>> Goals/Thought Process
>> - Run mesos-dns on a non-standard port (such as 8053). This allows you
>>   to run it as a non-root user.
>> - While most DNS clients may not understand this (a different port), in an
>>   enterprise, most DNS servers will respect a forward lookup zone with a
>>   server using a different port.
>> - The setup below for BIND9 allows you to keep all your Mesos servers AND
>>   clients in an enterprise pointing their requests at your enterprise DNS
>>   server, rather than at mesos-dns.
>> - This is easier from an enterprise configuration standpoint. Make one
>>   change on your DNS servers, rather than adding a resolver on all the
>>   clients.
>> - This is more secure in that you can run mesos-dns as non-root (53 is a
>>   privileged port, 8053 is not); no sudo required.
>> - For more security, you can limit connections to the mesos-dns server
>>   to only your enterprise DNS servers. This could help mitigate any unknown
>>   vulnerabilities in mesos-dns.
>> - This allows you to HA mesos-dns in that you can specify multiple
>>   resolvers for your BIND configuration.
>>
>> Bind9 Config
>> This was put into my named.conf.local. It sets up the .mesos zone and
>> forwards to mesos-dns. All my Mesos servers already pointed at this server,
>> therefore no client changes were required.
>>
>> # 192.168.0.100 is my host running mesos-dns
>> zone "mesos" {
>>     type forward;
>>     forward only;
>>     forwarders { 192.168.0.100 port 8053; };
>> };
>>
>> config.json mesos-dns config file.
>> I DID specify my internal DNS server in the resolvers (192.168.0.10);
>> however, I am not sure if I need to do this, since only requests for .mesos
>> will actually be sent to mesos-dns.
>>
>> {
>>   "masters": ["192.168.0.98:5050"],
>>   "refreshSeconds": 60,
>>   "ttl": 60,
>>   "domain": "mesos",
>>   "port": 8053,
>>   "resolvers": ["192.168.0.10"],
>>   "timeout": 5,
>>   "listener": "0.0.0.0",
>>   "email": "root.mesos-dns.mesos"
>> }
>>
>> marathon start json
>> Note the lack of sudo here. I also constrained it to one host for now, but
>> that could change if needed.
>>
>> {
>>   "cmd": "/mapr/brewpot/mesos/mesos-dns/mesos-dns -config=/mapr/brewpot/mesos/mesos-dns/config.json",
>>   "cpus": 1.0,
>>   "mem": 1024,
>>   "id": "mesos-dns",
>>   "instances": 1,
>>   "constraints": [["hostname", "CLUSTER", "hadoopmapr1.brewingintel.com"]]
>> }
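The forward-zone pattern in the quoted write-up has a few invariants worth checking mechanically before rolling it out: the BIND zone name must equal the mesos-dns `domain`, the port must be unprivileged if mesos-dns is to run without root, HA needs more than one forwarder, and mesos-dns's own `resolvers` must not point back at a mesos-dns host (otherwise a non-.mesos query can bounce between BIND and mesos-dns). The script below is an added example written for this page; it is not code from the thread or from the mesos-dns project. It takes the config.json posted above (embedded inline as constructed input), renders the matching named.conf.local stanza, runs those checks, and emits iptables rules implementing the "only the enterprise DNS servers may reach port 8053" goal. The function names, the `ENTERPRISE_DNS` list and the check thresholds are this example's own assumptions; the JSON field names are the ones the posted config uses.

```python
"""Consistency checks for the mesos-dns + BIND9 forward-zone pattern.

Added example, not code from the thread or the mesos-dns project.
"""
import json

# Constructed input: the config.json posted in the thread, verbatim.
MESOS_DNS_CONFIG = json.loads("""
{
  "masters": ["192.168.0.98:5050"],
  "refreshSeconds": 60,
  "ttl": 60,
  "domain": "mesos",
  "port": 8053,
  "resolvers": ["192.168.0.10"],
  "timeout": 5,
  "listener": "0.0.0.0",
  "email": "root.mesos-dns.mesos"
}
""")

# Assumed: the enterprise BIND servers that are allowed to talk to mesos-dns
# (the thread's 192.168.0.10), and the hosts where mesos-dns runs.
ENTERPRISE_DNS = ["192.168.0.10"]
MESOS_DNS_HOSTS = ["192.168.0.100"]


def render_forward_zone(domain, forwarders):
    """Render a BIND9 'type forward' zone in named.conf.local syntax.

    forwarders: list of (ip, port). BIND accepts a per-forwarder port, which is
    what lets mesos-dns live on an unprivileged port such as 8053.
    """
    fwd = " ".join(f"{ip} port {port};" for ip, port in forwarders)
    return (
        f'zone "{domain}" {{\n'
        f"    type forward;\n"
        f"    forward only;\n"
        f"    forwarders {{ {fwd} }};\n"
        f"}};\n"
    )


def check_setup(config, mesos_dns_hosts, want_ha=False):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    port = int(config["port"])
    if port < 1024:
        findings.append(f"port {port} is privileged; mesos-dns would need root "
                        "or CAP_NET_BIND_SERVICE to bind it")
    if want_ha and len(mesos_dns_hosts) < 2:
        findings.append("HA requested but only one mesos-dns forwarder configured")
    # Loop check: mesos-dns forwards non-.mesos queries to "resolvers"; if one
    # of those is a mesos-dns host, BIND -> mesos-dns -> mesos-dns can loop.
    loops = sorted(set(config.get("resolvers", [])) & set(mesos_dns_hosts))
    if loops:
        findings.append(f"resolvers point back at mesos-dns host(s) {loops}: forwarding loop")
    if config.get("listener", "0.0.0.0") == "0.0.0.0":
        findings.append("listener is 0.0.0.0; bind one interface or firewall the port "
                        "so only the enterprise DNS servers can reach it")
    return findings


def firewall_rules(port, allowed_sources):
    """iptables rules restricting the mesos-dns port to the enterprise DNS servers.

    Returned as command strings (ACCEPT for each allowed source, then DROP), so
    the caller can review them before applying; nothing is executed here.
    """
    rules = []
    for proto in ("udp", "tcp"):
        for src in allowed_sources:
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -s {src} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    port = MESOS_DNS_CONFIG["port"]
    print(render_forward_zone(MESOS_DNS_CONFIG["domain"],
                              [(h, port) for h in MESOS_DNS_HOSTS]))
    for finding in check_setup(MESOS_DNS_CONFIG, MESOS_DNS_HOSTS, want_ha=True):
        print("finding:", finding)
    print("\n".join(firewall_rules(port, ENTERPRISE_DNS)))
```

Run against the posted config with `want_ha=True`, the checks flag the single forwarder and the `0.0.0.0` listener and nothing else; the posted `resolvers` entry (the enterprise DNS server, not a mesos-dns host) does not create a loop, which is the question the write-up left open. Adding a second mesos-dns host to `MESOS_DNS_HOSTS` produces a two-entry `forwarders` line, which is the HA arrangement the goals list describes.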