Once you have installed Cloud Resolver on the host machine, you must create the configuration file that tells Cloud Resolver what information to pull from the cloud environment.
- Log in to the host instance using SSH.
- Navigate to the /etc/cloud-resolver/ directory.
- Create a new file called cloud-resolver.conf. This file holds the Edge secret key and, if you use a proxy, the proxy password, so restrict its permissions (for example, mode 600, owned by the account that runs the service) so that no other local user can read it.
- Edit the cloud-resolver.conf configuration file and add the necessary values listed in Configuration parameters.
- Once you have added the necessary configuration parameters to the configuration file, restart Cloud Resolver using the following command:
sudo systemctl restart cloud-resolver.service
Configuration parameters
Parameter | Description | Default value | Required/Optional | Scope |
---|---|---|---|---|
CRS_IAM_ROLE | The IAM role to assume. Note: only required for STS authentication. | None | Optional | AWS-only |
CRS_EXTERNAL_ID | The external ID to use when assuming CRS_IAM_ROLE. Note: only required for STS authentication. | None | Optional | AWS-only |
AWS_REGION | The AWS region for which Cloud Resolver retrieves DNS zone information. Attention: required when Cloud Resolver is deployed in AWS. | None | Required | AWS-only |
CRS_ADDITIONAL_REGIONS | Additional AWS regions to discover in, for the primary account and any additional accounts. | None | Optional | AWS-only |
CRS_VPC_ID | The VPC ID of the VPC in which Cloud Resolver runs. Attention: required when Cloud Resolver is deployed in AWS. | None | Required | AWS-only |
AWS_CONFIG_FILE | The location of the AWS configuration file. If not set, the standard AWS locations are used. | None | Optional | AWS-only |
AWS_PROFILE | The AWS profile name. | None | Optional | AWS-only |
AZURE_REGION | The Azure region for which Cloud Resolver retrieves DNS zone information. Attention: only required when Cloud Resolver is deployed on-premises. If you set this parameter on an instance deployed in Azure, it prevents Cloud Resolver from discovering local tenants. | None | Optional | Azure-only |
CRS_PERMITS | The maximum number of concurrent REST API calls to the cloud service provider, from 1 to 1000. | None | Optional | Azure-only |
GCP_PROJECT_ID | The ID of the GCP project in which Cloud Resolver is deployed. Attention: required when Cloud Resolver is deployed in GCP. | None | Required | GCP-only |
GCP_NETWORK_ID | The ID of the GCP network in which Cloud Resolver is deployed. Attention: required when Cloud Resolver is deployed in GCP. | None | Required | GCP-only |
GCP_NETWORK_NAME | The name of the GCP network in which Cloud Resolver is deployed. Attention: required when Cloud Resolver is deployed in GCP. | None | Required | GCP-only |
CRS_REMOTE_TENANTS | A JSON list of additional Azure tenants, AWS accounts, or GCP projects for discovery and resolution. Azure: Cloud Resolver uses the OAuth 2.0 client credentials flow to authenticate as a service principal in each remote tenant with a client secret. Store the client secret in an Azure Key Vault secret or in HashiCorp Vault; it can also be passed as an environment variable, but BlueCat recommends a vault in production environments. AWS: the primary account must be permitted to call STS AssumeRole on the remote role; only the current region is discovered in the remote account. GCP: the primary account must authenticate with a local service account key file or be able to fetch the service account key file from Secret Manager. See the Azure and GCP examples at the end of this page for the list format. | None | Optional | Common |
CRS_NAME | The name shown for this Cloud Resolver instance in the Edge UI. If no name is defined, the Cloud Resolver instance ID is used. | <Cloud Resolver instance ID> | Optional | Common |
CRS_CLOUD_PROVIDER | The cloud environment from which Cloud Resolver retrieves DNS information: aws, azure, or gcp. | None | Required | Common |
CRS_EDGE_API_KEY | The API key of the Edge user that Cloud Resolver uses to add new DNS zones to the domain list. | None | Required | Common |
CRS_EDGE_SECRET_KEY | The API secret key of the Edge user that Cloud Resolver uses to add new DNS zones to the domain list. | None | Required | Common |
CRS_EDGE_SECRETS_ID | The base URL of the vault in which the Edge API key and Edge secret key are stored. Note: when storing them in a vault, the Edge API key must be named CRS-EDGE-API-KEY and the Edge secret key must be named CRS-EDGE-SECRET-KEY. | None | Optional | Common |
CRS_EDGE_CI_URL | The API URL of the Edge Cloud Instance to which Cloud Resolver writes data. For example: https://api-<Edge_URL>.bluec.at | None | Required | Common |
CRS_EDGE_NAMESPACE_ID | The ID of the Edge namespace. | None | Required | Common |
CRS_EDGE_DOMAINLIST_ID | The ID of the Edge domain list to which Cloud Resolver adds new DNS zones. | None | Required | Common |
CRS_DNS_LISTEN_ON | The socket address (IP:port) on which Cloud Resolver listens for DNS messages over UDP and TCP. | 127.0.0.1:5003 | Optional | Common |
CRS_CONFIGURATION_ZONE | The private DNS zone that gives Cloud Resolver access to remote resolvers. For more information, refer to Remote resolvers. If you do not want to configure remote resolvers, leave the default value. | cloudresolver.config. | Optional | Common |
CRS_POLLING_INTERVAL | The interval, in seconds, between polls of the cloud service provider API. | 60 | Optional | Common |
CRS_LIVENESS_PORT | The port used for simple TCP checks that the service has started and is initializing. | 8080 | Optional | Common |
CRS_READINESS_PORT | The port used to determine whether Cloud Resolver has started successfully and is ready for traffic. | 8090 | Optional | Common |
CRS_DIAGNOSTICS_PORT | The port used to access the web-delivered Cloud Resolver diagnostics. | 9000 | Optional | Common |
CRS_PROMETHEUS_PORT | The port from which Prometheus scrapes metrics. | 9090 | Optional | Common |
CRS_PROMETHEUS_PROTOBUF | The Prometheus exposition format: true for protobuf, false for text. | false | Optional | Common |
CRS_MAX_IN_FLIGHT_UDP | The maximum number of in-flight UDP queries; queries beyond this limit receive SERVFAIL. | 500 | Optional | Common |
CRS_MAX_IN_FLIGHT_TCP | The maximum number of in-flight TCP queries; queries beyond this limit receive SERVFAIL. | 500 | Optional | Common |
CRS_IN_FLIGHT_CACHE_SIZE | The maximum TTL cache size. You can tune this value to protect against DoS attacks. | 2500 | Optional | Common |
CRS_LOG | The logging level for Cloud Resolver. | cloud_resolver=info | Optional | Common |
CRS_SNAPSHOT_PATH | The directory in which Cloud Resolver snapshots are stored. If CRS_SNAPSHOT_TYPE is csp, the snapshot is written to a cloud storage provider and you must set this parameter to the full path of the snapshot in the Azure Blob storage or AWS S3 bucket. Note: if this instance is part of a cluster (CRS_ROLE set to resolver), set this parameter to the full path in the Azure Blob storage or AWS S3 bucket from which snapshots are read, or mount a shared volume on each Cloud Resolver instance and use that file path. If you set the | /var/lib/bluecat | Optional | Common |
CRS_SNAPSHOT_NAME | The name of the snapshot file. When the Cloud Resolver role is full, this is the name of the snapshot file that is written; when the role is resolver, it is the name of the snapshot file that is read. Attention: BlueCat does not recommend changing the snapshot name unless you use the Azure Blob or S3 bucket for additional data sets. | cloud_resolver.dmp | Optional | Common |
CRS_SNAPSHOT_AUTOLOAD | Whether the latest snapshot is loaded automatically when Cloud Resolver starts. Set to true to load it, or false to start without it. | false | Optional | Common |
CRS_SNAPSHOT_AUTOGENERATE | Whether the snapshot is updated automatically when Cloud Resolver discovers new resources in the cloud environment. Set to true to update it on discovery, or false to leave it unchanged. | true | Optional | Common |
CRS_SNAPSHOT_TYPE | The type of snapshot that Cloud Resolver creates: file to write the snapshot to a local file in the directory defined in CRS_SNAPSHOT_PATH, or csp to write it to an Azure Blob Storage or AWS S3 bucket location. | file | Optional | Common |
CRS_ROLE | The role of this Cloud Resolver instance: full for a standalone instance, or resolver for an instance that is part of a cluster. If you configure the | full | Optional | Common |
CRS_PROXY_ADDR | The URL and port of the proxy server, for example https://example.prox:4545. Note: only required if you use a proxy server. | None | Optional | Common |
CRS_PROXY_USER | The username used to authenticate to the proxy server with basic_auth. Only required if you use a proxy server. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_PROXY_PASS | The password used to authenticate to the proxy server with basic_auth. Only required if you use a proxy server. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_PROXY_SKIP | The list of domains, networks, and IP addresses that bypass the proxy. Only required if you use a proxy server. | None | Optional | Common |
CRS_VAULT_TYPE | The vault used to store the Edge secret keys, proxy credentials, and cloud service provider (CSP) remote tenant secrets. Valid values are csp and hcv_approle. | None | Optional | Common |
CRS_HCV_BASE_URL | The base URL of the HashiCorp Vault service. Note: only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_LOGIN_PATH | The URL path appended to the base URL for login. Note: only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_SECRET_PATH | The URL path appended to the base URL for the secret store. Note: only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_ROLE_ID | The AppRole Role ID generated in HashiCorp Vault. Note: only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_SECRET_ID | The AppRole Secret ID generated in HashiCorp Vault. Note: only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_NAMESPACE | The Vault namespace. Note: only required if CRS_VAULT_TYPE="hcv_approle" and you use Vault namespaces. | None | Optional | Common |
CRS_VAULT_PROXY_USER_PATH | The secret path of the proxy user when proxy credentials are stored in a secrets vault. Only required if you use a proxy server. For more information, refer to Storing proxy credentials remotely. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_VAULT_PROXY_PASS_PATH | The secret path of the proxy password when proxy credentials are stored in a secrets vault. Only required if you use a proxy server. For more information, refer to Storing proxy credentials remotely. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_VAULT_PROXY_USER_KEY | The key of the proxy user when proxy credentials are stored in a secrets vault. Only required if you use a proxy server. For more information, refer to Storing proxy credentials remotely. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_VAULT_PROXY_PASS_KEY | The key of the proxy password when proxy credentials are stored in a secrets vault. Only required if you use a proxy server. For more information, refer to Storing proxy credentials remotely. Note: if proxy credentials are configured both in cloud-resolver.conf and in a remote secrets vault, Cloud Resolver uses the local credentials from cloud-resolver.conf. | None | Optional | Common |
CRS_FALLBACK_RESOLVER | A comma-delimited list of IP addresses of fallback resolvers. | None | Optional | Common |
CRS_SKIP_FALLBACK_NETWORKS | A comma-delimited list of networks in CIDR notation whose queries are never forwarded to fallback resolvers. | None | Optional | Common |
CRS_ALLOW_FALLBACK_NETWORKS | A comma-delimited list of networks in CIDR notation whose queries may be forwarded to a fallback resolver, whether or not the source address is in a discovered cloud network. A source address that is in any network listed in CRS_SKIP_FALLBACK_NETWORKS is never allowed to query fallback resolvers, even if it is also listed here. | None | Optional | Common |
CRS_GENERATE_REVERSE | Whether reverse zones are generated automatically for discovered cloud network space. Set to true to generate them, or false to ensure they are not generated. | false | Optional | Common |
CRS_SEARCH_DOMAINS | A JSON string that maps source networks to the domain suffix that is searched for single-label queries from that network. | [] | Optional | Common |
CRS_AUTHORITY | Whether Cloud Resolver acts as the authority for DNS zones discovered in cloud environments. When enabled, Cloud Resolver answers from its own data instead of sending a query to the cloud provider at resolution time. | false | Optional | Common |
CRS_AUTH_ZONE_NAME | The Cloud Resolver authority zone name. | cloud.resolver | Optional | Common |
CRS_AUTH_NEG_TTL | The negative cache TTL for the zones Cloud Resolver creates dynamically, and for cloud DNS zones when CRS_AUTHORITY is true. | 10 | Optional | Common |
CRS_AUTH_NS_HOST_RECORDS | A JSON string containing the names and IP addresses of name servers, such as other Cloud Resolver instances. Note: only required if CRS_AUTHORITY is true. | None | Optional | Common |
CRS_HTTP_11 | Whether to force HTTP/1.1 for all REST API calls. Set to true if the proxy or other upstream services cause HTTP/2 errors. | false | Optional | Common |
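The table above says which parameters are required for each provider and which ones change behaviour when combined, but the service only reports a bad file after you restart it. The following pre-flight validator is an added example, not a BlueCat tool: it parses the KEY=VALUE file (including the multi-line quoted JSON values the examples below use), checks the file mode, and applies the Required rules from the table plus the documented interactions (hcv_approle needs the CRS_HCV_* set, csp snapshots and the resolver role need an explicit CRS_SNAPSHOT_PATH, AZURE_REGION on an Azure-hosted instance blocks local discovery, inline proxy credentials override vault ones). Two things are assumptions rather than statements from the table: that CRS_EDGE_SECRETS_ID can stand in for the inline Edge keys, and that a world-readable file and an http:// Edge URL deserve a warning.

```python
"""Pre-flight validator for /etc/cloud-resolver/cloud-resolver.conf.

Added example, not a BlueCat tool: parses the KEY=VALUE file, checks the file
mode (the file holds the Edge secret key and any proxy password) and applies
the Required rules from the parameter table before `systemctl restart`.
"""
import ipaddress
import json
import os
import stat
import sys

COMMON_REQUIRED = ("CRS_CLOUD_PROVIDER", "CRS_EDGE_CI_URL",
                   "CRS_EDGE_NAMESPACE_ID", "CRS_EDGE_DOMAINLIST_ID")
PROVIDER_REQUIRED = {"aws": ("AWS_REGION", "CRS_VPC_ID"), "azure": (),
                     "gcp": ("GCP_PROJECT_ID", "GCP_NETWORK_ID", "GCP_NETWORK_NAME")}
HCV_REQUIRED = ("CRS_HCV_BASE_URL", "CRS_HCV_LOGIN_PATH", "CRS_HCV_SECRET_PATH",
                "CRS_HCV_ROLE_ID", "CRS_HCV_SECRET_ID")
JSON_PARAMS = ("CRS_SEARCH_DOMAINS", "CRS_REMOTE_TENANTS", "CRS_AUTH_NS_HOST_RECORDS")
CIDR_LIST_PARAMS = ("CRS_SKIP_FALLBACK_NETWORKS", "CRS_ALLOW_FALLBACK_NETWORKS")


def parse_conf(text):
    """KEY=VALUE lines; a quoted value may span lines (as CRS_SEARCH_DOMAINS
    does in the AWS example). Outer quotes are stripped; later keys win."""
    conf, key, buf, quote = {}, None, "", None
    for line in text.splitlines():
        if quote is not None:                      # inside a multi-line quoted value
            buf += "\n" + line
            if line.rstrip().endswith(quote):
                conf[key], quote = buf.rstrip()[:-1], None
            continue
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value[:1] in ("'", '"'):
            if len(value) > 1 and value.endswith(value[0]):
                value = value[1:-1]
            else:                                  # opening quote with no close yet
                quote, buf = value[0], value[1:]
                continue
        conf[key] = value
    return conf


def bad_cidrs(value):
    """Entries of a comma-delimited CIDR list that do not parse."""
    bad = []
    for item in (s.strip() for s in value.split(",") if s.strip()):
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            bad.append(item)
    return bad


def validate(conf, mode=None):
    """Return (errors, warnings) for a parsed config; `mode` is the file's permission bits."""
    errors, warnings = [], []
    if mode is not None and mode & 0o077:
        errors.append("file mode %o allows group/other access; use chmod 600" % mode)
    provider = conf.get("CRS_CLOUD_PROVIDER", "")
    if provider not in PROVIDER_REQUIRED:
        errors.append("CRS_CLOUD_PROVIDER must be aws, azure or gcp, got %r" % provider)
    required = COMMON_REQUIRED + PROVIDER_REQUIRED.get(provider, ())
    if not conf.get("CRS_EDGE_SECRETS_ID"):       # assumption: a vault replaces the inline keys
        required += ("CRS_EDGE_API_KEY", "CRS_EDGE_SECRET_KEY")
    if conf.get("CRS_VAULT_TYPE") == "hcv_approle":
        required += HCV_REQUIRED
    if conf.get("CRS_SNAPSHOT_TYPE") == "csp" or conf.get("CRS_ROLE") == "resolver":
        required += ("CRS_SNAPSHOT_PATH",)        # must name the Blob/S3 snapshot location
    errors += ["%s is required but not set" % k for k in required if not conf.get(k)]
    for key in JSON_PARAMS:
        try:
            data = json.loads(conf[key]) if key in conf else None
        except ValueError as exc:
            errors.append("%s is not valid JSON: %s" % (key, exc))
            continue
        if key == "CRS_SEARCH_DOMAINS" and isinstance(data, list):
            subnets = ",".join(str(e.get("subnet", "")) for e in data if isinstance(e, dict))
            errors += ["CRS_SEARCH_DOMAINS subnet %r is not a valid CIDR" % b for b in bad_cidrs(subnets)]
    for key in CIDR_LIST_PARAMS:
        errors += ["%s: %r is not a valid CIDR" % (key, b) for b in bad_cidrs(conf.get(key, ""))]
    if provider == "azure" and conf.get("AZURE_REGION"):
        warnings.append("AZURE_REGION is set; on an Azure-hosted instance it stops local tenant discovery")
    if conf.get("CRS_PROXY_USER") and conf.get("CRS_VAULT_PROXY_USER_PATH"):
        warnings.append("proxy credentials are set inline and in the vault; the inline ones are used")
    if conf.get("CRS_DNS_LISTEN_ON", "127.0.0.1:5003").startswith(("0.0.0.0:", "[::]:")):
        warnings.append("CRS_DNS_LISTEN_ON binds every interface; restrict access with a firewall or security group")
    if conf.get("CRS_EDGE_CI_URL", "https://").startswith("http:"):
        warnings.append("CRS_EDGE_CI_URL is plain http; the Edge API key would be sent in clear")
    return errors, warnings


def check_file(path):
    """Validate a file on disk, including its permission bits."""
    with open(path) as fh:
        conf = parse_conf(fh.read())
    return validate(conf, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    errs, warns = check_file(sys.argv[1] if len(sys.argv) > 1
                             else "/etc/cloud-resolver/cloud-resolver.conf")
    for line in ["WARN: " + w for w in warns] + ["ERROR: " + e for e in errs]:
        print(line)
    sys.exit(1 if errs else 0)
```

Run it on the host as `python3 check_crs_conf.py /etc/cloud-resolver/cloud-resolver.conf` before the restart; a non-zero exit means at least one hard error. The parser deliberately does not evaluate shell syntax, so a value such as `$(...)` is treated as literal text rather than executed.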
Example AWS configuration file
A cloud-resolver.conf file that connects to an AWS environment:
```
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_CLOUD_PROVIDER=aws
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_TYPE=file
CRS_SNAPSHOT_AUTOLOAD=true
AWS_REGION="us-east-2"
CRS_VPC_ID="vpc-987f65fc"
AWS_PROFILE="cloudresolver"
CRS_SEARCH_DOMAINS='[ {"subnet": "172.16.6.0/24", "suffix": "subnet1.demo.zone"},
{"subnet": "172.16.7.0/24", "suffix": "subnet2.demo.zone"}]'
```
Example Azure configuration file
A cloud-resolver.conf file for a Cloud Resolver instance in the resolver role that reads snapshots from Azure Blob storage:
```
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_CLOUD_PROVIDER=azure
CRS_NAME="Azure Cloud Resolver"
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_TYPE=csp
CRS_SNAPSHOT_AUTOLOAD=true
CRS_SNAPSHOT_PATH="https://test.blob.core.windows.net/snapshot"
CRS_ROLE=resolver
CRS_REMOTE_TENANTS='[{"tenant_id": "abcdef01-ab12-34cd-5678-bda0b9876e6f", "client_id": "fedcba98-fe87-65dc-b432-ceb1c5432f2a",
"client_secret_url": "CRS-123456ab7890", "azure_cloud": "AzureCloud"}]'
```
Example GCP configuration file
A cloud-resolver.conf file that connects to a GCP environment:
```
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_FALLBACK_RESOLVER=8.8.8.8:53
CRS_CLOUD_PROVIDER=gcp
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_AUTOLOAD=true
CRS_VAULT_TYPE=csp
GCP_PROJECT_ID=test-gcp-env
GCP_NETWORK_ID=projects/test-gcp-env/global/networks/test-gcp-env-vpc
GCP_NETWORK_NAME=test-gcp-env-vpc
CRS_REMOTE_TENANTS='[{"project_id": "test-gcp-env",
"auth_path": {"secret_manager_path": "projects/123456789012/secrets/SERVICE_ACCOUNT_FILE"}}]'
```
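The GCP example above points CRS_FALLBACK_RESOLVER at a public resolver without any skip or allow list, which means every client that Cloud Resolver serves can have unmatched names forwarded off the cloud. The following added example (not BlueCat code) models the documented rules for CRS_SKIP_FALLBACK_NETWORKS, CRS_ALLOW_FALLBACK_NETWORKS and CRS_SEARCH_DOMAINS so you can dry-run a planned configuration against sample client addresses before deploying it. Two points are assumptions the page does not state: a source that is outside every discovered cloud network and outside the allow list gets no fallback, and when search-domain subnets overlap the most specific one wins. The sample networks and addresses are constructed for the demonstration.

```python
"""Dry-run of Cloud Resolver's per-source-network parameters (added example,
not BlueCat code). Models the documented fallback rules and the
CRS_SEARCH_DOMAINS suffix selection for single-label queries."""
import ipaddress
import json


def parse_networks(value):
    """Comma-delimited CIDR list (the CRS_*_FALLBACK_NETWORKS format) -> ip_network list."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def in_any(ip, networks):
    return any(ip in net for net in networks)


def may_use_fallback(source, cloud_networks, skip="", allow=""):
    """Decide whether a query from `source` that no cloud zone answers may go to
    CRS_FALLBACK_RESOLVER. Returns (decision, reason). Skip always wins, then
    allow, then the discovered cloud networks; the final default is assumed."""
    ip = ipaddress.ip_address(source)
    if in_any(ip, parse_networks(skip)):
        return False, "source is in CRS_SKIP_FALLBACK_NETWORKS"
    if in_any(ip, parse_networks(allow)):
        return True, "source is in CRS_ALLOW_FALLBACK_NETWORKS"
    if in_any(ip, cloud_networks):
        return True, "source is in a discovered cloud network"
    return False, "source is outside the discovered cloud networks (assumed default)"


def search_suffix(source, search_domains):
    """Suffix for single-label queries from `source`, from the CRS_SEARCH_DOMAINS
    JSON (a list of {"subnet": ..., "suffix": ...}); longest prefix wins (assumed)."""
    ip = ipaddress.ip_address(source)
    best = None
    for entry in json.loads(search_domains):
        net = ipaddress.ip_network(entry["subnet"], strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry["suffix"])
    return best[1] if best else None


def qualify(name, source, search_domains):
    """Single-label names get the source's suffix; qualified names are left alone."""
    if "." in name.rstrip("."):
        return name
    suffix = search_suffix(source, search_domains)
    return "%s.%s" % (name, suffix) if suffix else name


if __name__ == "__main__":
    # Constructed sample: two discovered subnets, a DMZ that must never leak
    # queries to the fallback resolver, and an on-prem management range that may.
    CLOUD = parse_networks("172.16.6.0/24,172.16.7.0/24")
    SKIP = "172.16.7.128/25"
    ALLOW = "10.20.0.0/16"
    SEARCH = ('[{"subnet": "172.16.6.0/24", "suffix": "subnet1.demo.zone"},'
              ' {"subnet": "172.16.7.0/24", "suffix": "subnet2.demo.zone"}]')
    for src in ("172.16.6.10", "172.16.7.200", "10.20.3.4", "192.168.1.1"):
        print(src, may_use_fallback(src, CLOUD, SKIP, ALLOW), qualify("db01", src, SEARCH))
```

The useful result of the dry run is the skip list: with CRS_SKIP_FALLBACK_NETWORKS covering the segments that must never reach an external resolver, a single-label typo from those hosts is answered locally or fails, instead of being forwarded to 8.8.8.8 with the search suffix attached.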