Gone are the days when we had to deal with custom DNS resolvers and use only Oracle provided DNS servers for our private domains! Oracle recently announced Private DNS as a new feature for Oracle Cloud Infrastructure (OCI) that allows hostname resolution not only within your VCN but also across VCNs and between your VCN and on-premise or other private networks.
In this blog, we will cover an overview of OCI DNS service and Private DNS. We will go deeper on the Private Views, Private Zones, Hybrid DNS, and Conditional forwarding, and finally, in the end, I will cover how to set up a Private DNS Zone in your tenancy.
- What’s New?
- DNS Service in OCI
- Private DNS Overview
- Use cases for Private DNS
- Private DNS Zones
- Hybrid DNS & Conditional Forwarding
- Private DNS in Cloud Console
What’s New?
Each VCN can have its own resolver in OCI which allows you to resolve names within your VCN and the Internet. Before Private DNS, If you wanted to resolve names on-prem, or another VCN you will have to deploy your own DNS solution or use hostnames which is not scalable.
With the implementation of Private DNS, you can establish a peering relationship with other DNS resolvers located on-prem or other VCNs.
If you want to know more about VCNs in OCI, read our blog Networking In Oracle Cloud (OCI): VCN, Subnet, Gateways, Peering, Transit Routing
Oracle Cloud Infrastructure DNS Service
When a user types a URL into a browser, that URL gets translated into a specific IP address and this executes a DNS query from the user end. Every domain name (or say URL) is mapped to an IP address. OCI DNS service maps domain names (like www.k21academy.com) to IP addresses for resources available in OCI, third-party or private networks.
Before Private DNS, there were only 2 choices for resolving a DNS record inside a VCN. These choices can be made at the subnet level for each subnet in the VCN:
-
Default Choice: Internet & VCN Resolver:
1. Internet Resolver: This helps instances resolve hostnames that are publicly available on the internet. The instances need not required to have internet access.
2. VCN Resolver: This helps instances resolve hostnames of other instances in the same VCN. -
Custom Resolver: This uses Oracle DNS servers to resolve hostnames.
By default, the Internet and VCN Resolver does not let instances resolve the hostnames of hosts in your on-premises network, this can only be done using custom resolver or VCN’s private DNS resolver.
Private DNS Overview
Private DNS provides DNS resolution of custom DNS domains within your VCN. These domains can be within OCI, between VCNs, and between VCN and on-premise or other private networks. Private DNS also provides DNS resolution across networks (for example, another VCN within the same region, cross-region, or external network).
Let’s talk about the concepts related to Private DNS:
Private DNS Zones
Private DNS zones contain records for private/custom domains and are accessible from within a VCN by a private IP address. A private DNS zone resolves queries coming from clients that can reach it through a VCN. Private DNS allows creating duplicate zones across multiple VCNs. It supports split-horizon allowing you to use the same domain name for public and private zones so that different answers can be provided for public queries versus private queries from within your VCN.
Private DNS Views
A private DNS view is a collection of private zones. A zone can only belong to a single view and is accessible through a view. A view allows you to share private DNS data with DNS resolver which in turn resolves DNS queries and sends a response. A view can be used by many resolvers.
Private DNS Resolver
A private DNS resolver provides responses to DNS queries for a VCN per configuration you create. When you create a VCN and select the Use DNS hostnames in this VCN option, it will create a dedicated private DNS resolver and a default private view with system-managed zones. A private DNS resolver handles internal DNS queries for your VCN based on private views and the private zones that you created and the rules you define for the resolver.
Use cases for Private DNS
Following are the use cases supported for OCI Private DNS:
- Custom Private Zones: Customers can create and manage their own custom private zones and records.
- Private DNS resolution within a VCN: Allows resolving DNS queries from within a VCN
- Split Horizon: It allows you to use the same domain name for public and private zones. Different answers can be served for public queries versus private queries from within your VCN.
- Private DNS resolution Across VCNs: Resolve DNS queries between peered VCNs (local, cross-region, and cross-tenancy)
- Private DNS resolution between VCN and on-prem: Resolve DNS queries between a VCN and an on-premise network.
Let’s take a closer look at two of these use case scenarios.
Private DNS Zones
You can now create private DNS zones on OCI and provide DNS resolution services to your cloud resources and services. As shown in the below diagram, these zones can be a custom private name provided by you (such as ocizone.internal) or an external domain that you own. Private DNS zones only resolve DNS queries coming from resources within the VCN.
Hybrid DNS & Conditional Forwarding
Hybrid DNS is an overlay deployment of DNS forwarders to resolve DNS names of instances in the VCN from on-premises clients and vice-versa when the on-premises datacenter is connected with the VCN (through VPN or FastConnect). Now there is no need for Hybrid DNS deployment as the same can be implemented with Private DNS support for conditional forwarding which provides a policy-driven approach to name resolution across OCI and on-premise.
Conditional forwarding allows Private DNS to act as a native cloud service by providing DNS name resolution integration not only between OCI and on-prem but also across multiple VCNs or OCI tenancies.
Case Study
The following example shows a customer who has configured private DNS resolvers on their VCN. When an OCI instance in the VCN asks for resolution of an on-premises instance:
1. Instance in the VCN initiates a DNS query (say app4.onprem.internal)
2. Private DNS resolver configured in the VCN’s subnet will receive the DNS request.
3. Private DNS resolver forwards the query to on-premises DNS server (10.0.1.5) over private connectivity (VPN Connect or Fastconnect) based on the DNS policy configured,
4. Private DNS resolver gets the response and sends it back to OCI instance.
Private DNS in Cloud Console
Before start working with Private DNS, you have to make sure you have the required permissions to access and create DNS resources in your compartment or tenancy. If you are not the administrator, you have to request the admin to give you permissions to manage private DNS:
Allow group <GroupName> to manage dns in tenancy where target.dns.scope = 'private'
Read our blog to know more about Overview Of Policy & How It Work In Oracle Cloud (OCI)
Let’s see how you can create a private zone and private views in the cloud console.
Create a Private Zone
1. Open the navigation menu. Under Core Infrastructure, go to Networking, click on DNS Management.
2. Click Zones. Then click the Private Zones tab and click Create Zone.
3. In the dialog box, enter the required details, and once done, click create.
- Zone Name: Enter a friendly name of the zone you want to create.
- Create in Compartment: Select an appropriate compartment.
- Zone Type: This field is read-only.
- DNS Private View: A private zone is created within a private view.
- Select Existing Private DNS View: Select an existing private view from the drop-down menu.
- Create New Private DNS View: Enter a friendly name for the private view.
Create a Private View
2. In the Create Private View dialog box, enter the required details, and once done, click create.
- Name: Enter a friendly name of the private view you want to create.
- Create in Compartment: Select an appropriate compartment.
Conclusion
In this blog, we discussed OCI DNS service and its newest addition Private DNS. We briefly discussed all the concepts related to Private DNS such as Private zones, Private views, Private DNS resolvers, and how to create them using Cloud Console.
Private DNS can be used to manage the private assets in OCI, as well as support DNS resolution between VCNs and between VCNs and on-premise networks.
Related/References
- 1Z0-1072-20 | Oracle Cloud Infrastructure 2020 Architect Associate
- What Is Region, Availability Domain (AD), Fault Domain (FD) & Realm In Oracle Cloud Infrastructure (OCI)
- Networking In Oracle Cloud (OCI): VCN, Subnet, Gateways, Peering, Transit Routing
- Traffic Management In Oracle Cloud Infrastructure (OCI)
Next Task For You
Begin your journey towards becoming an Oracle Cloud Architect by Joining the FREE Masterclass on How To Become Oracle Cloud Architect in 8 Weeks.
Click on the image below to Register for the FREE Masterclass NOW!
The post Private DNS In Oracle Cloud (OCI) appeared first on Cloud Training Program.