
OCI Private DNS part 1 – Configuration

I’ve wanted to write something about this topic for quite a while, and finally OCI has released its first step of Private DNS capabilities!

Why do I think this is a big thing? For example, let’s say you need a Hub & Spoke model with multiple VCNs. If you wanted to resolve hostnames between VCNs, you might have had to implement DNS forwarders and play around with different options to get it working.

Or you want to use your own hostnames, but some subnets which have Exadata or VM RAC DBCS don’t support anything other than oraclevcn.com. To be honest, they still don’t, but this is just the first step. At least now you will have more options for DNS and how to configure it.

This post is part one of a two-part series. In the second part I’ll look at DNS between VCNs and some use cases for how one could use it.

This post will examine the following:

  • Create a private DNS Zone and resolve that private domain A record in your VCN

Before starting, I would read about Private DNS and Private DNS in your VCN in the documentation. Reading these didn’t actually make the whole implementation as clear as possible, which I’m hoping Oracle will address later on.

The high-level steps below are (assuming the VCN exists):

  1. Create Private DNS View
  2. Create Private DNS Zone
  3. Assign A-records to your DNS Zone
  4. Publish changes
  5. Associate your VCN resolver with Private View

Creating Private DNS View & Zone

There are a few key components which are good to understand:

  • Private DNS Zone – contains DNS data from the VCN (like IP addresses)
  • Private DNS View – a collection of Zones; a Zone can only belong to a single View.
  • Private DNS Resolver – you can assign Views to a Resolver, which will then resolve those DNS queries for you. Remember the order: first custom views, then the default view, and finally the Internet. More on the resolver later.

I’ve started by creating a VCN with one public subnet. This VCN will have two private views: the default one (vcn-thatfinnishguy) and a custom view (private-view-thatfinnishguy-domain), which will have an additional Private Zone as well.

Default and Custom Private View

I’ll also create a Private Zone for the Private View. This one will have a domain (the made-up thatfinnishguy.com) which will be used to insert A records for specific IPs.

Creating Private Zone only requires Zone Name

After creating the Zone I can see my Private Zones and which View they belong to. The two at the bottom are the ones created automatically when creating a VCN.

Private Zones view

Creating Compute Instance and Assigning A Records

I’ve created two free tier compute instances in my VCN on the same subnet. Next I’ll check the IP addresses of the compute instances and give those IPs A records in my Private Zone.

When you add a record there are multiple record types to choose from; I’ve just selected the A record to keep this example simple (for me!)

Different record types in OCI Private DNS

I’ve added both records now and they are visible in the Console. For this test I used a TTL of 30 seconds without further consideration, but it’s probably something you want to set deliberately in a real-life case.

Both records added

Remember to PUBLISH CHANGES after creation, otherwise they won’t take effect. Luckily the OCI Console reminds you of this when you navigate away.

There is still one more step needed: associating the custom View with our VCN resolver. From the Console you can see the VCN Resolver when you navigate to your VCN.

VCN associated with custom Private View

Now it’s time to test: what if I do an nslookup from server 1 with tfg-2?

[opc@tfg-2 ~]$ nslookup tfg-1.thatfinnishguy.com
Server:		169.254.169.254
Address:	169.254.169.254#53

Non-authoritative answer:
Name:	tfg-1.thatfinnishguy.com
Address: 10.0.0.2

[opc@tfg-2 ~]$ nslookup tfg-2.thatfinnishguy.com
Server:		169.254.169.254
Address:	169.254.169.254#53

Non-authoritative answer:
Name:	tfg-2.thatfinnishguy.com
Address: 10.0.0.3

From the tfg-2 server everything works, but oddly enough from the tfg-1 server on the same subnet I saw an issue where nslookup doesn’t work.

[opc@tfg-1 ~]$ nslookup tfg-1.thatfinnishguy.com
Server:		169.254.169.254
Address:	169.254.169.254#53

Non-authoritative answer:
Name:	tfg-1.thatfinnishguy.com
Address: 10.0.0.2

[opc@tfg-1 ~]$ nslookup tfg-2.thatfinnishguy.com
Server:		169.254.169.254
Address:	169.254.169.254#53

** server can't find tfg-2.thatfinnishguy.com: NXDOMAIN

It seems in this case it only took a few minutes until the record was active. I tried it a few times and couldn’t simulate the behaviour, but it’s something to keep in mind.
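The check above can be scripted so that a record which is unpublished, not yet active, or answered from somewhere other than the private zone is flagged per host. This is an added example, not code from the original post: it parses nslookup transcripts in the format shown above, the expected addresses are the ones in the post's output, and the sample transcript and status names are constructed for illustration.

```python
import ipaddress
import re
VCN_RESOLVER = "169.254.169.254"  # resolver address shown in the post's output
EXPECTED = {  # A records as they appear in the post's output
    "tfg-1.thatfinnishguy.com": "10.0.0.2",
    "tfg-2.thatfinnishguy.com": "10.0.0.3",
}
# Constructed sample in the same format as the tfg-1 session above.
SAMPLE = """\
[opc@tfg-1 ~]$ nslookup tfg-1.thatfinnishguy.com
Server:   169.254.169.254
Address:  169.254.169.254#53

Non-authoritative answer:
Name:   tfg-1.thatfinnishguy.com
Address: 10.0.0.2

[opc@tfg-1 ~]$ nslookup tfg-2.thatfinnishguy.com
Server:   169.254.169.254
Address:  169.254.169.254#53

** server can't find tfg-2.thatfinnishguy.com: NXDOMAIN
"""
PROMPT = re.compile(r"^\[\w+@([\w-]+) [^\]]*\]\$ nslookup (\S+)", re.M)

def check_transcript(text, expected=EXPECTED):
    """Return a (host, name, status) tuple for every nslookup run in text."""
    parts = PROMPT.split(text)[1:]  # host, name, output, host, name, output...
    results = []
    for host, name, out in zip(parts[0::3], parts[1::3], parts[2::3]):
        server = re.search(r"^Server:\s+(\S+)", out, re.M)
        answer = re.search(r"^Name:\s+\S+\s*\nAddress:\s+(\S+)", out, re.M)
        if not server or server.group(1) != VCN_RESOLVER:
            status = "WRONG_RESOLVER"   # query did not go to the VCN resolver
        elif "NXDOMAIN" in out:
            status = "NXDOMAIN"         # name not (yet) resolvable from this host
        elif not answer:
            status = "NO_ANSWER"
        elif not ipaddress.ip_address(answer.group(1)).is_private:
            status = "PUBLIC_ANSWER"    # resolved to a non-private address
        elif answer.group(1) != expected.get(name):
            status = "MISMATCH"         # private address, but not the expected one
        else:
            status = "OK"
        results.append((host, name, status))
    return results
if __name__ == "__main__":
    for row in check_transcript(SAMPLE):
        print(*row)
```

Anything other than OK for a name in the private zone means that host is not getting the answer the zone is meant to give, which is worth knowing before other systems start depending on those names.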

Summary

There are some steps involved to get everything working, and this probably needs some coordination if you have non-trivial requirements for DNS setup. I’d be very careful when designing a solution so it doesn’t end up a DNS nightmare!

Also, how will you manage DNS records in the long run? Automation here could be a major thing as well.

I heard a good comment on this earlier: while it’s great to have Private DNS available, it still feels like a sort of “overlay” on top of OCI DNS. I’m hoping that the next announcements will cover ExaCS and RAC DBCS, and also whether you can modify the default domain (oraclevcn.com).

Stay tuned for part 2 in the next post.

Simo

View Comments

  • The Private Zone/View is associated to a single VCN at the moment.
    So it's not supposed to be a global tenancy DNS for multi VCN tenancies. Each VCN points to a dedicated local VCN DNS server vcn-dns.oraclevcn.com (169.254.169.254).
