I’ve wanted to write about this topic for quite a while, and OCI has finally released its first step of Private DNS capabilities!
Why do I think this is a big thing? Let’s say you need a Hub & Spoke model with multiple VCNs; if you wanted to resolve hostnames between VCNs, you might have had to implement DNS forwarders and play around with different options to get it working.
Or you want to use your own hostnames, but some subnets that have Exadata or VM RAC DBCS don’t support anything other than oraclevcn.com. To be honest they still don’t, but this is just the first step. At least now you have more options for DNS and how to configure it.
This post is part one of a two-part series. In the second part I’ll look at DNS between VCNs and some use cases for it.
This post will examine the following:
Before starting, I would read the documentation on Private DNS and Private DNS in your VCN. Reading these didn’t actually make the whole implementation as clear as it could be, which I’m hoping Oracle will address later on.
High-level steps (assuming the VCN exists) are:
There are a few key components which are good to understand:
I started by creating a VCN with one public subnet. This VCN will have two private views: the default one (vcn-thatfinnishguy) and a custom view (private-view-thatfinnishguy-domain), which will have an additional Private Zone as well.
I’ll also create a Private Zone for the Private View. This one will have a domain (the made-up thatfinnishguy.com) which will be used to insert A records pointing to specific IPs.
After creating the Zone I can see my Private Zones and which View they belong to. The two at the bottom are the ones created automatically when the VCN was created.
I created two free tier compute instances in my VCN on the same subnet. Next I’ll check the IP addresses of the compute instances and add A records for those IPs to my Private Zone.
When you add a record there are multiple record types to choose from; I’ve just selected an A record to keep this example simple (for me!).
I’ve added both records now and they are visible in the Console. For this test I used a TTL of 30 seconds without further consideration, but it’s probably something you want to set deliberately in a real-life case.
Remember to PUBLISH CHANGES after creation, otherwise they won’t be in play. Luckily the OCI Console reminds you of this when you navigate away.
There is still one more step needed: associate the custom View with our VCN resolver. In the Console you can see the VCN Resolver when you navigate to your VCN.
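Managing the A records by hand in the Console works for two instances, but it does not scale, and it is easy to leave a stale address behind when an instance is recreated with a new IP. The following is an added example (not code from this post or from Oracle) of the reconciliation logic I would put in front of the zone: build the desired records from a host-to-IP inventory, validate them, and compute only the additions and removals for the domains you manage, leaving other records in the zone alone. The zone name thatfinnishguy.com, the host names tfg-1/tfg-2 and the 30-second TTL are the ones used in this post; the record data in the test is constructed. The apply_plan function uses names assumed from the OCI Python SDK (oci.dns.models.RecordOperation, PatchZoneRecordsDetails and DnsClient.patch_zone_records with scope="PRIVATE" and view_id); it needs the oci package and valid credentials, while the planning functions run offline.

```python
import ipaddress
from dataclasses import dataclass

ZONE = "thatfinnishguy.com"   # private zone used in this post


@dataclass(frozen=True)
class ARecord:
    domain: str   # fully qualified name, e.g. "tfg-1.thatfinnishguy.com"
    rdata: str    # IPv4 address as text
    ttl: int      # seconds


def desired_records(hosts, zone=ZONE, ttl=30):
    """Build the desired A records from a {hostname: ip} inventory, validating each entry."""
    records = set()
    for host, ip in hosts.items():
        if not host or "." in host:
            raise ValueError(f"hostname must be a single label: {host!r}")
        addr = ipaddress.IPv4Address(ip)   # rejects malformed text and IPv6 addresses
        if not addr.is_private:
            # design choice: a private zone should only ever publish private addresses
            raise ValueError(f"{host}: {ip} is not a private address")
        records.add(ARecord(f"{host}.{zone}", str(addr), ttl))
    return records


def plan_changes(desired, current):
    """Return (to_add, to_remove).

    Only domains present in `desired` are touched, so records that someone else
    manages elsewhere in the zone are never removed by this script."""
    managed = {r.domain for r in desired}
    to_remove = {r for r in current if r.domain in managed and r not in desired}
    to_add = desired - current
    return to_add, to_remove


def to_record_operations(to_add, to_remove):
    """Translate the plan into the operation list shape assumed for PatchZoneRecords.
    Removals go first so that a changed IP is replaced rather than duplicated."""
    order = lambda r: (r.domain, r.rdata)
    ops = []
    for r in sorted(to_remove, key=order):
        ops.append({"domain": r.domain, "rtype": "A", "rdata": r.rdata,
                    "ttl": r.ttl, "operation": "REMOVE"})
    for r in sorted(to_add, key=order):
        ops.append({"domain": r.domain, "rtype": "A", "rdata": r.rdata,
                    "ttl": r.ttl, "operation": "ADD"})
    return ops


def apply_plan(dns_client, zone_id, view_id, to_add, to_remove):
    """Submit the plan to OCI. SDK class and method names are assumed, see lead-in."""
    import oci  # only needed when actually talking to OCI
    items = [oci.dns.models.RecordOperation(**op)
             for op in to_record_operations(to_add, to_remove)]
    details = oci.dns.models.PatchZoneRecordsDetails(items=items)
    return dns_client.patch_zone_records(zone_id, details, scope="PRIVATE", view_id=view_id)


if __name__ == "__main__":
    # constructed sample: tfg-1 was recreated with a new IP, tfg-2 is new, db.* is not ours
    current = {ARecord("tfg-1.thatfinnishguy.com", "10.0.0.9", 30),
               ARecord("db.thatfinnishguy.com", "10.0.0.50", 300)}
    desired = desired_records({"tfg-1": "10.0.0.2", "tfg-2": "10.0.0.3"})
    add, remove = plan_changes(desired, current)
    for op in to_record_operations(add, remove):
        print(op["operation"], op["domain"], op["rdata"], op["ttl"])
```

Running the module prints the three operations for the constructed sample (one REMOVE for the old tfg-1 address, two ADDs); the db record is untouched because it is not in the inventory. Keep the inventory in version control so a record change is reviewed like any other infrastructure change.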
Now it’s time to test: what happens if I run nslookup from tfg-2?
[opc@tfg-2 ~]$ nslookup tfg-1.thatfinnishguy.com
Server: 169.254.169.254
Address: 169.254.169.254#53
Non-authoritative answer:
Name: tfg-1.thatfinnishguy.com
Address: 10.0.0.2
[opc@tfg-2 ~]$ nslookup tfg-2.thatfinnishguy.com
Server: 169.254.169.254
Address: 169.254.169.254#53
Non-authoritative answer:
Name: tfg-2.thatfinnishguy.com
Address: 10.0.0.3
From the tfg-2 server everything works, but oddly enough from the tfg-1 server on the same subnet I saw that nslookup didn’t work.
[opc@tfg-1 ~]$ nslookup tfg-1.thatfinnishguy.com
Server: 169.254.169.254
Address: 169.254.169.254#53
Non-authoritative answer:
Name: tfg-1.thatfinnishguy.com
Address: 10.0.0.2
[opc@tfg-1 ~]$ nslookup tfg-2.thatfinnishguy.com
Server: 169.254.169.254
Address: 169.254.169.254#53
** server can't find tfg-2.thatfinnishguy.com: NXDOMAIN
It seems in this case it only took a few minutes until the record was active; I tried a few more times and couldn’t reproduce the behaviour, but it is something to keep in mind.
There are some steps involved to get everything working, and this probably needs some coordination if you have non-trivial requirements for your DNS setup. I’d be very careful in designing the solution so it doesn’t end up a DNS nightmare!
Also, how will you manage DNS records in the long run? Automation could be a major thing here as well.
I heard a good comment on this earlier: while it’s great to have Private DNS available, it still feels like an “overlay” on top of OCI DNS. I’m hoping the next announcements will be regarding ExaCS and RAC DBCS, and also whether you can modify the default domain (oraclevcn.com).
Stay tuned for part 2 in the next post.
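The NXDOMAIN seen on tfg-1 right after publishing is the kind of thing a deployment pipeline should wait for rather than fail on. As an added example (not from this post or from Oracle), the script below sends a raw A query to the VCN resolver at 169.254.169.254 (the address nslookup reported above) using only the Python standard library, distinguishes NXDOMAIN from an answer, and polls until the expected address appears. The host names and addresses are the ones from this post; the timing parameters and the transaction id are my own choices, and make_sample_response builds constructed replies so the parser can be exercised offline without a VCN.

```python
import socket
import struct
import time

VCN_RESOLVER = "169.254.169.254"   # VCN resolver address from the nslookup output above
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS query: one A/IN question with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset just after the name field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg, expected_txid=0x1234):
    """Return (rcode_name, [(name, ipv4, ttl), ...]) for the A answers in a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, str(rcode)), answers


def resolve_a(name, server=VCN_RESOLVER, timeout=2.0):
    """Send one A query over UDP to the resolver and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


def wait_until_published(name, expected_ip, server=VCN_RESOLVER, attempts=12, interval=10.0):
    """Poll until the resolver returns expected_ip for name. NXDOMAIN or a timeout
    while waiting is treated as 'not published yet', not as a hard failure."""
    for attempt in range(1, attempts + 1):
        try:
            rcode, answers = resolve_a(name, server)
        except socket.timeout:
            rcode, answers = "TIMEOUT", []
        if any(ip == expected_ip for _, ip, _ in answers):
            return True
        print(f"attempt {attempt}: {name} -> {rcode} {[ip for _, ip, _ in answers]}")
        if attempt < attempts:
            time.sleep(interval)
    return False


def make_sample_response(name, ip=None, ttl=30, txid=0x1234):
    """Constructed sample reply for offline testing (not captured from the VCN resolver):
    NXDOMAIN when ip is None, otherwise NOERROR with one A answer using a name pointer."""
    question = build_query(name, txid)[12:]
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question   # rcode 3
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    for host, ip in (("tfg-1.thatfinnishguy.com", "10.0.0.2"),
                     ("tfg-2.thatfinnishguy.com", "10.0.0.3")):
        print(host, "published" if wait_until_published(host, ip) else "NOT published")
```

Run it on an instance inside the VCN after PUBLISH CHANGES; it keeps asking the VCN resolver until both names return the expected addresses or the attempts run out. Checking the transaction id and the record class before trusting an answer is cheap and avoids acting on a stray reply.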
The Private Zone/View is associated to a single VCN at the moment.
So it's not supposed to be a global tenancy DNS for multi-VCN tenancies. Each VCN points to a dedicated local VCN DNS server vcn-dns.oraclevcn.com (169.254.169.254).
Thanks for this Simo! Just in time for my current OCI migration.