Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Configuring DNS connectivity between Yandex BareMetal and Yandex Virtual Private Cloud to access Managed Service for PostgreSQL via FQDN

Written by
Updated at March 30, 2026

Using fully qualified domain names (FQDNs) to connect to cloud services such as Yandex Managed Service for PostgreSQL is a best practice which helps to achive infrastructure abstraction and process automation. FQDNs remain constant, while IP addresses may change when you scale, restore, or migrate services.

However, if a server in the BareMetal segment is connected to the cloud via Yandex Cloud Interconnect, you will have an issue resolving FQDNs of cloud services, since direct DNS queries from an external subnet get blocked.

To resolve this issue, we recommend deploying an intermediate VM in the same subnet as the Managed Service for PostgreSQL cluster to act as a Bind9-based DNS forwarder. This server will accept DNS requests from the BareMetal server, forward them to Yandex Cloud DNS, and return responses to the client, ensuring correct resolution of the cloud service FQDNs.

To configure DNS connectivity:

  1. Set up your infrastructure.
  2. Configure a DNS forwarder on a VM.
  3. Configure a DNS client on the BareMetal server.
  4. Test FQDN access to the Managed Service for PostgreSQL cluster.
  5. Check the result.

If you no longer need the resources you created, delete them.

Set up your infrastructure

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.

Learn more about clouds and folders here.

The solution support costs include:

Create a Managed Service for PostgreSQL cluster

  1. In the management console, select the folder where you want to create a cluster.

  2. In the list of services, select Managed Service for PostgreSQL.

  3. Click Create cluster.

  4. Configure the cluster:

    • Cluster name: Specify the cluster name.
    • Database: Specify the database name, username, and password.
    • Network settings: Select the availability zones and subnets.

  5. Click Create cluster.

    Note

    Creating a Managed Service for PostgreSQL cluster automatically creates a private DNS zone, mdb.yandexcloud.net, where DNS records for cluster hosts are generated. Host FQDNs have the c-<cluster_ID>-<host_number>.mdb.yandexcloud.net format. Inside the zone, DNS records for the database are automatically created as well, e.g., 10.129.0.29 for the master and 10.130.0.15 for the replica.

For more information on creating a cluster, see this guide.

Create a VM for a DNS forwarder

  1. In the management console, select the folder where you want to create a VM.
  2. In the list of services, select Compute Cloud.
  3. In the left-hand panel, select Virtual machines.
  4. Click Create virtual machine.
  5. Under General information, enter the VM name.
  6. Under Boot disk image, select the Ubuntu 22.04 LTS image.
  7. Under Network settings:
    • In the Subnet field, select the subnet where the Managed Service for PostgreSQL cluster hosts are located, e.g., 10.129.0.0/24.
    • Enter the VM internal IP address, e.g., 10.129.0.10.
    • Make sure the availability zone matches the zone hosting the Managed Service for PostgreSQL cluster, e.g., ru-central1-b.
  8. Click Create VM.

For more information on creating a VM, see this guide.

Rent a BareMetal server

  1. In the management console, select the folder for the server you want to rent.
  2. In the list of services, select BareMetal.
  3. Click Lease server.
  4. Set up the server:
    • Select the appropriate server configuration.
    • Assign or get a private IP address over DHCP, e.g., 172.16.2.2.
  5. Click Lease server.

For more information on renting a server, see this guide.

Configure network connectivity

Configure connectivity between the BareMetal and Virtual Private Cloud subnets via Yandex Cloud Interconnect:

  1. Create a Virtual Private Cloud network with subnets in the availability zones you need.
  2. Create a BareMetal private subnet.
  3. Configure a connection via Yandex Cloud Interconnect between the BareMetal subnet and the Virtual Private Cloud subnet hosting the Managed Service for PostgreSQL cluster.

For more information on setting up network connectivity, see this guide.

The examples below use the following parameters:

  • BareMetal subnet: 172.16.2.0/24

  • BareMetal server IP address: 172.16.2.2

  • Virtual Private Cloud subnet with Managed Service for PostgreSQL hosts: 10.129.0.0/24

  • Bind9 VM IP address: 10.129.0.10

  • Virtual Private Cloud DNS resolvers: 10.129.0.2 and 10.130.0.2

    Note

    Virtual Private Cloud DNS resolvers have addresses of the 10.X.0.2 type, where X is the subnet number. Each subnet in Virtual Private Cloud has its own DNS resolver available.

Create a security group for the DNS forwarder

  1. In the management console, select the folder where you are deploying your infrastructure.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Security groups and click Create security group.

  4. In the Name field, specify dns-forwarder-sg.

  5. In the Network field, select the network the Bind9 VM resides in.

  6. Under Rules, create the following traffic management rules:

    Traffic
    direction    		 Description Port range Protocol Source /
    Destination name    		 CIDR blocks /
    Security group
    Inbound dns-udp 53 UDP CIDR 172.16.2.0/24
    Inbound dns-tcp 53 TCP CIDR 172.16.2.0/24
    Outbound dns-udp-forward 53 UDP CIDR 10.129.0.0/24
    Outbound dns-tcp-forward 53 TCP CIDR 10.129.0.0/24
    Outbound dns-udp-forward 53 UDP CIDR 10.130.0.0/24
    Outbound dns-tcp-forward 53 TCP CIDR 10.130.0.0/24

    Note

    This example uses the 10.129.0.0/24 and 10.130.0.0/24 subnets hosting the 10.129.0.2 and 10.130.0.2 DNS resolvers. Replace them with the subnets of your Virtual Private Cloud subnet DNS resolvers. Virtual Private Cloud DNS resolvers have addresses of the 10.X.0.2 type, where X is the subnet number.

  7. If required, add a rule for SSH access to the VM:

    Traffic
    direction    		 Description Port range Protocol Source /
    Destination name    		 CIDR blocks /
    Security group
    Ingress ssh 22 TCP CIDR <administrative_subnet_CIDR>

  8. Click Create.

Configure a DNS forwarder on a VM

  1. Connect to the VM over SSH.

  2. Install Bind9:

    sudo apt update
sudo apt install -y bind9 bind9-utils dnsutils

  3. Open the /etc/bind/named.conf.options file and specify the forwarding options:

    sudo nano /etc/bind/named.conf.options

    Configuration example:

    options {
  directory "/var/cache/bind";

  recursion yes;
  allow-recursion {
    172.16.2.0/24;
    localhost;
  };
  allow-query {
    172.16.2.0/24;
    localhost;
  };

  forwarders {
    10.129.0.2;
    10.130.0.2;
  };

  dnssec-validation auto;
  listen-on { any; };
  listen-on-v6 { any; };
};

  4. Check the configuration and restart the service:

    sudo named-checkconf
sudo systemctl restart bind9
sudo systemctl enable bind9

  5. Make sure the service is running:

    sudo systemctl status bind9 --no-pager

  6. If your VM is running the systemd-resolved local resolver which overwrites /etc/resolv.conf, configure it to work with Bind9:

    sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo mv /etc/resolv.conf /etc/resolv.conf.backup

    Create a static /etc/resolv.conf file:

    sudo nano /etc/resolv.conf

    Add a record:

    nameserver 127.0.0.1

  7. Set up a nameserver in Ubuntu. Edit the /run/systemd/resolve/stub-resolv.conf file:

    sudo nano /run/systemd/resolve/stub-resolv.conf

    Set nameserver to 127.0.0.1.

  8. Test the forwarder locally:

    dig @127.0.0.1 NS mdb.yandexcloud.net +short

    The response should include the zone's DNS server addresses.

    Alternative check:

    dig @127.0.0.1 yandex.ru +short

    If forwarding is configured correctly, this command will return the domain's IP address.

Configure a DNS client on the BareMetal server

  1. Connect to the BareMetal server over SSH.

  2. Set the Bind9 VM's IP address as the DNS server:

    sudo nano /etc/resolv.conf

    Here is an example:

    nameserver 10.129.0.10

  3. If /etc/resolv.conf is managed by a system service, set DNS persistently.

    Option 1: Use the systemd-resolve command for a specific interface:

    sudo systemd-resolve --interface ethXX --set-dns 10.129.0.10

    Where ethXX is the private network interface.

    Option 2: Edit the /etc/systemd/resolved.conf file:

    sudo nano /etc/systemd/resolved.conf

    Specify the following:

    [Resolve]
DNS=10.129.0.10
Domains=~.

    Apply the settings:

    sudo systemctl restart systemd-resolved

  4. Test DNS resolution:

    dig mdb.yandexcloud.net +short

    Test resolution of the Managed Service for PostgreSQL cluster host FQDN:

    dig c-<cluster_ID>-<host_number>.mdb.yandexcloud.net +short

    The commands should return cluster host IP addresses from the Virtual Private Cloud subnet, e.g., 10.129.0.29 for the master and 10.130.0.15 for the replica.

Test FQDN access to the Managed Service for PostgreSQL cluster

  1. Install the CA certificate:

    mkdir -p ~/.postgresql && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
  --output-document ~/.postgresql/root.crt && \
chmod 0600 ~/.postgresql/root.crt

  2. Install the PostgreSQL client:

    sudo apt update && sudo apt install -y postgresql-client

  3. Connect to the database using FQDNs:

    psql "host=<master_FQDN>,<replica_FQDN> port=6432 sslmode=verify-full dbname=<DB_name> user=<user_name> target_session_attrs=read-write"

    You can find the connection parameters for your cluster in the management console on the Managed Service for PostgreSQL cluster page.

Check the result

After you complete the setup:

  1. The server in the BareMetal segment successfully resolves domain names in the mdb.yandexcloud.net zone.
  2. Managed Service for PostgreSQL сluster host FQDNs are resolved to Virtual Private Cloud IP addresses.
  3. PostgreSQL connection is established using the FQDNs, so you do not need to manually specify IP addresses.

Warning

  • Use static IP addresses for the DNS forwarder VM and the BareMetal server to avoid DNS resolution issues upon restart.

  • Regularly check Bind9 logs to detect issues with DNS requests:

    sudo journalctl -u bind9 -f

  • If you change the subnet hosting the Managed Service for PostgreSQL cluster, update the DNS resolver addresses in the forwarders Bind9 configuration parameter.

How to delete the resources you created

To stop using resources and avoid additional costs:

  1. Delete the VM with the DNS forwarder.
  2. Delete the security group created for the DNS forwarder.
  3. If you no longer need the test cluster, delete the Managed Service for PostgreSQL cluster.
  4. If you used Yandex Cloud Interconnect to set up connectivity for testing purposes only, delete the associated network settings and Cloud Interconnect resources.
Previous
Connecting a BareMetal server as an external node to a Managed Service for Kubernetes cluster
Next
Pricing policy