Integrating Cloud DNS and a corporate DNS service
If you have your own corporate networks connected to internal networks in your Yandex Cloud cloud via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name, regardless of their location, both in corporate and cloud networks.
You cannot delegate management of DNS records in Yandex Cloud private zones to DNS servers in your corporate network, because NS records are ignored in private DNS zones. To make cloud services and resources in private zones resolvable by name, configure separate DNS forwarders in your cloud subnets. A DNS forwarder is a DNS server that sends each query to a different upstream server depending on the name being queried. We recommend CoreDNS or Unbound; this tutorial shows the configuration for both.
Warning
Some DNS forwarders compare the zone a record belongs to in Cloud DNS with their own settings when validating responses. In this case, specify only zones that actually exist in Cloud DNS. For example, if the records belong to the root zone (.), configure forwarding for that zone.
To set up name resolution for corporate services and resources in Yandex Cloud networks:
- Review the integration example.
- Set up cloud DNS.
- Set up corporate DNS servers.
- Run a health check for the service.
If you no longer need the resources you created, delete them.
Integration example
- The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.
- Each subnet has one DNS server:
  - 172.16.1.5: ns1.corp.example.net
  - 172.16.2.5: ns2.corp.example.net
  These servers serve the corp.example.net DNS zone.
- The Yandex Cloud network also consists of two subnets:
  - 172.16.3.0/24: subnet3, in the ru-central1-a availability zone.
  - 172.16.4.0/24: subnet4, in the ru-central1-b availability zone.
  These subnets host the Yandex Cloud DNS servers, 172.16.3.2 and 172.16.4.2. These servers serve the cloud network's private DNS zones.
- The corporate and cloud networks are interconnected so that all subnets of one network are reachable from the subnets of the other network, and vice versa.
Next, you need to set up two DNS forwarders in the cloud network:
- 172.16.3.5: forwarder1.internal
- 172.16.4.5: forwarder2.internal
They will forward DNS queries as follows:
- Queries for the corp.example.net zone: to the corporate DNS servers, 172.16.1.5 and 172.16.2.5.
- All other queries (the . zone): to the internal Yandex Cloud DNS server of the forwarder's own subnet, 172.16.3.2 or 172.16.4.2.
To make the DNS forwarders fault tolerant, they are placed behind an internal Yandex Network Load Balancer. All queries to the DNS forwarders (from both the cloud network and the corporate network) pass through this load balancer.
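The forwarding decision described above, as an added example that is not CoreDNS or Unbound code: a Python model of what a forwarder does with each query (longest matching zone suffix, with . as the catch-all), together with a strict parser for the question section of a DNS query and the source-address check that the Unbound configuration later expresses as access-control lines. The rules and addresses are taken from the integration example; the client address 172.16.4.7, the sample packets, and all function names are constructed for this example.

```python
import ipaddress
import struct

# Constructed forwarding rules that mirror the integration example (this is
# forwarder1 in subnet3; forwarder2 would use 172.16.4.2 for the "." zone).
FORWARD_RULES_FORWARDER1 = {
    "corp.example.net": ["172.16.1.5", "172.16.2.5"],
    ".": ["172.16.3.2"],
}

# Clients allowed to query the forwarder, as in the Unbound access-control lines.
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "172.16.0.0/21")]


def normalize(name: str) -> str:
    """Lower-case and add exactly one trailing dot: 'CORP.Example.NET' -> 'corp.example.net.'."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def select_upstream(qname: str, rules: dict) -> list:
    """Choose upstream resolvers by longest matching zone suffix.

    Zones match whole labels only: 'ns1.corp.example.net.' is inside
    'corp.example.net.' but 'notcorp.example.net.' is not and falls through to '.'.
    """
    q = normalize(qname)
    best, best_len = None, -1
    for zone, upstreams in rules.items():
        z = normalize(zone)
        matched = z == "." or q == z or q.endswith("." + z)
        if matched and len(z) > best_len:
            best, best_len = upstreams, len(z)
    if best is None:
        raise LookupError(f"no forwarding rule covers {q}")
    return best


def client_allowed(src_ip: str, acl=ALLOWED_CLIENTS) -> bool:
    """Source-address ACL check; a refused client gets no answer at all."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl)


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) from a DNS query's question section.

    Question names are never compressed, so walking the labels is enough. Every
    length is bounds-checked so a malformed packet raises ValueError instead of
    being forwarded upstream.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed test input: a minimal DNS query (A record by default) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [lab for lab in normalize(qname).split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def route_query(packet: bytes, src_ip: str, rules=FORWARD_RULES_FORWARDER1):
    """What the forwarder does with one received datagram:
    None if the client is refused by the ACL, otherwise the upstream list to use."""
    if not client_allowed(src_ip):
        return None
    qname, _, _ = parse_question(packet)
    return select_upstream(qname, rules)


if __name__ == "__main__":
    for name in ("ns1.corp.example.net", "notcorp.example.net", "ns.internal", "cisco.com"):
        print(name, "->", route_query(build_query(name), "172.16.4.7"))
    print("refused client:", route_query(build_query("ns.internal"), "10.0.0.1"))
```

The suffix match is deliberately label-aware: a plain string suffix test would send notcorp.example.net to the corporate servers, which is exactly the kind of zone-boundary mistake the warning at the top of the page is about.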
Getting started
- To install DNS forwarders in each cloud subnet (subnet3 and subnet4), create a VM from the Ubuntu 20.04 public image with the following parameters:
  - Name:
    - forwarder1: for the VM in subnet3.
    - forwarder2: for the VM in subnet4.
  - Under Network settings:
    - Public IP: No address.
    - Internal IPv4 address: select Manual and specify:
      - 172.16.3.5 for the forwarder1 VM.
      - 172.16.4.5 for the forwarder2 VM.
- To connect from the internet and test the service in subnet4, create another VM from the Ubuntu 20.04 public image with the following parameters:
  - Name: test1.
  - Under Network settings:
    - Public IP: Auto.
    - Internal IPv4 address: Auto.
- To be able to install software from the internet in subnet3 and subnet4, set up a NAT gateway.
Required paid resources
The infrastructure support costs include:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Set up cloud DNS
Set up DNS forwarders
CoreDNS
- Connect to the VM on which you will install the DNS forwarder via the test1 intermediate VM.
- Download the current CoreDNS release from the developer page and install it:

```bash
cd /var/tmp && wget <package_URL> -O - | tar -zxvf -
sudo mv coredns /usr/local/sbin
```

- Create the CoreDNS configuration file. The health plugin serves GET /health on port 8080 by default, which is what the load balancer health check below probes. Note that this Corefile has no client ACL: CoreDNS answers any host that can reach port 53, so the forwarder VMs must stay without public IP addresses (or use the CoreDNS acl plugin to restrict clients).
  - forwarder1:

```bash
sudo mkdir -p /etc/coredns
# Overwrite rather than append so that re-running this step does not duplicate server blocks.
sudo tee /etc/coredns/Corefile <<EOF
corp.example.net {
    forward . 172.16.1.5 172.16.2.5
}
. {
    forward . 172.16.3.2
    health
}
EOF
```

  - forwarder2:

```bash
sudo mkdir -p /etc/coredns
sudo tee /etc/coredns/Corefile <<EOF
corp.example.net {
    forward . 172.16.1.5 172.16.2.5
}
. {
    forward . 172.16.4.2
    health
}
EOF
```

- Enable automatic startup for CoreDNS:

```bash
# The service runs as root only because it binds port 53; a dedicated user with
# AmbientCapabilities=CAP_NET_BIND_SERVICE is the least-privilege alternative.
sudo tee /etc/systemd/system/coredns.service <<EOF
[Unit]
Description=CoreDNS
After=network.target

[Service]
User=root
ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
StandardOutput=append:/var/log/coredns.log
StandardError=append:/var/log/coredns.log
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now coredns
```

- Disable the system DNS resolver so that the local DNS forwarder handles name resolution. On Ubuntu 20.04, /etc/resolv.conf is a symlink owned by root, so removing it needs sudo:

```bash
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
```
Unbound
- Connect to the DNS forwarder VM via the test1 intermediate VM.
- Install the unbound package:

```bash
sudo apt update && sudo apt install --yes unbound
```

- Configure the DNS forwarder. The module-config line disables the validator module, so unsigned answers from the private zones are accepted as-is; interface 0.0.0.0 listens on every IPv4 address, and the access-control lines are what keeps the forwarder from being an open resolver inside the VPC.
  unbound.conf for forwarder1:

```bash
sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
    module-config: "iterator"
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/21 allow
forward-zone:
    name: "corp.example.net"
    forward-addr: 172.16.1.5
    forward-addr: 172.16.2.5
forward-zone:
    name: "."
    forward-addr: 172.16.3.2
EOF
```

  unbound.conf for forwarder2:

```bash
sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
    module-config: "iterator"
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/21 allow
forward-zone:
    name: "corp.example.net"
    forward-addr: 172.16.1.5
    forward-addr: 172.16.2.5
forward-zone:
    name: "."
    forward-addr: 172.16.4.2
EOF
```

- Restart Unbound:

```bash
sudo systemctl restart unbound
```

- Disable the system DNS resolver so that the local DNS forwarder handles name resolution. On Ubuntu 20.04, /etc/resolv.conf is a symlink owned by root, so removing it needs sudo:

```bash
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
```
Set up the network load balancer
Create an internal network load balancer with the following parameters:
- Type: Internal.
- Under Listeners:
  - Subnet: select subnet3 from the list.
  - Protocol: UDP.
  - Port: 53.
  - Target port: 53.
- Under Target groups:
  - Create a group with the forwarder1 and forwarder2 hosts.
  - Under Health check, specify the parameters:
    - For CoreDNS:
      - Type: HTTP
      - Path: /health
      - Port: 8080
    - For Unbound:
      - Type: TCP
      - Port: 53
When you create the load balancer, it is automatically assigned an IP address from subnet3.
This listener carries UDP only. A client that retries over TCP (for example, after a truncated response) will not reach the forwarders through the load balancer unless you also add a TCP listener on port 53 with the same target group.
Note
The internal network load balancer will not respond to DNS requests from the forwarders that make up its target group, forwarder1 and forwarder2. This is due to its implementation. For more information, see Network load balancer types.
Set up DHCP
To make sure that hosts in the cloud network automatically use the corporate DNS service, in the DHCP settings for subnet3 and subnet4, specify:
- Domain name servers: the IP address assigned to the load balancer.
- (Optional) Domain name: corp.example.net.
To update the network settings on the forwarder1, forwarder2, and test1 hosts, run:

```bash
sudo netplan apply
```

Once the network settings are updated, hosts in the cloud network will use the load balancer instead of the Yandex Cloud DNS server. The forwarder hosts themselves keep resolving through 127.0.0.1, as configured above: with systemd-resolved disabled, netplan apply does not rewrite their /etc/resolv.conf, and the load balancer would not answer them anyway.
Set up corporate DNS servers
Configure the corporate servers so that DNS queries to the Yandex Cloud private zones are forwarded to the IP address that was assigned to the load balancer.
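As an added example (not Yandex Cloud's tooling, nor code from the CoreDNS, Unbound, or BIND projects), this Python script renders the forwarder configurations from the integration example, renders the corporate-side forward zone for BIND 9 (an assumption: the page does not say what software ns1 and ns2 run), and performs the checks a practitioner would want before rolling the configuration out: that each forwarder's address lies in its subnet and does not collide with the subnet's Cloud DNS server (the second address of each subnet, 172.16.3.2 and 172.16.4.2), and that the access-control list admits both the cloud subnets and the corporate servers, which reach the forwarders with their own source addresses. The load balancer address 172.16.3.10 is a placeholder for the value assigned when you create the balancer; the zone name internal is the one the health-check step resolves ns.internal in.

```python
import ipaddress

# Constructed description of the integration example on this page.
CORP_ZONE = "corp.example.net"
CORP_DNS = ["172.16.1.5", "172.16.2.5"]
CLIENT_ACL = ["127.0.0.0/8", "172.16.0.0/21"]   # the Unbound access-control lines
FORWARDERS = {
    "forwarder1": {"subnet": "172.16.3.0/24", "address": "172.16.3.5"},
    "forwarder2": {"subnet": "172.16.4.0/24", "address": "172.16.4.5"},
}
LB_ADDRESS = "172.16.3.10"        # placeholder: the real value is assigned when the balancer is created
CLOUD_PRIVATE_ZONE = "internal"   # the zone the health-check step resolves ns.internal in


def cloud_dns_address(subnet_cidr: str) -> str:
    """Yandex Cloud DNS answers on the second address of each subnet (172.16.3.2, 172.16.4.2)."""
    net = ipaddress.ip_network(subnet_cidr)
    return str(net.network_address + 2)


def render_corefile(subnet_cidr: str) -> str:
    """Corefile for a forwarder in subnet_cidr: the corporate zone goes to ns1/ns2,
    everything else to the Cloud DNS server of the forwarder's own subnet."""
    return (
        f"{CORP_ZONE} {{\n"
        f"    forward . {' '.join(CORP_DNS)}\n"
        "}\n"
        ". {\n"
        f"    forward . {cloud_dns_address(subnet_cidr)}\n"
        "    health\n"
        "}\n"
    )


def render_unbound_conf(subnet_cidr: str) -> str:
    """Equivalent Unbound fragment, including the client ACL."""
    lines = ["server:", '    module-config: "iterator"', "    interface: 0.0.0.0"]
    lines += [f"    access-control: {net} allow" for net in CLIENT_ACL]
    lines += ["forward-zone:", f'    name: "{CORP_ZONE}"']
    lines += [f"    forward-addr: {addr}" for addr in CORP_DNS]
    lines += ["forward-zone:", '    name: "."', f"    forward-addr: {cloud_dns_address(subnet_cidr)}"]
    return "\n".join(lines) + "\n"


def render_bind_forward_zone(zone: str, lb_address: str) -> str:
    """Corporate-side counterpart, assuming ns1/ns2 run BIND 9: send the cloud private zone
    to the load balancer. 'forward only' stops BIND from falling back to normal recursion,
    which would leak queries for private names to the public root servers when the
    balancer is unreachable."""
    return (
        f'zone "{zone}" {{\n'
        "    type forward;\n"
        "    forward only;\n"
        f"    forwarders {{ {lb_address}; }};\n"
        "};\n"
    )


def check_forwarder(name: str, spec: dict) -> list:
    """Pre-deployment checks; returns a list of problems (empty means OK)."""
    problems = []
    subnet = ipaddress.ip_network(spec["subnet"])
    addr = ipaddress.ip_address(spec["address"])
    acl = [ipaddress.ip_network(n) for n in CLIENT_ACL]
    if addr not in subnet:
        problems.append(f"{name}: {addr} is not inside {subnet}")
    elif str(addr) == cloud_dns_address(spec["subnet"]):
        problems.append(f"{name}: {addr} is the subnet's Cloud DNS address")
    if not any(subnet.subnet_of(n) for n in acl):
        problems.append(f"{name}: clients in {subnet} are refused by access-control")
    for corp in CORP_DNS:
        if not any(ipaddress.ip_address(corp) in n for n in acl):
            problems.append(f"{name}: corporate server {corp} is refused by access-control")
    return problems


if __name__ == "__main__":
    for name, spec in FORWARDERS.items():
        print(f"# {name} Corefile\n{render_corefile(spec['subnet'])}")
        print(f"# {name} unbound.conf\n{render_unbound_conf(spec['subnet'])}")
        print(f"# {name} checks: {check_forwarder(name, spec) or 'OK'}")
    print(render_bind_forward_zone(CLOUD_PRIVATE_ZONE, LB_ADDRESS))
```

The ACL check matters because the corporate servers query the forwarders through the load balancer: if 172.16.0.0/21 were narrowed to the two cloud subnets, the forwarders would silently refuse ns1 and ns2 and only the cloud-to-corporate direction would work.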
Run a health check for the service
- Check that on the forwarder1, forwarder2, and test1 cloud hosts, names in the corp.example.net private zone are resolved:

```text
host ns1.corp.example.net
ns1.corp.example.net has address 172.16.1.5
```

- Check that on the forwarder1, forwarder2, and test1 cloud hosts, names in public zones are resolved, for example:

```text
host cisco.com
cisco.com has address 72.163.4.185
...
```

- Check that on the ns1 and ns2 corporate DNS servers, internal Yandex Cloud names are resolved, for example:

```text
host ns.internal
ns.internal has address 10.130.0.2
```

- To make sure that the services start automatically, restart the forwarder1, forwarder2, and test1 VMs and then re-run the checks above.
How to delete the resources you created
To stop paying for the resources:
- Delete the VMs.
- Delete the static public IP addresses if you reserved them specifically for your VMs.
- Delete the target groups.
- Delete the listeners.
- Delete the network load balancer.
- Delete the subnets.
- Delete the route table.
- Delete the NAT gateway.
- Delete the networks.