Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Integrating Cloud DNS and a corporate DNS service

Written by
Updated at September 4, 2024

If you have your own corporate networks connected to internal networks in your Yandex Cloud cloud via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name, regardless of their location, both in corporate and cloud networks.

You cannot delegate DNS record management in private zones in Yandex Cloud to your DNS servers in the corporate network, because NS records are ignored for private DNS zones. To ensure domain name recognition for cloud network services and resources in private zones, configure separate DNS forwarders in your cloud subnets. DNS forwarders are DNS servers that redirect requests differently depending on the name specified in the request. We recommend CoreDNS or Unbound.

Warning

Some DNS forwarders map the location of zones in Cloud DNS to their own settings when validating responses. In this case, only specify existing Cloud DNS zones in the settings. For example, if records share a . zone, configure redirects for this zone.

To set up name recognition for corporate services and resources in Yandex Cloud cloud networks:

  1. Read an integration example description.
  2. Set up cloud DNS.
  3. Set up corporate DNS servers.
  4. Run a health check for the service.

If you no longer need the resources you created, delete them.

Integration example

  1. The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.

  2. Each subnet has one DNS server:

    • 172.16.1.5: ns1.corp.example.net
    • 172.16.2.5: ns2.corp.example.net

    These servers serve the corp.example.net DNS zone.

  3. The Yandex Cloud cloud network also consists of two subnets:

    • 172.16.3.0/24: subnet3, in the ru-central1-a availability zone.
    • 172.16.4.0/24: subnet4, in the ru-central1-b availability zone.

    These subnets host the Yandex Cloud DNS servers, 172.16.3.2 and 172.16.4.2.

    These servers serve the cloud network's private DNS zones.

  4. The corporate and cloud networks are interconnected so that all subnets of one network are accessible from subnets of the other network, and vice versa.

Next, you need to set up two DNS forwarders in the cloud network:

  • 172.16.3.5: forwarder1.internal
  • 172.16.4.5: forwarder2.internal

They will redirect DNS requests as follows:

  • Requests to the corp.example.net zone: Via corporate DNS servers, 172.16.1.5 and 172.16.2.5.
  • All other requests (to the . zone): Via internal Yandex Cloud DNS servers to the corresponding subnets, 172.16.3.2 and 172.16.4.2.

To ensure fault tolerance for DNS forwarders, they will be placed behind the internal network load balancerYandex Network Load Balancer. All requests to DNS forwarders (both from the cloud network and from the corporate network) will pass through this load balancer.

Getting started

  1. To install DNS forwarders in each cloud subnet (subnet3 and subnet4), create a VM from the Ubuntu 20.04 public image with the following parameters:

    • Name:
      • forwarder1: For the VM in subnet3.
      • forwarder2: For the VM in subnet4.
    • Under Network settings:
      • Public IP: No address.
      • Internal IPv4 address: Select Manual and specify:
        • 172.16.3.5: For the forwarder1 VM.
        • 172.16.4.5: For the forwarder2 VM.

  2. To connect from the internet and check the service in subnet4, create other VM instance from the Ubuntu 20.04 public image with the following parameters:

    • Name: test1.
    • Under Network settings:
      • Public IP: Auto.
      • Internal IPv4 address: Auto.

  3. To be able to install software from the internet in subnet3 and subnet4, set up a NAT gateway.

The infrastructure support costs include:

Set up cloud DNS

  1. Set up DNS forwarders.
  2. Set up the network load balancer.
  3. Set up DHCP.

Set up DNS forwarders

  1. Connect to the VM to install a DNS forwarder via the test1 intermediate VM instance.

  2. Download the current CoreDNS version from the developer page and install it:

    cd /var/tmp && wget <package_URL> -O - | tar -zxvf
sudo mv coredns /usr/local/sbin

  3. Create the CoreDNS configuration file:

    • forwarder1:

      sudo mkdir /etc/coredns
sudo tee >> /etc/coredns/Corefile <<EOF
corp.example.net {
  forward . 172.16.1.5 172.16.2.5
}
. {
  forward . 172.16.3.2
  health
}
EOF

    • forwarder2:

      sudo mkdir /etc/coredns
sudo tee >> /etc/coredns/Corefile <<EOF
corp.example.net {
  forward . 172.16.1.5 172.16.2.5
}
. {
  forward . 172.16.4.2
  health
}
EOF

  4. Enable automatic startup for CoreDNS:

    sudo tee >> /etc/systemd/system/coredns.service <<EOF
[Unit]
Description=CoreDNS
After=network.target

[Service]
User=root
ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
StandardOutput=append:/var/log/coredns.log
StandardError=append:/var/log/coredns.log
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now coredns

  5. Disable the DNS name resolution system service to delegate its function to the local DNS forwarder. In Ubuntu 20.04, this can be done with the commands:

    sudo systemctl disable --now systemd-resolved
rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

  1. Connect to the VM of DNS forwarder via the test1 intermediate VM instance.

  2. Install the unbound package:

    sudo apt update && sudo apt install --yes unbound

  3. Set up and restart the DNS forwarder:

    unbound.conf for forwarder1
    sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
  module-config: "iterator"
  interface: 0.0.0.0
  access-control: 127.0.0.0/8   allow
  access-control: 172.16.0.0/21 allow

forward-zone:
  name: "corp.example.net"
  forward-addr: 172.16.1.5
  forward-addr: 172.16.2.5

forward-zone:
  name: "."
  forward-addr: 172.16.3.2
EOF
    unbound.conf for forwarder2
    sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
  module-config: "iterator"
  interface: 0.0.0.0
  access-control: 127.0.0.0/8   allow
  access-control: 172.16.0.0/21 allow

forward-zone:
  name: "corp.example.net"
  forward-addr: 172.16.1.5
  forward-addr: 172.16.2.5

forward-zone:
  name: "."
  forward-addr: 172.16.4.2
EOF

  4. Restart Unbound:

    sudo systemctl restart unbound

  5. Disable the DNS name resolution system service to delegate its function to the local DNS forwarder. In Ubuntu 20.04, this can be done with the commands:

    sudo systemctl disable --now systemd-resolved
rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Set up the Network Load Balancer network load balancer

Create an internal network load balancer with the following parameters:

Note

By default, UDP traffic processing is disabled for the network load balancer. To enable UDP traffic processing on the network load balancer, contact support. You can learn more here.

  • Type: Internal.

  • Under Listeners:

    • Subnet: Select subnet3 from the list.
    • Protocol: UDP
    • Port: 53
    • Target port: 53

  • Under Target groups:

    • Create a group with the forwarder1 and forwarder2 hosts.

    • Under Health check, specify the parameters:

      • Type: HTTP
      • Path: /health
      • Port: 8080
      • Type: TCP
      • Port: 53

When you create a load balancer, it is automatically assigned an IP address from subnet3.

Note

The internal network load balancer will not respond to DNS requests from forwarders that make up its target group: forwarder1 and forwarder2. This is due to its implementation. For more information, see Network load balancer types.

Set up DHCP

To make sure that hosts in the cloud network automatically use the corporate DNS service, in the DHCP settings for subnet3 and subnet4, specify:

  1. Domain name servers: IP address that was assigned to the load balancer.
  2. (Optional) Domain name: corp.example.net.

To update the network settings on the forwarder1, forwarder2, and test1 hosts, run the following command:

sudo netplan apply

Once the network settings are updated, the hosts in the cloud network will use the load balancer instead of the Yandex Cloud DNS server.

Set up corporate DNS servers

Configure the corporate servers so that DNS queries to the Yandex Cloud private zones are forwarded to the IP address that was assigned to the load balancer.

Run a health check for the service

  1. Check that on the forwarder1, forwarder2, and test1 cloud hosts, domain names are resolved in the corp.example.net private zone:

    host ns1.corp.example.net
ns1.corp.example.net has address 172.16.1.5

  2. Check that on the forwarder1, forwarder2, and test1 cloud hosts, domain names are resolved in public zones, for example:

    host cisco.com
cisco.com has address 72.163.4.185
...

  3. Check that on the ns1 and ns2 corporate DNS servers, internal Yandex Cloud names are resolved, for example:

    host ns.internal
ns.internal has address 10.130.0.2

  4. To make sure that the services start up automatically, restart the forwarder1, forwarder2, and test1 VM instances and then re-run the health checks.

How to delete the resources you created

To stop paying for the resources:

Previous
Migrating DNS zones from Yandex 360
Next
Configuring Cloud DNS for access to managed database clusters from other cloud networks