Integrating Cloud DNS and a corporate DNS service
If you have your own corporate networks connected to internal networks in your Yandex Cloud cloud via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name, regardless of their location, both in corporate and cloud networks.
You cannot delegate DNS record management in private zones in Yandex Cloud to your DNS servers in the corporate network, because NS records are ignored for private DNS zones. To ensure name resolution for cloud network services and resources in private zones, configure separate DNS forwarders in your cloud subnets. DNS forwarders are DNS servers that redirect requests to different upstream servers depending on the name specified in the request. We recommend CoreDNS or Unbound; both setups are described below.
Warning
Some DNS forwarders map the location of zones in Cloud DNS to their own settings when validating responses. In this case, specify only existing Cloud DNS zones in the settings. For example, if the records reside in the shared zone "." (the root zone), configure redirects for that zone.
To set up name resolution for corporate services and resources in Yandex Cloud cloud networks:
- Read an integration example description.
- Set up cloud DNS.
- Set up corporate DNS servers.
- Test the service.
If you no longer need the resources you created, delete them.
Integration example
- The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.
- Each subnet has one DNS server:
  - 172.16.1.5: ns1.corp.example.net
  - 172.16.2.5: ns2.corp.example.net
  These servers serve the corp.example.net DNS zone.
- The Yandex Cloud cloud network also consists of two subnets:
  - 172.16.3.0/24: subnet3, availability zone ru-central1-d.
  - 172.16.4.0/24: subnet4, availability zone ru-central1-b.
  These subnets host the Yandex Cloud DNS servers 172.16.3.2 and 172.16.4.2. These servers serve the cloud network's private DNS zones.
- The corporate and cloud networks are interconnected so that all subnets of one network are accessible from subnets of the other network, and vice versa.
Next, you need to set up two DNS forwarders in the cloud network:
- 172.16.3.5: forwarder1.internal
- 172.16.4.5: forwarder2.internal
They will redirect DNS requests as follows:
- Requests to the corp.example.net zone go to the corporate DNS servers 172.16.1.5 and 172.16.2.5.
- All other requests (to the "." zone) go to the internal Yandex Cloud DNS server of the forwarder's own subnet: 172.16.3.2 for forwarder1 and 172.16.4.2 for forwarder2.
To ensure fault tolerance for the DNS forwarders, they will be placed behind an internal Yandex Network Load Balancer. All requests to the DNS forwarders (both from the cloud network and from the corporate network) will pass through this load balancer.
Getting started
- To install DNS forwarders in each cloud subnet, subnet3 and subnet4, create a VM from an Ubuntu 20.04 public image with the following parameters:
  - Name: forwarder1 for the VM in subnet3, forwarder2 for the VM in subnet4.
  - Under Network settings:
    - Public IP: No address.
    - Internal IPv4 address: Select Manual and specify 172.16.3.5 for forwarder1 and 172.16.4.5 for forwarder2.
- To connect from the internet and check the service in subnet4, create another VM instance from the Ubuntu 20.04 public image with the following parameters:
  - Name: test1.
  - Under Network settings:
    - Public IP: Auto.
    - Internal IPv4 address: Auto.
- To install software from the internet in subnet3 and subnet4, set up a NAT gateway.
Required paid resources
The infrastructure support costs include:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Set up cloud DNS
Set up DNS forwarders
Choose one of the two forwarder implementations below, CoreDNS or Unbound, and repeat the steps on both forwarder1 and forwarder2.
CoreDNS
- Connect to the VM on which you will install the DNS forwarder via the test1 intermediate VM.
- Download the current CoreDNS version from the vendor's page and install it:
cd /var/tmp && wget <package_URL> -O - | tar -zxvf -
sudo mv coredns /usr/local/sbin
- Create a configuration file for CoreDNS:
  - forwarder1:
sudo mkdir /etc/coredns
sudo tee /etc/coredns/Corefile <<EOF
corp.example.net {
    forward . 172.16.1.5 172.16.2.5
}
. {
    forward . 172.16.3.2
    health
}
EOF
  - forwarder2:
sudo mkdir /etc/coredns
sudo tee /etc/coredns/Corefile <<EOF
corp.example.net {
    forward . 172.16.1.5 172.16.2.5
}
. {
    forward . 172.16.4.2
    health
}
EOF
- Enable automatic startup for CoreDNS:
sudo tee /etc/systemd/system/coredns.service <<EOF
[Unit]
Description=CoreDNS
After=network.target

[Service]
User=root
ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
StandardOutput=append:/var/log/coredns.log
StandardError=append:/var/log/coredns.log
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now coredns
- Disable the system DNS resolution service to delegate its function to the local DNS forwarder. In Ubuntu 20.04, this can be done with the commands:
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Unbound
- Connect to the VM of the DNS forwarder via the test1 intermediate VM.
- Install the unbound package:
sudo apt update && sudo apt install --yes unbound
- Set up the DNS forwarder:
unbound.conf for forwarder1:
sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
    module-config: "iterator"
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/21 allow
forward-zone:
    name: "corp.example.net"
    forward-addr: 172.16.1.5
    forward-addr: 172.16.2.5
forward-zone:
    name: "."
    forward-addr: 172.16.3.2
EOF
unbound.conf for forwarder2:
sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
    module-config: "iterator"
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/21 allow
forward-zone:
    name: "corp.example.net"
    forward-addr: 172.16.1.5
    forward-addr: 172.16.2.5
forward-zone:
    name: "."
    forward-addr: 172.16.4.2
EOF
- Restart Unbound:
sudo systemctl restart unbound
- Disable the system DNS resolution service to delegate its function to the local DNS forwarder. In Ubuntu 20.04, this can be done with the commands:
sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Set up the Yandex Network Load Balancer
Create an internal network load balancer with the following parameters:
- Type: Internal.
- Under Listeners:
  - Subnet: Select subnet3 from the list.
  - Protocol: UDP.
  - Port: 53.
  - Target port: 53.
- Under Target groups:
  - Create a group consisting of the forwarder1 and forwarder2 hosts.
  - Under Health check, specify the parameters that match the forwarder implementation you installed:
    - CoreDNS: Type: HTTP; Path: /health; Port: 8080.
    - Unbound: Type: TCP; Port: 53.
When you create a load balancer, it will automatically get an IP address from subnet3.
Note
The internal network load balancer will not respond to DNS requests from the forwarders that make up its target group, i.e., forwarder1 and forwarder2. This has to do with its implementation. For more information, see Network load balancer types.
Set up DHCP
For your cloud network hosts to automatically use the corporate DNS service, specify the following in the DHCP settings for subnet3 and subnet4:
- Domain name servers: IP address that was assigned to the load balancer.
- (Optional) Domain name: corp.example.net.
To update the network settings on the forwarder1, forwarder2, and test1 hosts, run the following command:
sudo netplan apply
Once the network settings are updated, the hosts in the cloud network will use the load balancer instead of the Yandex Cloud DNS server.
Set up corporate DNS servers
Configure the corporate servers so that DNS queries to the Yandex Cloud private zones are forwarded to the IP address that was assigned to the load balancer.
Test the service
- Check that domain names in the corp.example.net private zone are resolved on the cloud hosts forwarder1, forwarder2, and test1:
host ns1.corp.example.net
ns1.corp.example.net has address 172.16.1.5
- Check that domain names in public zones are resolved on the cloud hosts forwarder1, forwarder2, and test1, for example:
host cisco.com
cisco.com has address 72.163.4.185
...
- Check that internal Yandex Cloud names are resolved on the corporate DNS servers ns1 and ns2, for example:
host ns.internal
ns.internal has address 10.130.0.2
- To make sure that the services start up automatically, restart the forwarder1, forwarder2, and test1 VMs and repeat the checks.
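The following check script is an added example, not part of the Yandex Cloud tutorial. It does what the host commands above do, but explicitly against each forwarder and then the load balancer, so a forwarder that silently fails behind the balancer is noticed: it builds a DNS A query with the standard library only, sends it over UDP to port 53, and parses the answer, rejecting a reply whose transaction id does not match the query. Run it from test1 (the forwarders cannot query the balancer, as noted above); the balancer address LB_IP is a placeholder, and the forwarder addresses and names follow the example network of this tutorial.

```python
import socket
import struct
LB_IP = "172.16.3.10"  # placeholder: replace with the address assigned to your load balancer
FORWARDERS = ("172.16.3.5", "172.16.4.5")  # forwarder1 and forwarder2 from the tutorial

def build_query(name, txid=0x1234):
    """Build a DNS A/IN query with the RD bit set (fixed txid keeps the check reproducible)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += length + 1

def parse_a_records(msg, txid=0x1234):
    """Return (rcode, [IPv4 strings]) from a response whose id matches our query."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def resolve(name, server, timeout=2.0):
    """Send one UDP query to server:53 and return (rcode, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

if __name__ == "__main__":
    for server in FORWARDERS + (LB_IP,):
        for name in ("ns1.corp.example.net", "ns.internal"):
            print(server, name, resolve(name, server))
```

An rcode of 0 with the expected address on every server means both forwarders and the balancer path work; a timeout from one forwarder but not the balancer points at that forwarder or its health check.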
How to delete the resources you created
To stop paying for the resources:
- Delete the VM.
- Delete the static public IP addresses if you reserved them specifically for your VMs.
- Delete the target groups.
- Delete the listeners.
- Delete the network load balancer.
- Delete the subnets.
- Delete the route table.
- Delete the NAT gateway.
- Delete the networks.