Integrating Cloud DNS and a corporate DNS service
If you have your own corporate networks connected to your Yandex Cloud internal networks via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name both in corporate and cloud networks.
You cannot delegate Yandex Cloud private zone DNS record management to your corporate DNS servers, because NS records in private zones are ignored. To ensure that domain names of private zone services and resources are resolved, configure separate DNS forwarders in your cloud subnets. A DNS forwarder is a DNS server that forwards requests it cannot resolve locally to an external DNS server. We recommend CoreDNS
Warning
Some DNS forwarders use their own settings to determine which DNS requests to resolve. In this case, specify only existing Cloud DNS zones in their settings. For example, you need to configure forwarding for records residing in the shared root (.) zone.
To set up DNS resolution for your corporate services and Yandex Cloud resources:
- Read an integration example description.
- Set up cloud DNS.
- Set up your corporate DNS servers.
- Test the service.
If you no longer need the resources you created, delete them.
Integration solution example
- The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.
- Each subnet hosts a DNS server:
  - 172.16.1.5: ns1.corp.example.net
  - 172.16.2.5: ns2.corp.example.net
  These servers manage the corp.example.net DNS zone.
- The Yandex Cloud network also consists of two subnets:
  - 172.16.3.0/24: subnet3 in the ru-central1-d availability zone.
  - 172.16.4.0/24: subnet4 in the ru-central1-b availability zone.
  These subnets host the 172.16.3.2 and 172.16.4.2 Yandex Cloud DNS servers. These servers manage the private DNS zones in your cloud network.
- All corporate network subnets are accessible from the cloud network subnets, and vice versa.
Next, in your cloud network, you need to set up two DNS forwarders:
- 172.16.3.5: forwarder1.internal
- 172.16.4.5: forwarder2.internal
They will forward DNS requests as follows:
- corp.example.net zone requests will go to the 172.16.1.5 and 172.16.2.5 corporate DNS servers.
- The rest, i.e., root (.) zone requests, will go to the 172.16.3.2 and 172.16.4.2 Yandex Cloud internal DNS servers.
To ensure fault tolerance, DNS forwarders will be placed behind an internal Yandex Network Load Balancer routing DNS requests from both your cloud and your corporate network.
Getting started
- To install the DNS forwarders in subnet3 and subnet4, create a VM in each subnet from an Ubuntu 20.04 public image with the following settings:
  - Name: forwarder1 for the VM in subnet3, forwarder2 for the VM in subnet4.
  - Under Network settings:
    - Public IP address: No address
    - Internal IPv4 address: Select Manual and specify 172.16.3.5 for forwarder1 and 172.16.4.5 for forwarder2.
- To test the subnet4-hosted service from the internet, create another Ubuntu 20.04 VM with the following settings:
  - Name: test1
  - Under Network settings:
    - Public IP address: Auto
    - Internal IPv4 address: Auto
- Set up a NAT gateway providing internet access to subnet3 and subnet4, so you can download the required software on the VMs residing there.
Required paid resources
The infrastructure support costs include:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
- Fee for using a network load balancer (see Yandex Network Load Balancer pricing).
Set up cloud DNS
Set up DNS forwarders
CoreDNS
- Connect to the DNS forwarder VM from the test1 VM over SSH (the forwarders have no public IP address, so test1 acts as the jump host).
- Download the latest CoreDNS version from GitHub and install it:
    cd /var/tmp && wget <package_URL> -O - | tar -zxvf -
    sudo mv coredns /usr/local/sbin
- Create a CoreDNS configuration file. The corp.example.net block forwards corporate names to both corporate servers; the root (.) block forwards everything else to the Yandex Cloud DNS server of the forwarder's own subnet, and the health plugin serves the HTTP health check the load balancer will use.
  - forwarder1:
      sudo mkdir /etc/coredns
      sudo tee /etc/coredns/Corefile <<EOF
      corp.example.net {
          forward . 172.16.1.5 172.16.2.5
      }
      . {
          forward . 172.16.3.2
          health
      }
      EOF
  - forwarder2:
      sudo mkdir /etc/coredns
      sudo tee /etc/coredns/Corefile <<EOF
      corp.example.net {
          forward . 172.16.1.5 172.16.2.5
      }
      . {
          forward . 172.16.4.2
          health
      }
      EOF
- Enable running CoreDNS at boot:
    sudo tee /etc/systemd/system/coredns.service <<EOF
    [Unit]
    Description=CoreDNS
    After=network.target

    [Service]
    User=root
    ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
    StandardOutput=append:/var/log/coredns.log
    StandardError=append:/var/log/coredns.log
    RestartSec=5
    Restart=always

    [Install]
    WantedBy=multi-user.target
    EOF
    sudo systemctl enable --now coredns
- Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:
    sudo systemctl disable --now systemd-resolved
    sudo rm /etc/resolv.conf
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Unbound
- Connect to the DNS forwarder VM from the test1 VM over SSH.
- Install the unbound package:
    sudo apt update && sudo apt install --yes unbound
- Configure the DNS forwarder. module-config: "iterator" omits the validator module, so unsigned answers from the corporate and Yandex Cloud internal servers are accepted without DNSSEC validation; the access-control lines accept queries from the local host and from 172.16.0.0/21, which covers all four subnets in the example.
  - unbound.conf for forwarder1:
      sudo tee -a /etc/unbound/unbound.conf <<EOF
      server:
          module-config: "iterator"
          interface: 0.0.0.0
          access-control: 127.0.0.0/8 allow
          access-control: 172.16.0.0/21 allow
      forward-zone:
          name: "corp.example.net"
          forward-addr: 172.16.1.5
          forward-addr: 172.16.2.5
      forward-zone:
          name: "."
          forward-addr: 172.16.3.2
      EOF
  - unbound.conf for forwarder2:
      sudo tee -a /etc/unbound/unbound.conf <<EOF
      server:
          module-config: "iterator"
          interface: 0.0.0.0
          access-control: 127.0.0.0/8 allow
          access-control: 172.16.0.0/21 allow
      forward-zone:
          name: "corp.example.net"
          forward-addr: 172.16.1.5
          forward-addr: 172.16.2.5
      forward-zone:
          name: "."
          forward-addr: 172.16.4.2
      EOF
- Restart Unbound:
    sudo systemctl restart unbound
- Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:
    sudo systemctl disable --now systemd-resolved
    sudo rm /etc/resolv.conf
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
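Added example, not part of the tutorial: a small Python check that parses a forwarder's Corefile (the CoreDNS variant above) and verifies it follows the design of this integration: corp.example.net goes to both corporate servers, the root zone goes to the Yandex Cloud DNS server of the forwarder's own subnet (the .2 address, as in the example subnets), and the health plugin the load balancer check depends on is enabled. The Corefile text and addresses are the tutorial's; parse_corefile and check_forwarder are names chosen here.

```python
import ipaddress

# Constructed sample input: the forwarder1 Corefile from this tutorial.
COREFILE_FORWARDER1 = """
corp.example.net {
    forward . 172.16.1.5 172.16.2.5
}
. {
    forward . 172.16.3.2
    health
}
"""

CORP_ZONE = "corp.example.net"
CORP_DNS = {"172.16.1.5", "172.16.2.5"}  # ns1 and ns2 from the example


def parse_corefile(text):
    """Return ({zone: [upstream, ...]}, health_enabled).

    Only the shape used in this tutorial is handled: one 'zone { ... }' block
    per zone with a 'forward . <addrs>' line and an optional 'health' line.
    """
    zones, health, current = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            current = line[:-1].strip()
            zones[current] = []
        elif line == "}":
            current = None
        elif current is not None and line.startswith("forward "):
            zones[current] = line.split()[2:]  # drop 'forward' and the '.' selector
        elif current == "." and line == "health":
            health = True
    return zones, health


def check_forwarder(zones, health, forwarder_ip):
    """List deviations from the tutorial's design; an empty list means it matches."""
    problems = []
    if set(zones.get(CORP_ZONE, [])) != CORP_DNS:
        problems.append(f"{CORP_ZONE} must forward to both corporate servers")
    # In the example each cloud /24 has its Yandex Cloud DNS server at the .2 address,
    # so a forwarder must send root-zone queries to the DNS server of its own subnet.
    subnet = ipaddress.ip_network(f"{forwarder_ip}/24", strict=False)
    cloud_dns = str(subnet.network_address + 2)
    if zones.get(".") != [cloud_dns]:
        problems.append(f"'.' must forward to {cloud_dns}")
    if not health:
        problems.append("health plugin missing: the load balancer HTTP check on :8080/health fails")
    return problems
```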
Set up Network Load Balancer
Create an internal network load balancer with the following settings:
- Type: Internal
- Under Listeners:
  - Subnet: Select subnet3 from the list.
  - Protocol: UDP
  - Port: 53
  - Target port: 53
- Under Target groups:
  - Create a group including forwarder1 and forwarder2.
  - Under Health check, specify the following settings:
    - For CoreDNS:
      - Type: HTTP
      - Path: /health
      - Port: 8080
    - For Unbound:
      - Type: TCP
      - Port: 53
Once you create the load balancer, it will automatically receive an IP address within the subnet3 range.
Note
The internal network load balancer will not respond to DNS requests from the forwarders that make up its target group, i.e., forwarder1 and forwarder2. This is due to its implementation; for more information, see Network load balancer types. The forwarders do not depend on it: they resolve through nameserver 127.0.0.1, as configured above.
Set up DHCP
To ensure that your cloud network hosts automatically use your corporate DNS service, specify the following DHCP settings for subnet3 and subnet4:
- Domain name servers: Network load balancer IP address.
- Domain name: corp.example.net (optional).
Update the forwarder1, forwarder2, and test1 network settings by running the following command on each VM:
    sudo netplan apply
Once the network settings are updated, the cloud network hosts will use the load balancer instead of the Yandex Cloud DNS server.
Set up your corporate DNS servers
Configure your corporate DNS servers to forward Yandex Cloud private zone DNS queries to the load balancer IP address.
Test the service
- From the forwarder1, forwarder2, and test1 cloud hosts, check that corporate corp.example.net zone names are resolved:
    host ns1.corp.example.net
    ns1.corp.example.net has address 172.16.1.5
- From the forwarder1, forwarder2, and test1 cloud hosts, check that public domain names are resolved:
    host cisco.com
    cisco.com has address 72.163.4.185
    ...
- Check that internal Yandex Cloud domain names are resolved on your corporate DNS servers, ns1 and ns2:
    host ns.internal
    ns.internal has address 10.130.0.2
- To make sure the services run at boot, restart the forwarder1, forwarder2, and test1 VMs and repeat the checks.
How to delete the resources you created
To stop paying for the resources:
- Delete the VMs.
- If you reserved static public IP addresses for this tutorial, delete them.
- Delete the target groups.
- Delete the listeners.
- Delete the network load balancer.
- Delete the subnets.
- Delete the route table.
- Delete the NAT gateway.
- Delete the networks.