© 2025 Direct Cursus Technology L.L.C.
Integrating Cloud DNS and a corporate DNS service

Written by
Yandex Cloud
Updated at March 14, 2025
  • Integration solution example
  • Getting started
    • Required paid resources
  • Set up cloud DNS
    • Set up DNS forwarders
    • Set up Network Load Balancer
    • Set up DHCP
  • Set up your corporate DNS servers
  • Test the service
  • How to delete the resources you created

If you have your own corporate networks connected to your Yandex Cloud internal networks via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name both in corporate and cloud networks.

You cannot delegate Yandex Cloud private zone DNS record management to your corporate DNS servers, because NS records in private zones are ignored. To ensure that domain names of private zone services and resources are recognized, configure separate DNS forwarders in your cloud subnets. A DNS forwarder is a DNS server that forwards requests it cannot resolve locally to an external DNS server. We recommend CoreDNS or Unbound.

Warning

Some DNS forwarders use their own settings to determine which DNS requests to resolve. In this case, specify only existing Cloud DNS zones in their settings. For example, you need to configure forwarding for records residing in the shared root zone (.).

To set up DNS resolution for your corporate services and Yandex Cloud resources:

  1. Read an integration example description.
  2. Set up cloud DNS.
  3. Set up your corporate DNS servers.
  4. Test the service.

If you no longer need the resources you created, delete them.

Integration solution example

  1. The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.

  2. Each subnet hosts a DNS server:

    • 172.16.1.5: ns1.corp.example.net
    • 172.16.2.5: ns2.corp.example.net

    These servers manage the corp.example.net DNS zone.

  3. The Yandex Cloud network also consists of two subnets:

    • 172.16.3.0/24: subnet3 in the ru-central1-d availability zone.
    • 172.16.4.0/24: subnet4 in the ru-central1-b availability zone.

    These subnets host the Yandex Cloud DNS servers, 172.16.3.2 and 172.16.4.2.

    These servers manage private DNS zones in your cloud network.

  4. All corporate network subnets are accessible from the cloud network subnets, and vice versa.

Next, in your cloud network, you need to set up two DNS forwarders:

  • 172.16.3.5: forwarder1.internal
  • 172.16.4.5: forwarder2.internal

They will redirect DNS requests as follows:

  • corp.example.net zone requests will go to the 172.16.1.5 and 172.16.2.5 corporate DNS servers.
  • The rest, i.e., . zone requests, will go to the 172.16.3.2 and 172.16.4.2 Yandex Cloud internal DNS servers.

To ensure fault tolerance, DNS forwarders will be placed behind an internal Yandex Network Load Balancer routing DNS requests from both your cloud and your corporate network.

Getting started

  1. To install DNS forwarders in subnet3 and subnet4, create two VMs running the Ubuntu 20.04 public image with the following settings:

    • Name:
      • forwarder1: For the VM in subnet3.
      • forwarder2: For the VM in subnet4.
    • Under Network settings:
      • Public IP address: No address
      • Internal IPv4 address: Select Manual and specify:
        • 172.16.3.5 for forwarder1.
        • 172.16.4.5 for forwarder2.
  2. To test the subnet4-hosted service from the internet, create another Ubuntu 20.04 VM with the following settings:

    • Name: test1
    • Under Network settings:
      • Public IP address: Auto
      • Internal IPv4 address: Auto
  3. Set up a NAT gateway providing internet access to subnet3 and subnet4, so you can download required software on the VMs residing there.

Required paid resources

The infrastructure support costs include:

  • Fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
  • Fee for using a network load balancer (see Yandex Network Load Balancer pricing).

Set up cloud DNS

  1. Set up DNS forwarders.
  2. Set up the network load balancer.
  3. Set up DHCP.

Set up DNS forwarders

CoreDNS

  1. Connect to the DNS forwarder VM from the test1 VM over SSH.

  2. Download the latest CoreDNS version from GitHub and install it:

    cd /var/tmp && wget <package_URL> -O - | tar -zxvf -
    sudo mv coredns /usr/local/sbin
    
  3. Create a CoreDNS configuration file:

    • forwarder1:

      sudo mkdir /etc/coredns
      sudo tee -a /etc/coredns/Corefile <<EOF
      corp.example.net {
        forward . 172.16.1.5 172.16.2.5
      }
      . {
        forward . 172.16.3.2
        health
      }
      EOF
      
    • forwarder2:

      sudo mkdir /etc/coredns
      sudo tee -a /etc/coredns/Corefile <<EOF
      corp.example.net {
        forward . 172.16.1.5 172.16.2.5
      }
      . {
        forward . 172.16.4.2
        health
      }
      EOF
      
  4. Enable running CoreDNS at boot:

    sudo tee -a /etc/systemd/system/coredns.service <<EOF
    [Unit]
    Description=CoreDNS
    After=network.target
    
    [Service]
    User=root
    ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
    StandardOutput=append:/var/log/coredns.log
    StandardError=append:/var/log/coredns.log
    RestartSec=5
    Restart=always
    
    [Install]
    WantedBy=multi-user.target
    EOF
    sudo systemctl enable --now coredns
    
  5. Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:

    sudo systemctl disable --now systemd-resolved
    sudo rm /etc/resolv.conf
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
    
Unbound

  1. Connect to the DNS forwarder VM from the test1 VM over SSH.

  2. Install the unbound package:

    sudo apt update && sudo apt install --yes unbound
    
  3. Configure and restart the DNS forwarder:

    unbound.conf for forwarder1:
    sudo tee -a /etc/unbound/unbound.conf <<EOF
    server:
      module-config: "iterator"
      interface: 0.0.0.0
      access-control: 127.0.0.0/8   allow
      access-control: 172.16.0.0/21 allow
    
    forward-zone:
      name: "corp.example.net"
      forward-addr: 172.16.1.5
      forward-addr: 172.16.2.5
    
    forward-zone:
      name: "."
      forward-addr: 172.16.3.2
    EOF
    
    unbound.conf for forwarder2:
    sudo tee -a /etc/unbound/unbound.conf <<EOF
    server:
      module-config: "iterator"
      interface: 0.0.0.0
      access-control: 127.0.0.0/8   allow
      access-control: 172.16.0.0/21 allow
    
    forward-zone:
      name: "corp.example.net"
      forward-addr: 172.16.1.5
      forward-addr: 172.16.2.5
    
    forward-zone:
      name: "."
      forward-addr: 172.16.4.2
    EOF
    
  4. Restart Unbound:

    sudo systemctl restart unbound
    
  5. Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:

    sudo systemctl disable --now systemd-resolved
    sudo rm /etc/resolv.conf
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
    

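As an added example, not part of the Yandex Cloud tutorial or of Unbound itself, the following Python script models how the forwarder1 Unbound configuration above handles a query: whether the client is admitted by access-control (most specific netblock wins, no match means refuse), and which forward-zone upstreams receive the query (longest suffix match, everything else going to the "." zone and on to the cloud DNS server). The configuration text is embedded as a constructed copy of the fragment above; the function names are this example's own.

```python
import ipaddress

# Constructed copy of the forwarder1 unbound.conf fragment from this tutorial.
UNBOUND_CONF = """\
server:
  module-config: "iterator"
  interface: 0.0.0.0
  access-control: 127.0.0.0/8   allow
  access-control: 172.16.0.0/21 allow
forward-zone:
  name: "corp.example.net"
  forward-addr: 172.16.1.5
  forward-addr: 172.16.2.5
forward-zone:
  name: "."
  forward-addr: 172.16.3.2
"""


def parse_unbound(conf):
    """Return (acl, zones): acl = [(network, action)], zones = {name: [addr]}; root "." is stored as ""."""
    acl, zones, zone = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("name:"):
            zone = line.split(":", 1)[1].strip().strip('"').rstrip(".").lower()
            zones.setdefault(zone, [])
        elif line.startswith("forward-addr:") and zone is not None:
            zones[zone].append(line.split(":", 1)[1].strip())
        elif line.startswith("access-control:"):
            net, action = line.split(":", 1)[1].split()
            acl.append((ipaddress.ip_network(net), action))
    return acl, zones


def client_allowed(acl, client_ip):
    """Most specific matching access-control entry wins; no match means the query is refused."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net, act) for net, act in acl if ip in net]
    return bool(hits) and max(hits, key=lambda h: h[0].prefixlen)[1] == "allow"


def upstreams_for(zones, qname):
    """Longest-suffix match of the query name against forward-zone names; fall back to the "." zone."""
    labels = qname.rstrip(".").lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((zones[s] for s in suffixes if s in zones), zones.get("", []))


def route(conf, client_ip, qname):
    """Upstream list the forwarder sends the query to, or "REFUSED" if the client is not allowed."""
    acl, zones = parse_unbound(conf)
    return upstreams_for(zones, qname) if client_allowed(acl, client_ip) else "REFUSED"
```

The 172.16.8.1 case in the checks illustrates the /21 boundary: a client outside 172.16.0.0 to 172.16.7.255 is refused even though it is in 172.16.0.0/16.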
Set up Network Load Balancer

Create an internal network load balancer with the following settings:

Note

By default, the network load balancer does not process UDP traffic. To enable UDP traffic, contact our support. You can learn more here.

  • Type: Internal

  • Under Listeners:

    • Subnet: Select subnet3 from the list.
    • Protocol: UDP
    • Port: 53
    • Target port: 53
  • Under Target groups:

    • Create a group including forwarder1 and forwarder2.

    • Under Health check, specify the following settings:

      • CoreDNS:
        • Type: HTTP
        • Path: /health
        • Port: 8080
      • Unbound:
        • Type: TCP
        • Port: 53

Once you create a load balancer, it will automatically receive an IP address within the subnet3 range.

Note

The internal network load balancer will not respond to DNS requests from forwarders that make up its target group, i.e., forwarder1 and forwarder2. This is due to its implementation. For more information, see Network load balancer types.

Set up DHCP

To ensure that your cloud network hosts automatically use your corporate DNS service, specify the following DHCP settings for subnet3 and subnet4:

  1. Domain name servers: Network load balancer IP address.
  2. Domain name: corp.example.net (optional).

Update forwarder1, forwarder2, and test1 network settings by running the following command:

sudo netplan apply

Once the network settings are updated, the cloud network hosts will use the load balancer instead of the Yandex Cloud DNS server.

Set up your corporate DNS servers

Configure your corporate DNS servers to forward Yandex Cloud private zone DNS queries to the load balancer IP address.

Test the service

  1. From forwarder1, forwarder2, and test1 cloud hosts, check that corp.example.net private zone domain names are resolved:

    host ns1.corp.example.net
    ns1.corp.example.net has address 172.16.1.5
    
  2. From forwarder1, forwarder2, and test1 cloud hosts, check that public domain names are resolved:

    host cisco.com
    cisco.com has address 72.163.4.185
    ...
    
  3. Check that internal Yandex Cloud domain names are resolved on your corporate DNS servers, ns1 and ns2:

    host ns.internal
    ns.internal has address 10.130.0.2
    
  4. To make sure the services run at boot, restart the forwarder1, forwarder2, and test1 VMs and repeat the checks.

How to delete the resources you created

To stop paying for the resources:

  • Delete the VM.
  • If you reserved static public IP addresses for this tutorial, delete them.
  • Delete the target groups.
  • Delete the listeners.
  • Delete the network load balancer.
  • Delete the subnets.
  • Delete the route table.
  • Delete the NAT gateway.
  • Delete the networks.
