Integrating Cloud DNS and a corporate DNS service

Written by

Updated at March 14, 2025

Integration solution example
Getting started
- Required paid resources
Set up cloud DNS
Set up your corporate DNS servers
Test the service
How to delete the resources you created

If you have your own corporate networks connected to your Yandex Cloud internal networks via Yandex Cloud Interconnect, you can integrate your corporate DNS with Cloud DNS. This will allow you to access resources and services by name both in corporate and cloud networks.

You cannot delegate Yandex Cloud private zone DNS record management to your corporate DNS servers, because private zone NS records are ignored. To ensure that domain names of private zone services and resources are recognized, configure separate DNS forwarders in your cloud subnets. DNS forwarder is a DNS server forwarding requests that cannot be resolved locally to an external DNS server. We recommend CoreDNS or Unbound.

Warning

Some DNS forwarders use their own settings to determine which DNS requests to resolve. In this case, you should specify only existing Cloud DNS zones in their settings. For example, you need to configure redirects for records residing in a shared . zone.

To set up DNS resolution for your corporate services and Yandex Cloud resources:

If you no longer need the resources you created, delete them.

Integration solution example

The corporate network consists of two subnets: 172.16.1.0/24 and 172.16.2.0/24.
Each subnet hosts a DNS server:
- 172.16.1.5: ns1.corp.example.net
- 172.16.2.5: ns2.corp.example.net
These servers manage the corp.example.net DNS zone.
The Yandex Cloud network also consists of two subnets:
- 172.16.3.0/24: subnet3 in the ru-central1-d availability zone.
- 172.16.4.0/24: subnet4 in the ru-central1-b availability zone.
These subnets host 172.16.3.2 and 172.16.4.2 Yandex Cloud DNS servers.

These servers manage private DNS zones in your cloud network.
All corporate network subnets are accessible from the cloud network subnets, and vice versa.

Next, in your cloud network, you need to set up two DNS forwarders:

172.16.3.5: forwarder1.internal
172.16.4.5: forwarder2.internal

They will redirect DNS requests as follows:

corp.example.net zone requests will go to the 172.16.1.5 and 172.16.2.5 corporate DNS servers.
The rest, i.e., . zone requests, will go to the 172.16.3.2 and 172.16.4.2 Yandex Cloud internal DNS servers.

To ensure fault tolerance, DNS forwarders will be placed behind an internal Yandex Network Load Balancer routing DNS requests from both your cloud and your corporate network.

Getting started

To install DNS forwarders in subnet3 and subnet4, create a VM running an Ubuntu 20.04 public image with the following settings:
- Name:
  - forwarder1: For the VM in subnet3.
  - forwarder2: For the VM in subnet4.
- Under Network settings:
  - Public IP address: No address
  - Internal IPv4 address: Select Manual and specify:
    - 172.16.3.5 for forwarder1.
    - 172.16.4.5 for forwarder2.
To test the subnet4-hosted service from the internet, create another Ubuntu 20.04 VM with the following settings:
- Name: test1
- Under Network settings:
  - Public IP address: Auto
  - Internal IPv4 address: Auto
Set up a NAT gateway providing internet access to subnet3 and subnet4, so you can download required software on the VMs residing there.

Required paid resources

The infrastructure support costs include:

Fee for a continuously running VM (see Yandex Compute Cloud pricing).
Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
Fee for using a network load balancer (see Yandex Network Load Balancer pricing).

Set up cloud DNS

Set up DNS forwarders

CoreDNS

Unbound

Connect to the DNS forwarder VM from the test1 VM over SSH.

Download the latest CoreDNS version from GitHub and install it:

cd /var/tmp && wget <package_URL> -O - | tar -zxvf
sudo mv coredns /usr/local/sbin

Create a CoreDNS configuration file:

forwarder1:

sudo mkdir /etc/coredns
sudo tee >> /etc/coredns/Corefile <<EOF
corp.example.net {
  forward . 172.16.1.5 172.16.2.5
}
. {
  forward . 172.16.3.2
  health
}
EOF

forwarder2:

sudo mkdir /etc/coredns
sudo tee >> /etc/coredns/Corefile <<EOF
corp.example.net {
  forward . 172.16.1.5 172.16.2.5
}
. {
  forward . 172.16.4.2
  health
}
EOF

Enable running CoreDNS at boot:

sudo tee >> /etc/systemd/system/coredns.service <<EOF
[Unit]
Description=CoreDNS
After=network.target

[Service]
User=root
ExecStart=/usr/local/sbin/coredns -conf /etc/coredns/Corefile
StandardOutput=append:/var/log/coredns.log
StandardError=append:/var/log/coredns.log
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now coredns

Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:

sudo systemctl disable --now systemd-resolved
rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Connect to the DNS forwarder VM from the test1 VM over SSH.

Install the unbound package:

sudo apt update && sudo apt install --yes unbound

Configure and restart the DNS forwarder:

unbound.conf for forwarder1

sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
  module-config: "iterator"
  interface: 0.0.0.0
  access-control: 127.0.0.0/8   allow
  access-control: 172.16.0.0/21 allow

forward-zone:
  name: "corp.example.net"
  forward-addr: 172.16.1.5
  forward-addr: 172.16.2.5

forward-zone:
  name: "."
  forward-addr: 172.16.3.2
EOF

unbound.conf for forwarder2

sudo tee -a /etc/unbound/unbound.conf <<EOF
server:
  module-config: "iterator"
  interface: 0.0.0.0
  access-control: 127.0.0.0/8   allow
  access-control: 172.16.0.0/21 allow

forward-zone:
  name: "corp.example.net"
  forward-addr: 172.16.1.5
  forward-addr: 172.16.2.5

forward-zone:
  name: "."
  forward-addr: 172.16.4.2
EOF

Restart Unbound:
```
sudo systemctl restart unbound
```

Disable system DNS resolution to delegate it to the local DNS forwarder by running the following commands:

sudo systemctl disable --now systemd-resolved
rm /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Set up Network Load Balancer

Create an internal network load balancer with the following settings:

Note

By default, the network load balancer does not process UDP traffic. To enable UDP traffic, contact our support. You can learn more here.

Type: Internal
Under Listeners:
- Subnet: Select subnet3 from the list.
- Protocol: UDP
- Port: 53
- Target port: 53
Under Target groups:
- Create a group including forwarder1 and forwarder2.
- Under Health check, specify the following settings:
  CoreDNS
  
  Unbound
  - Type: HTTP
  - Path: /health
  - Port: 8080
  - Type: TCP
  - Port: 53

Once you create a load balancer, it will automatically receive an IP address within the subnet3 range.

Note

The internal network load balancer will not respond to DNS requests from forwarders that make up its target group, i.e., forwarder1 and forwarder2. This is due to its implementation. For more information, see Network load balancer types.

Set up DHCP

To ensure that your cloud network hosts automatically use your corporate DNS service, specify the following DHCP settings for subnet3 and subnet4:

Domain name servers: Network load balancer IP address.
Domain name: corp.example.net (optional).

Update forwarder1, forwarder2, and test1 network settings by running the following command:

sudo netplan apply

Once the network settings are updated, the cloud network hosts will use the load balancer instead of the Yandex Cloud DNS server.

Set up your corporate DNS servers

Configure your corporate DNS servers to forward Yandex Cloud private zone DNS queries to the load balancer IP address.

Test the service

From forwarder1, forwarder2, and test1 cloud hosts, check that corp.example.net private zone domain names are resolved:
```
host ns1.corp.example.net
ns1.corp.example.net has address 172.16.1.5
```
From forwarder1, forwarder2, and test1 cloud hosts, check that public domain names are resolved:
```
host cisco.com
cisco.com has address 72.163.4.185
...
```
Check that internal Yandex Cloud domain names are resolved on your corporate DNS servers, ns1 and ns2:
```
host ns.internal
ns.internal has address 10.130.0.2
```
To make sure the services run at boot, restart the forwarder1, forwarder2, and test1 VMs and repeat the checks.

How to delete the resources you created

To stop paying for the resources:

Delete the VM.
If you reserved static public IP addresses for this tutorial, delete them.
Delete the target groups.
Delete the listeners.
Delete the network load balancer.
Delete the subnets.
Delete the route table.
Delete the NAT gateway.
Delete the networks.

Integrating Cloud DNS and a corporate DNS service

Integration solution exampleIntegration solution example

Getting startedGetting started

Required paid resourcesRequired paid resources

Set up cloud DNSSet up cloud DNS

Set up DNS forwardersSet up DNS forwarders

Set up Network Load BalancerSet up Network Load Balancer

Set up DHCPSet up DHCP

Set up your corporate DNS serversSet up your corporate DNS servers

Test the serviceTest the service

How to delete the resources you createdHow to delete the resources you created

Was the article helpful?