Private DNS

This topic describes how to create and manage private Domain Name System (DNS) zones. Private DNS allows you to use your own private DNS domain names and fully manage the associated zones and records to provide hostname resolution for your applications running within and between virtual cloud networks (VCNs), as well as your on-premises or other private network. Private DNS also provides DNS resolution across networks (for example, another VCN within the same region, cross region, or external network). Private DNS can be managed in the Oracle Cloud Infrastructure (OCI) DNS API and Console.

Overview of Private DNS

  • Private DNS Zones: Private DNS zones contain DNS data only accessible from within a virtual cloud network (VCN), such as private IP addresses. A private DNS zone has similar capabilities to an internet DNS zone, but provides responses only for clients that can reach it through a VCN. Private DNS allows you to duplicate zones across multiple VCNs. A full or partial domain tree can be created. It also supports split-horizon DNS which allows you to use the same domain name for public and private zones. Different answers can be served for public queries versus private queries from within your VCN.

  • Private DNS Views: A private DNS view is a collection of private zones. You can reference private views from a resolver to manage how DNS queries are answered. A zone can only belong to a single view. The same zone name can be used in multiple views, but each zone will have a unique OCID (Oracle Cloud Identifier) to differentiate. You can use those views to create DNS resolvers configured to handle DNS queries from your VCNs. Any given view can be used by an arbitrary number of resolvers, allowing you to share private DNS data across VCNs.
  • Private DNS Resolver: A private DNS resolver provides responses to DNS queries. It answers by checking each customer-referenced view in order, then the default view, then each rule in order, and finally internet DNS. The first item in that sequence able to provide an answer does so, and later items are not checked. This is true even for a negative answer: for example, if a query name is covered by a zone in a private view and the name does not exist in that zone, the zone returns an authoritative NXDOMAIN response and no later view, rule, or internet DNS is consulted. Rules let you define the logic for how queries are answered. The resolver listens on 169.254.169.254 by default, but also lets you define endpoints for listening for queries and for forwarding them to resolvers in other VCNs, a customer's on-premises network, or another private network. IPv6 is not supported for listening or forwarding endpoints. Multiple views can be resolved within a VCN; you can specify an ordered list of views within a resolver. For more information, see Private DNS resolvers.

Use Cases

Custom DNS Zones Within a VCN

Private DNS zones are grouped into "views". All VCN dedicated resolvers have a default view which is created automatically. To create a custom DNS zone that resolves from within a VCN, either create the private zone in the dedicated resolver's default view, or create the zone in a new view and add it to the dedicated resolver's list of attached views. See Help Center/Configure private DNS zones views and resolvers for a detailed guide on how to set this up.

Split Horizon

Create private zones with the same names as public names on the Internet. Then, add the zones to one of the VCN dedicated resolver's views. Within the VCN, the names resolve based on the private DNS configuration. The same names serve different answers depending on where the request originates.

Shared Private DNS Zones Within a Region

VCNs within the same region can resolve requests from each other's private views. For example, let's say you want to implement this solution with VCN A and VCN B. Add VCN A's dedicated resolver's default view to VCN B's dedicated resolver's attached views. Then, add VCN B's dedicated resolver's default view to VCN A's dedicated resolver's attached views.

The same private zone or collection of private zones can be reused across multiple VCNs. This solution can reduce DNS configuration duplication. Create a view and add one or more private zones to the view. For each VCN, add the new view to the VCN's dedicated resolver's list of attached views. See Help Center/Configure private DNS zones views and resolvers for a detailed guide on how to set this up.

DNS Resolution Between VCNs

Send requests between VCNs using resolver endpoints. The VCNs can exist in different regions. This solution requires either a local or remote peering gateway (LPG/RPG). To send traffic from VCN A to VCN B, add a listening endpoint to VCN B's dedicated resolver. Then, add a forwarding endpoint to VCN A's dedicated resolver. Create a rule on VCN A's dedicated resolver that forwards traffic through VCN A's forwarding endpoint to the address of VCN B's listening endpoint. To send traffic in both directions between the VCNs, add a forwarding and listening resolver endpoint to each dedicated resolver and add a rule on each dedicated resolver. See A-Team Chronicles/Private DNS Implementation for a detailed guide on how to set this up.

Connectivity Between a VCN And On-Premises Name Servers

Requests can be sent between a VCN and on-premises name servers in either direction. This solution requires connectivity between the VCN and the on-premises network using either FastConnect or an IPSec tunnel (IPSec VPN). To send traffic to a VCN, add a listening endpoint to its dedicated resolver and send traffic to its address. To send traffic from a VCN, add a forwarding endpoint to its dedicated resolver and a rule that forwards traffic through the endpoint to the address of the on-premises name server. See A-Team Chronicles/Private DNS Implementation for a detailed guide on how to set this up.

Advanced Use Cases

VCNs can be set up for more than one use case. A single VCN could be both peered with another VCN, and configured to connect to an on-premises name server. Forwarding can also be chained across multiple VCNs.
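The resolver answer order from the overview (attached views in order, then the default view, then rules, then internet DNS, with an authoritative NXDOMAIN stopping the search) and the between-VCN forwarding from the use cases, as an added Python model that is not OCI code. All zone names, views, resolver names and addresses are constructed sample data; the Rule class stands in for a forwarding endpoint sending to another resolver's listening endpoint.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

@dataclass
class Zone:
    name: str                                    # apex, e.g. "example.com."
    records: dict = field(default_factory=dict)  # owner name -> RDATA

    def covers(self, qname):
        return qname == self.name or qname.endswith("." + self.name)

    def lookup(self, qname):
        # Authoritative: a covered name with no record is a negative answer.
        return self.records.get(qname, NXDOMAIN)

@dataclass
class View:
    name: str
    zones: list

@dataclass
class Rule:
    # Forwarding rule: queries at or under `domain` go to another resolver,
    # standing in for a forwarding endpoint -> listening endpoint pair.
    domain: str
    target: "Resolver"

@dataclass
class Resolver:
    name: str
    default_view: View
    attached_views: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    internet: dict = field(default_factory=dict)  # stand-in for public DNS

    def resolve(self, qname, hops=0):
        """Return (answer, source). The first item able to answer wins."""
        if hops > 8:  # guard against chained forwarding that loops back
            return NXDOMAIN, "loop-guard"
        for view in [*self.attached_views, self.default_view]:
            for zone in view.zones:
                if zone.covers(qname):
                    return zone.lookup(qname), f"view:{view.name}"
        for rule in self.rules:
            if qname == rule.domain or qname.endswith("." + rule.domain):
                answer, src = rule.target.resolve(qname, hops + 1)
                return answer, f"rule->{rule.target.name}/{src}"
        return self.internet.get(qname, NXDOMAIN), "internet"

def build_demo():
    """VCN A and VCN B wired as in 'DNS Resolution Between VCNs' (constructed data)."""
    public = {"www.example.com.": "203.0.113.10", "api.example.com.": "203.0.113.20"}
    split = Zone("example.com.", {"www.example.com.": "10.0.0.10"})  # split horizon
    zone_b = Zone("b.corp.example.", {"db.b.corp.example.": "10.1.0.5"})
    vcn_b = Resolver("vcn-b", View("b-default", [zone_b]), internet=public)
    vcn_a = Resolver("vcn-a", View("a-default", [split]), internet=public)
    vcn_a.rules.append(Rule("b.corp.example.", vcn_b))  # forward to B's listener
    return vcn_a, vcn_b

if __name__ == "__main__":
    a, _ = build_demo()
    for q in ("www.example.com.", "api.example.com.", "db.b.corp.example."):
        print(q, "->", a.resolve(q))
```

Note that api.example.com. exists on the internet but VCN A answers NXDOMAIN for it, because the split-horizon zone covers the name; a private zone that shadows a public domain must carry every name the VCN needs.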

Supported Resource Records

The Oracle Cloud Infrastructure DNS service supports many resource record types. The following list provides a brief explanation of the purpose of each supported record type for private DNS. For public DNS, see Public DNS Supported Resource Records. Avoid entering confidential information when entering record data. The RFC links direct you to further information about the record types and data structure.

Note About RDATA

Oracle Cloud Infrastructure normalizes all RDATA into its most machine-readable form. The returned presentation of your RDATA may therefore differ from what you entered.

Example:

The RDATA for the CNAME, DNAME, and MX record types may contain one or more absolute domain names. If the specified RDATA for one of these record types does not end in a dot (period) representing the root, the dot is added.

www.example.com --> www.example.com.

You can use various DNS libraries to normalize your RDATA before input.

Programming Language    Library
Go                      DNS Library in Go
Java                    dnsjava
Python                  dnspython
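The trailing-dot rule described above, as an added stdlib-only Python normalizer (not OCI code and not one of the libraries listed). It applies the rule to CNAME, DNAME and MX RDATA before input, rejects an MX exchange given as an IP address as the record list below requires, and lets you compare what you submitted with the normalized presentation the service returns without flagging an added root dot as drift. The sample records are constructed.

```python
import ipaddress

ABSOLUTE_NAME_TYPES = {"CNAME", "DNAME", "MX"}   # RDATA holds absolute names

def fqdn(name):
    """Return name as an absolute domain name: add the root dot if absent."""
    name = name.strip()
    if not name:
        raise ValueError("empty domain name")
    return name if name.endswith(".") else name + "."

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False

def normalize_rdata(rtype, rdata):
    """Apply the trailing-dot rule to CNAME, DNAME and MX RDATA.

    CNAME and DNAME RDATA are one domain name; MX RDATA is
    "<preference> <exchange>". Other types are returned stripped but
    otherwise unchanged (the service may normalize them further).
    """
    rtype = rtype.upper()
    rdata = rdata.strip()
    if rtype not in ABSOLUTE_NAME_TYPES:
        return rdata
    if rtype != "MX":
        return fqdn(rdata)
    parts = rdata.split()
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"MX RDATA must be '<preference> <exchange>': {rdata!r}")
    if is_ip_literal(parts[1]):
        raise ValueError("MX exchange must be a hostname, not an IP address")
    return f"{int(parts[0])} {fqdn(parts[1])}"

def is_valid_rdata(rtype, rdata):
    """True when normalize_rdata accepts the RDATA."""
    try:
        normalize_rdata(rtype, rdata)
        return True
    except ValueError:
        return False

def matches_service(rtype, submitted, returned):
    """Compare submitted RDATA with the service's normalized presentation,
    normalizing both sides so an added root dot is not reported as drift."""
    return normalize_rdata(rtype, submitted) == normalize_rdata(rtype, returned)

if __name__ == "__main__":
    # Constructed sample records: (type, RDATA as typed, RDATA as returned)
    samples = [
        ("CNAME", "www.example.com", "www.example.com."),
        ("MX", "10 mail.example.com", "10 mail.example.com."),
        ("DNAME", "old.example.com.", "old.example.com."),
    ]
    for rtype, sent, got in samples:
        print(rtype, normalize_rdata(rtype, sent), matches_service(rtype, sent, got))
```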

Private DNS Resource Record Types

A
An address record used to point a hostname to an IPv4 address. For more information about A records, see RFC 1035.
AAAA
An address record used to point a hostname to an IPv6 address. For more information about AAAA records, see RFC 3596.
CAA
A Certification Authority Authorization record allows a domain name holder to specify one or more Certification Authorities authorized to issue certificates for that domain. For more information about CAA records, see RFC 6844.
CNAME
A Canonical Name record identifies the canonical name for a domain. For more information about CNAME records, see RFC 1035.
DNAME
A Delegation Name record has similar behavior to a CNAME record, but allows you to map an entire subtree beneath a label to another domain. For more information about DNAME records, see RFC 6672.
MX
A Mail Exchanger record defines the mail server accepting mail for a domain. MX records must point to a hostname; they must not point to a CNAME or an IP address. For more information about MX records, see RFC 1035.
PTR
A Pointer record reverse maps an IP address to a hostname. This behavior is the opposite of an A Record, which forward maps a hostname to an IP address. PTR records are commonly found in reverse DNS zones. For more information about PTR records, see RFC 1035.
SRV
A Service Locator record allows administrators to use several servers for a single domain. For more information about SRV records, see RFC 2782.
TXT
A Text record holds descriptive, human-readable text, and can also include non-human-readable content for specific uses. It is commonly used for SPF records and DKIM records that require non-human-readable text items. For more information about TXT records, see RFC 1035.

Required IAM Policies

To work with private DNS, a user needs sufficient authority (by way of an IAM policy). If your user is in the Administrators group, you have the required authority. If your user is not in the Administrators group, then a policy like this will allow a specific group to manage private DNS:

Allow group <GroupName> to manage dns in tenancy where target.dns.scope = 'private'

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for private DNS, see Details for the DNS Service.

Using the Console

To create a private zone with a private view
Note

  • Private zones can only be viewed in the region in which they are created.
  • Creating a private zone at or under "oraclevcn.com" within the default protected view of a VCN-dedicated resolver is not permitted.
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Private Zones tab.
  4. Click Create Zone.
  5. In the Create Private Zone dialog box, enter the following information:
    • Zone Name: Enter the name of the zone you want to create. Avoid entering confidential information. A domain name identifies a particular space within a zone for the purposes of naming systems and/or associating DNS records.
    • Create in Compartment: Select the compartment where you want to create the zone.
    • Zone Type: This field is read-only. The zone contents will be controlled directly within Oracle Cloud Infrastructure.
    • DNS Private View: A private zone must be created within a private view, which cannot be changed. When a private zone is attached to a private view, the private zone cannot be moved to a new private view.
      • Select Existing Private DNS View: To select an existing private view in the current compartment, select a private view from the drop-down menu. You can click Change Compartment to change the compartment where the private view exists.
      • Create New Private DNS View: Enter a name for the private view. Avoid entering confidential information. This resource is created in the compartment selected previously.
    • Show Advanced Options: Optionally, you can apply tags. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  6. Click Create.

    The system creates and publishes the zone, complete with the necessary SOA and NS records. The details for the zone appear. You can view the private view associated with this zone by clicking the Private View name in the Zone Information section. For information on adding a record to your zone, see To add a zone record.

To create a private view
Note

Private views can only be viewed in the region in which they are created.
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click Create Private View.
  3. In the Create Private View dialog box, enter the following:
    • Name: Enter the name of the private view you want to create. Avoid entering confidential information.
    • Create in Compartment: Select the compartment where you want to create the private view.
    • Show Advanced Options: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  4. Click Create.
To create a private view with a new private zone
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click Create Private View.
  3. In the Create Private Zone dialog box, enter the following information:
    • Name: Enter the name of the private view you want to create. Avoid entering confidential information.
    • Create in Compartment: Select the compartment where you want to create the private view.
    • Show Advanced Options: Optionally, you can apply tags. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  4. Click Create.

    The details for the private view appear.

  5. Click Create Zone.
  6. In the Create Private Zone dialog box, enter the following:
    • Zone Name: Enter the name of the zone you want to create. Avoid entering confidential information. A domain name identifies a particular space within a zone for the purposes of naming systems and/or associating DNS records.
    • Create in Compartment: Select the compartment where you want to create the zone.
    • Zone Type: This field is read-only. The zone contents will be controlled directly within Oracle Cloud Infrastructure.
    • Show Advanced Options: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  7. Click Create.

    The new zone appears in the zone list associated with the private view you created.

To add a zone record
Tip

There are many record types you can add to your zone, depending on your goals for the zone and its DNS management.
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Zone Name in which you want to add a record. If you are adding a record to a private zone, click the Private Zones tab and then click the zone name. Zone details appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  4. In Resources, click Records. A list of records appears.
  5. Click Add Record.
  6. In the Add Record dialog box, select a record type from the drop-down list, and then enter the information for the record. Avoid entering confidential information. For more information about record types, see Supported Resource Records.
  7. (Optional) Click the Add Another Record check box to add multiple records in succession.
  8. Click Submit.
    Note

    When records are added, they are staged to allow for multiple records to be combined into a set. Before records take effect, they must be published.
  9. Once your records have been added, click Publish Changes.
  10. In the confirmation dialog box, click Publish Changes.
To update a zone record
Note

Protected Records

You can change various components of the records within your zones, such as time-to-live (TTL) and relevant RDATA. However, some records contain information that cannot be changed. You can attempt changes to such records through the Actions menu, but the system might not permit updates to some fields.

  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Zone Name in which you want to update a record. If you are updating a record in a private zone, click the Private Zones tab and then click the zone name. Zone details appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  4. Click Records. A list of records appears.

    To help find a record, you can use the following filter options:

    • Enter the name of the record's domain in the Search field.
    • To find unpublished records, select the Staged check box.
    • To find published records, select the Unstaged check box.
    • Use the Is Protected sort filter to sort by records that are protected.
    • Use the Record Type sort filter to sort records.
  5. Select the check box for the record you want to update, and select Edit from the Actions drop-down menu.
  6. In the Edit Record dialog box, make the needed changes, and then click Submit.
    Note

    When records are added, they are staged to allow for multiple records to be combined into a set. Before records take effect, they must be published.
  7. Click Publish Changes.
  8. In the confirmation dialog box, click Publish Changes.

Reverting Changes Before Publishing

You can revert records to their current published state before you publish changes. Once a record has been published, it cannot be reverted. Select the check box for the record you want to revert, and then select Revert from the Actions drop-down menu.

To delete a zone record
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Zone Name in which you want to delete a record. If you are deleting a record in a private zone, click the Private Zones tab and then click the zone name. Zone details appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  4. Click Records. A list of zone records appears.
  5. Select the check box for the record you want to delete, and then select Delete from the Actions drop-down menu.
  6. Click Publish Changes.
  7. In the confirmation dialog box, click Publish Changes.
To edit a private view
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click the name of the private view you want to update.
    Tip

    You can use the Protected filter to sort private views by views that are protected (system generated).
  3. Click Edit.
  4. In the Edit Private DNS View dialog box, make the needed changes and then click Save Changes.
To edit a private zone
Note

Private zones are only viewable in the region in which they are created.
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Private Zones tab.
  4. Click the name of the zone you want to update.
    Tip

    You can use filters to sort private zones by zones that are protected (system generated) or by associated private view names.
  5. Click Edit.
  6. In the Edit Zone dialog box, make the needed changes and then click Save Changes.
To delete a private zone
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Private Zones tab.
  4. Click the Actions icon (three dots) for the zone you want to delete, and then click Delete.
  5. In the Delete Private Zone dialog box, click Delete.
    Caution

    Deletion removes associated resources.
To delete a private view
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click the name of the private view that you want to delete.
  3. Click Delete.
  4. In the Delete DNS Private View dialog box, click Delete.
    Caution

    Deletion removes any associated private zones.
To delete a private zone from a private view
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click the private view that contains the zone you want to delete.
  3. Click the Actions menu for the zone you want to delete, and then click Delete.
  4. In the Delete Private Zone dialog box, click Delete.
To move a private zone to another compartment
  1. Open the navigation menu and click Networking. Under DNS Management, click Overview.
  2. Click Zones.
  3. Click the Private Zones tab.
  4. Click the name of the zone you want to move.
  5. Find the zone in the list, click the Actions menu, and then click Move Resource.
  6. Choose the destination compartment from the list.
  7. Click Move Resource.
To move a private view to another compartment
  1. Open the navigation menu and click Networking. Under DNS Management, click Private Views.
  2. Click the name of the view you want to move.
  3. Click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

Using the API