Prerequisites: Use Case – OCI VCN Custom DNS

To give operators as many tools as possible to troubleshoot, monitor and analyze OCI private DNS activity, a missing piece was added to the OCI DNS suite: OCI Private DNS Logging, part of the OCI Logging service. A much-requested feature, asked for by many customers, is now available and ready to use.

To highlight the functionality of the private DNS logging feature, we will use custom VCN DNS rather than the default *.oraclevcn.com DNS configuration. The prerequisite blog listed above is important, since it explains how Private DNS and Private Views can be used together for a custom DNS implementation.

The DNS logging feature will be analyzed on the below networking topology:

[Figure: network topology]

Our goals are:

a) to have DNS resolution for vm-2.region-sj.oci.com in the OCI San Jose region from vm-1.region-iad.oci.com in the OCI Ashburn region, and vice versa

b) to analyze the DNS logs for detailed private DNS query/response activity

Note: A private DNS log entry isn't written for responses answered from cache. However, when the TTL expires for a cached entry, the next lookup for that name results in a DNS log entry. This is done for performance reasons, to avoid excessive logging for names that have already been resolved by DNS (see: Cache DNS).

For our DNS configuration to be complete, we will define the DNS Listener and Forwarder in each region together with the rules and private views containing the custom name and IP addresses.

OCI Ashburn:

a) The endpoints

[Figure: DNS endpoints, Ashburn (IAD)]

b) The DNS rule:

[Figure: DNS forwarding rule, Ashburn (IAD)]

OCI San Jose:

a) The endpoints:

[Figure: DNS endpoints, San Jose (SJ)]

b) The DNS rule:

[Figure: DNS forwarding rule, San Jose (SJ)]

The configuration is ready. Before starting the testing, let's activate the DNS logs in both regions:

[Figure: enabling private DNS logs in the OCI Logging service]

To verify the DNS response logs, we need to initiate DNS requests from each region and let the logs populate.

Let's verify the DNS query response log in the San Jose region first, using the filter for vm-2.region-sj.oci.com (data.qname='vm-2.region-sj.oci.com.'):

[Figure: DNS response log entry, San Jose region]

In the DNS response log we have the qname requested, the source (Forwarder_IAD) and destination (Listener_SJ) IP addresses, and the DNS answer for vm-2.region-sj.oci.com.

Let's verify the DNS log in the Ashburn region:

[Figure: DNS response log entry, Ashburn region]

Both log entries show that name resolution completes successfully between the two regions, and each entry contains the key information needed for in-depth troubleshooting and monitoring of OCI Private DNS.
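The two checks above (filter by qname, then confirm the forwarder-to-listener path and the answer) are easy to automate once the log entries are exported. The following script is an added example, not code from the original post or from Oracle: it parses constructed DNS response log lines, applies the same data.qname filter used in the console, and reports whether each expected cross-region lookup was answered over the expected path with the expected address. The JSON field names (data.source, data.destination, data.answers, oracle.region), the endpoint IP addresses and the answers are assumptions modelled on what the console screenshots show, not the documented OCI log schema; substitute the real values from your own exported logs.

```python
"""Check cross-region OCI private DNS response logs against expected
forwarder -> listener paths and answers.

Added example. Field names, IPs and region identifiers are constructed
assumptions, not the official OCI Private DNS log schema.
"""
import json
from typing import Dict, List

# Constructed endpoint inventory: endpoint IP -> endpoint name (assumed addresses).
ENDPOINTS = {
    "10.1.10.5": "Forwarder_IAD",
    "10.1.10.6": "Listener_IAD",
    "10.2.10.5": "Forwarder_SJ",
    "10.2.10.6": "Listener_SJ",
}

# What a correct cross-region lookup should look like (constructed values).
EXPECTED = {
    "vm-2.region-sj.oci.com.": {
        "region": "us-sanjose-1", "source": "Forwarder_IAD",
        "destination": "Listener_SJ", "answer": "10.2.20.10",
    },
    "vm-1.region-iad.oci.com.": {
        "region": "us-ashburn-1", "source": "Forwarder_SJ",
        "destination": "Listener_IAD", "answer": "10.1.20.10",
    },
}

# Constructed log lines shaped like the console view in the post (assumed keys).
# The second entry deliberately carries a stale answer; the third is garbage.
SAMPLE_LOG_LINES = [
    json.dumps({"oracle": {"region": "us-sanjose-1"},
                "data": {"qname": "vm-2.region-sj.oci.com.", "qtype": "A",
                         "rcode": "NOERROR", "source": "10.1.10.5",
                         "destination": "10.2.10.6", "answers": ["10.2.20.10"]}}),
    json.dumps({"oracle": {"region": "us-ashburn-1"},
                "data": {"qname": "VM-1.region-iad.oci.com", "qtype": "A",
                         "rcode": "NOERROR", "source": "10.2.10.5",
                         "destination": "10.1.10.6", "answers": ["10.1.20.99"]}}),
    "not a json log line",
]


def normalize_qname(name: str) -> str:
    """Match the console filter form: lower-case FQDN with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_dns_logs(lines: List[str]) -> List[Dict]:
    """Parse JSON log lines, skipping malformed ones, and map IPs to endpoint names."""
    entries = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        data = obj.get("data", {})
        if "qname" not in data:
            continue
        entries.append({
            "region": obj.get("oracle", {}).get("region", "unknown"),
            "qname": normalize_qname(data["qname"]),
            "source": ENDPOINTS.get(data.get("source"), data.get("source")),
            "destination": ENDPOINTS.get(data.get("destination"), data.get("destination")),
            "rcode": data.get("rcode"),
            "answers": data.get("answers", []),
        })
    return entries


def filter_by_qname(entries: List[Dict], qname: str) -> List[Dict]:
    """Equivalent of the console query data.qname='<fqdn>.'."""
    target = normalize_qname(qname)
    return [e for e in entries if e["qname"] == target]


def check_resolution_paths(entries: List[Dict], expected: Dict = EXPECTED) -> Dict[str, str]:
    """Return {qname: status}.

    'ok'              expected forwarder -> listener path and expected answer
    'unexpected_path' a response for this name was logged from/to an unexpected endpoint
    'wrong_answer'    right path, but the expected address is missing from the answer
    'no_log_entry'    nothing logged; with private DNS logging this can also mean the
                      answer came from cache, so it is not proof that the lookup failed
    """
    results = {}
    for qname, exp in expected.items():
        matches = [e for e in filter_by_qname(entries, qname) if e["region"] == exp["region"]]
        if not matches:
            results[qname] = "no_log_entry"
            continue
        problems = set()
        for e in matches:
            if (e["source"], e["destination"]) != (exp["source"], exp["destination"]):
                problems.add("unexpected_path")
            elif exp["answer"] not in e["answers"]:
                problems.add("wrong_answer")
        if "unexpected_path" in problems:
            results[qname] = "unexpected_path"
        elif "wrong_answer" in problems:
            results[qname] = "wrong_answer"
        else:
            results[qname] = "ok"
    return results


if __name__ == "__main__":
    parsed = parse_dns_logs(SAMPLE_LOG_LINES)
    for name, status in check_resolution_paths(parsed).items():
        print(f"{name:28} {status}")
```

Run against the constructed sample, the San Jose entry reports ok while the Ashburn entry reports wrong_answer, which is the kind of stale private view record this log makes visible. An unexpected_path result is the one to treat as a security signal: it means a listener answered a query for one of your custom names from an address that is not the peer region's forwarder.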