
Best Practices from Oracle Development's A‑Team

Architecture approaches for DNS on OCI: Linux vs Windows

Ionut Neubauer
Principal Solutions Architect

Overview

The purpose of this document is to help with designing the best architecture for services that use DNS between customer Data Center and OCI based on each DNS Client behavior. We will cover differences between the Linux DNS Client and Windows DNS Client. 

Basic OCI Networking skills are recommended.

OCI DNS Resolver

The Domain Name System (DNS) lets computers use hostnames instead of IP addresses to communicate with each other. There are 2 options for resolving a DNS record inside a VCN:

  • Internet Resolver: Lets instances resolve hostnames that are publicly published on the internet. The instances do not need to have internet access by way of either an or a connection to your on-premises network (such as an IPSec VPN connection through a 
  • VCN Resolver: Lets instances resolve hostnames (which you can assign) of other instances in the same VCN.

By default, when you create a VCN, both options (Internet Resolver and VCN Resolver) are enabled. The Internet Resolver is implicitly enabled; the VCN Resolver is enabled by default but can be disabled.

If you choose not to use DNS Resolution in a specific VCN, keep in mind that none of the subnets inside that VCN will be able to use the OCI VCN Resolver.

If the VCN Resolver is enabled, each subnet inside the VCN can independently choose whether or not to use DNS Resolution.

To resolve DNS records, the subnets use an internal IP address (169.254.169.254) that is not reachable from outside the VCN.

Keep in mind that if DNS Resolution is enabled for the VCN and, for example, you have two subnets, one with DNS Resolution enabled and the other with it disabled, the subnet without DNS Resolution will not be able to perform local DNS queries (inside the VCN, using the VCN Resolver).

The VCN uses oraclevcn.com as the default domain name. This domain is read-only and cannot be changed. The DNS labels of the VCN and subnet are prefixed to oraclevcn.com (e.g. subnet1.vcn1.oraclevcn.com). A VM / BM instance with a DNS label is prefixed in turn (e.g. vm1.subnet1.vcn1.oraclevcn.com).

More details can be found in the official OCI public documentation https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/dns.htm.

If the OCI VCN Resolver needs to be reached from the customer Data Center, a custom DNS solution inside OCI has to be used. This involves at least one Linux server (two recommended for HA) running BIND or Dnsmasq configured for conditional forwarding: for example, everything destined for oraclevcn.com is forwarded to 169.254.169.254 and everything else to another nameserver (DNS Server) of your choice. With this approach, the customer can send DNS queries from a specific Data Center to the private or public IP address assigned to the newly started VM / BM server. This is necessary because the VCN Resolver (169.254.169.254) is not accessible from outside the VCN.
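As an added example (not from the original post or Oracle's own code), a minimal BIND named.conf for the conditional-forwarding server described above; the on-premises CIDR (10.0.0.0/8), the VCN CIDR (10.10.0.0/16) and the on-premises nameserver address (10.1.1.53) are assumed placeholder values.

```conf
// Added example, not part of the original post. Assumed values:
//   on-premises network  10.0.0.0/8
//   VCN CIDR             10.10.0.0/16
//   on-premises DNS      10.1.1.53
options {
    directory "/var/named";
    listen-on port 53 { any; };

    // Least privilege: only the Data Center and the VCN may use this
    // forwarder, so it cannot be abused as an open resolver.
    allow-query     { 10.0.0.0/8; 10.10.0.0/16; };
    allow-recursion { 10.0.0.0/8; 10.10.0.0/16; };
    recursion yes;

    // Default path: everything that is NOT oraclevcn.com goes to the
    // customer's own nameserver; "forward only" prevents this server
    // from recursing on its own if the forwarder does not answer.
    forwarders { 10.1.1.53; };
    forward only;
};

// Conditional forwarding: VCN hostnames are answered by the VCN Resolver,
// which is reachable only from inside the VCN (169.254.169.254).
zone "oraclevcn.com" {
    type forward;
    forward only;
    forwarders { 169.254.169.254; };
};
```

Once named is running, a query such as `dig @<forwarder-ip> vm1.subnet1.vcn1.oraclevcn.com` from the Data Center should be answered from the VCN Resolver, while any other name is answered through the on-premises server.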

More details and examples can be found in this blog https://www.ateam-oracle.com/hybrid-dns-in-oci.

DNS Client: Linux vs Windows

You can get different or unexpected behavior when using different operating systems. Over time, because the Windows DNS Client is more dynamic, it can impact a production environment by receiving DNS responses from an unexpected DNS Server.

Linux

Linux by default uses the /etc/resolv.conf configuration file to configure the DNS Client.

If the Linux DNS Client gets a negative answer from the first nameserver (DNS Server) during a lookup, it will not retry the query against the other nameservers. It only moves on to another nameserver when the preferred one cannot be reached (time-out).

More configuration options can be found in the man page of resolv.conf or at this page:

http://man7.org/linux/man-pages/man5/resolv.conf.5.html

Windows

Windows, by default, is driven more by the DNS query response time.

The Domain Name System (DNS) client waits for a response to each of the five attempts in the name resolution process. If the time specified for any attempt elapses before DNS receives a response, DNS repeats the query.

The value of this registry entry is an ordered list of five time limits (in seconds). The sixth value, which must be 0, indicates the end of the list. Each time limit is applied to the corresponding attempt in the name resolution process, in the following order:

Value       Default value   Attempt
1st limit   1 second        Query the preferred DNS server on a preferred connection.
2nd limit   2 seconds       Query the preferred DNS server on all connections.
3rd limit   2 seconds       Query all DNS servers on all connections (1st attempt).
4th limit   4 seconds       Query all DNS servers on all connections (2nd attempt).
5th limit   8 seconds       Query all DNS servers on all connections (3rd attempt).
6th value   (Must be 0.)    End of the list.


Also, the DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.

This information is provided from the Microsoft official documentation site:

https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)?redirectedfrom=MSDN
