Architecture approaches for DNS on OCI: Linux vs Windows

November 21, 2019 | 3 minute read
Ionut Neubauer
Senior Manager, Cloud Engineering

Overview

The purpose of this document is to help you design the best architecture for services that use DNS between the customer data center and OCI, based on the behavior of each DNS client. We will cover the differences between the Linux DNS client and the Windows DNS client.

Basic OCI networking skills are recommended.

OCI DNS Resolver

The Domain Name System (DNS) lets computers use hostnames instead of IP addresses to communicate with each other. There are 2 options for resolving a DNS record inside a VCN:

  • Internet Resolver: Lets instances resolve hostnames that are publicly published on the internet. The instances do not need to have internet access by way of either an or a connection to your on-premises network (such as an IPSec VPN connection through a 
  • VCN Resolver: Lets instances resolve hostnames (which you can assign) of other instances in the same VCN.

By default, when you create a VCN, both options are enabled (Internet Resolver and VCN Resolver). The Internet Resolver is implicitly enabled; the VCN Resolver is enabled by default but can be disabled.

If you choose not to use DNS resolution in a specific VCN, keep in mind that none of the subnets inside that VCN will be able to use the OCI VCN Resolver.

If the VCN Resolver is enabled, each subnet inside the VCN can choose whether or not to use DNS resolution.

Each VCN has its own private DNS resolver that is managed by Private DNS. In OCI, Private DNS provides DNS resolution for domains within your VCN. These domains include domains that reference internal infrastructure within your Oracle Cloud Infrastructure (OCI) tenancy, custom zones, or private IP addresses elsewhere on your network. You can use any domain name you want in private DNS, and it is resolvable only through your DNS resolver.

For more information, please check these reference documents:

(A) IaaS blog: https://blogs.oracle.com/cloud-infrastructure/announcing-oracle-cloud-infrastructure-private-dns
(B) Reference Architectures (How-to): https://docs.oracle.com/en/solutions/private-dns
(C) Free hands-on labs: https://oracle.github.io/learning-library/oci-library/oci-hol/oci-private-dns/workshops/freetier/
(D) FAQ: https://www.oracle.com/cloud/networking/dns-faq.html
(E) Public documentation:
     (1) Private DNS Overview: https://docs.cloud.oracle.com/en-us/iaas/Content/DNS/Tasks/privatedns.htm
     (2) Private DNS resolvers: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Concepts/dns.htm#Private_resolver

DNS Client: Linux vs Windows

You can get different or unexpected behavior when using different operating systems. Over time, because the Windows DNS client is more dynamic, it can affect a production environment by accepting DNS responses from an unexpected DNS server.

Linux

By default, Linux configures its DNS client through the /etc/resolv.conf file.

If the Linux DNS client receives a negative answer from the first nameserver (DNS server) during a lookup, it will not retry the lookup against the other nameservers. It only falls back to the other nameservers when the desired server cannot be reached (time-out).

More configuration options can be found in the man page of resolv.conf or at this page:

http://man7.org/linux/man-pages/man5/resolv.conf.5.html

Windows

By default, the Windows DNS client's behavior is driven more by DNS query response time.

The Domain Name System (DNS) client waits for a response to each of the five attempts in the name resolution process. If the time specified for any attempt elapses before DNS receives a response, DNS repeats the query.

The value of this entry is an ordered list of five time limits (in seconds). The sixth value, which must be 0, indicates the end of the list. Each time limit is applied to the corresponding attempt in the name resolution process, in the following order:

Value       Default value   Attempt
1st limit   1 second        Query the preferred DNS server on a preferred connection.
2nd limit   2 seconds       Query the preferred DNS server on all connections.
3rd limit   2 seconds       Query all DNS servers on all connections (1st attempt).
4th limit   4 seconds       Query all DNS servers on all connections (2nd attempt).
5th limit   8 seconds       Query all DNS servers on all connections (3rd attempt).
6th value   0 (must be 0)   Indicates the end of the list.

Also, the DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.

This information is taken from the official Microsoft documentation:

https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)?redirectedfrom=MSDN
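
As an added example (not code from the original post, Oracle or Microsoft), the following Python model replays both client behaviours described above: the Linux client's strict resolv.conf order with fall-back only on time-out, and the Windows client's five timed attempts followed by re-ranking of servers by speed. The server names, latencies and zone contents are constructed; a slow on-premises server behind the VPN and a fast VCN resolver show how Windows can end up accepting a negative answer from the unexpected server while Linux gets the correct one.

```python
# Model of the two client behaviours described above (Linux: resolv.conf
# order, fall back only on time-out; Windows: five timed attempts, then
# re-rank servers by speed). Added illustration; all data is constructed.
from typing import Dict, List, Optional, Tuple

# Constructed servers: (reply latency in seconds, None = unreachable, zone data).
# The on-premises server is slow because it sits behind the IPSec VPN.
SERVERS: Dict[str, Tuple[Optional[float], Dict[str, str]]] = {
    "onprem-dns": (2.5, {"app.corp.example": "10.1.1.10"}),
    "vcn-resolver": (0.01, {"db.vcn.oraclevcn.com": "10.0.1.5"}),
}
WINDOWS_LIMITS = [1, 2, 2, 4, 8]   # the five default time limits from the table
LINUX_TIMEOUT = 5                  # resolv.conf 'timeout' default (seconds)

def answer(server: str, name: str) -> str:
    """What the server says once it replies: an A record or NXDOMAIN."""
    zone = SERVERS[server][1]
    return f"A {zone[name]}" if name in zone else "NXDOMAIN"

def linux_resolve(nameservers: List[str], name: str) -> Tuple[str, str]:
    """Walk the list in order; any answer from a reachable server is final,
    including a negative one. Only a time-out moves on to the next server."""
    for server in nameservers:
        latency = SERVERS[server][0]
        if latency is not None and latency <= LINUX_TIMEOUT:
            return server, answer(server, name)
    return "", "TIMEOUT"

def windows_resolve(nameservers: List[str], name: str) -> Tuple[str, str]:
    """Attempts 1-2 ask only the preferred server; attempts 3-5 ask every
    server and the fastest reply within the limit wins (connections are
    collapsed into one here). The answering server is moved to the front,
    mirroring the DNS Client service re-ranking servers by response time."""
    for attempt, limit in enumerate(WINDOWS_LIMITS, start=1):
        candidates = nameservers[:1] if attempt <= 2 else nameservers
        replies = sorted((SERVERS[s][0], s) for s in candidates
                         if SERVERS[s][0] is not None and SERVERS[s][0] <= limit)
        if replies:
            server = replies[0][1]
            nameservers.remove(server)
            nameservers.insert(0, server)
            return server, answer(server, name)
    return "", "TIMEOUT"

if __name__ == "__main__":
    order = ["onprem-dns", "vcn-resolver"]
    print("Linux  :", linux_resolve(order, "app.corp.example"))    # on-prem answers
    print("Windows:", windows_resolve(order, "app.corp.example"))  # VCN resolver, NXDOMAIN
    print("Windows server order is now", order)
```

Running it shows Linux getting A 10.1.1.10 from onprem-dns, while Windows gives up on the slow preferred server after two attempts, takes NXDOMAIN from vcn-resolver on the third, and from then on treats vcn-resolver as the preferred server.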
