I have a scenario where I am using GCP Cloud DNS. I am able to resolve my on-prem servers by FQDN from a server in GCP with a peered VPC network, but when I try to resolve them via IP address (basically a reverse DNS lookup) it doesn't work.
Here is my configuration for the forwarding zone for reverse lookup:
DNS name: 10.in-addr.arpa.
Type: Forwarding
Destination DNS server, Server location, Forwarding target type:
10.X.X.X.X Default
10.X.X.X.X Default
10.X.X.X.X Default
Here is the config for the DNS forwarding zone:
DNS name: xyz.com.
Type: Forwarding
Destination DNS server, Server location, Forwarding target type:
10.X.X.X.X Default
10.X.X.X.X Default
10.X.X.X.X Default
I also have DNS peering zones for the peered VPCs.
What am I missing to make this reverse DNS lookup work? I want to avoid any entries in the resolv.conf file.
Is it not possible in GCP?
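To make the lookup path in the question concrete, here is an added example (not part of the original post) that models the two forwarding zones above and shows which zone, if any, a PTR query for a given address would be answered from. The zone list, the placeholder 10.X.X.X.X targets and the sample addresses are constructed; the longest-suffix selection mirrors how Cloud DNS picks the most specific zone attached to a VPC, and a reverse zone has to cover the queried in-addr.arpa name for the forwarding targets to be consulted at all.

```python
import ipaddress

# Constructed model of the zones from the question, attached to the VPC:
# a forwarding zone for xyz.com. and a forwarding zone for 10.in-addr.arpa.
# (the 10.X.X.X.X targets are placeholders exactly as in the question).
ZONES = [
    {"dns_name": "xyz.com.", "type": "forwarding", "targets": ["10.X.X.X.X"]},
    {"dns_name": "10.in-addr.arpa.", "type": "forwarding", "targets": ["10.X.X.X.X"]},
]


def reverse_name(ip: str) -> str:
    """PTR query name for an address, e.g. 10.17.121.30 -> 30.121.17.10.in-addr.arpa.
    (an IPv6 address yields an ip6.arpa. name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def matching_zone(qname: str, zones=None):
    """Return the zone whose DNS name is the longest suffix of qname, or None.
    Cloud DNS answers a name from the most specific attached zone, so a
    121.17.10.in-addr.arpa. zone would win over 10.in-addr.arpa. for that /24."""
    zones = ZONES if zones is None else zones
    q = qname.lower().rstrip(".") + "."
    best, best_len = None, -1
    for zone in zones:
        suffix = zone["dns_name"].lower().rstrip(".") + "."
        if (q == suffix or q.endswith("." + suffix)) and len(suffix) > best_len:
            best, best_len = zone, len(suffix)
    return best


def ptr_lookup_plan(ip: str, zones=None) -> str:
    """Explain where a reverse lookup for ip would be sent."""
    qname = reverse_name(ip)
    zone = matching_zone(qname, zones)
    if zone is None:
        return f"{qname}: no attached zone covers it; the query falls through to the default resolution order"
    return f"{qname}: {zone['type']} zone {zone['dns_name']} -> targets {zone['targets']}"


if __name__ == "__main__":
    for ip in ("10.17.121.30", "192.168.1.10"):
        print(ptr_lookup_plan(ip))
```

Running it shows that 10.17.121.30 is covered by the 10.in-addr.arpa. zone while a 192.168.x.x address is not, which is the first thing to check when a PTR query for an on-prem address fails: the reverse zone must exist for that address range and be attached to the VPC the VM is in (peered VPCs need it via a peering zone).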
Related
I was trying to find the IP address of the DNS server hosted in a private zone in GCP to resolve a traffic-routing-related issue on the firewall, but I am not able to find it in the Cloud DNS GUI console.
Cloud DNS Private zones require that you use the metadata server for name resolution. Compute Engine instances receive internal DNS resolution information as part of their DHCP leases. By default, the instance's metadata server (169.254.169.254) resolves internal DNS names. If you change the name server configuration for your instance, you cannot resolve records in Compute Engine internal DNS (the .internal zone) or in Cloud DNS managed private zones, forwarding zones, and peering zones unless your replacement DNS server forwards these queries to 169.254.169.254.
I am new to Amazon Web Services (AWS).
I just created a VPC and a subnet inside it.
However, I could not resolve any hostnames in this subnet (from any host in this subnet):
[ec2-user#ip-192-168-1-86 ~]$ nslookup
> ip-192-168-1-86.ec2.internal
Server: 192.168.1.2
Address: 192.168.1.2#53
** server can't find ip-192-168-1-86.ec2.internal: NXDOMAIN
I have double-checked that DNS resolution is enabled for my VPC and that the private DNS hostname is correct.
From the AWS DNS documentation:
When you launch an instance into a VPC, it always receives a private DNS hostname.
The DNS resolution depends on the enableDnsHostnames and enableDnsSupport flags.
By default, both attributes are set to true in a default VPC or a VPC created by the VPC wizard. By default, only the enableDnsSupport attribute is set to true in a VPC created any other way.
Depending on the enableDnsHostnames and enableDnsSupport flags, the following rules apply:
If both attributes are set to true, the following occurs:
Instances with a public IP address receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.
If either or both of the attributes is set to false, the following occurs:
Instances with a public IP address do not receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set. If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.
If enableDnsHostnames and enableDnsSupport are both true, check whether the DHCP options set has been modified.
Go to the VPC service page in the AWS Console. Select Your VPCs to see all the VPCs.
Select the VPC, and select Actions, Edit DHCP options set.
In the DHCP options set list, select the default DHCP option list, and then choose Save.
On the VPC service page, you can find the DHCP Options Sets where you can get the Default DHCP Options Sets.
It can take a couple of hours for running EC2 instances to reflect this without a restart. You can also renew the IP lease with the following command:
Windows: ipconfig /renew
Linux: sudo dhclient -r
Or restart the instance, if you can't wait.
Check the private DNS hostnames supported by each region in the documentation below.
A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The private DNS hostname takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 Region, and ip-private-ipv4-address.region.compute.internal for other Regions (where private-ipv4-address is the reverse lookup IP address). You can use the private DNS hostname for communication between instances in the same network, but we can't resolve the DNS hostname outside the network that the instance is in.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
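The hostname format quoted above differs by Region, and a query for the wrong form gets NXDOMAIN just like a VPC with DNS support disabled does. The following is an added example (not from the original answer or from AWS) that derives the expected Amazon-provided private hostname from a private IPv4 address and Region, parses one back, and reads an nslookup failure like the one in the question to say whether the name itself is the problem or whether the VPC attributes and DHCP options set are the next thing to check. The nslookup output is a constructed copy of the question's session.

```python
import re
import ipaddress

# Constructed copy of the failing nslookup session from the question.
NSLOOKUP_OUTPUT = """\
Server: 192.168.1.2
Address: 192.168.1.2#53

** server can't find ip-192-168-1-86.ec2.internal: NXDOMAIN
"""

# ip-<a-b-c-d>.ec2.internal (us-east-1) or ip-<a-b-c-d>.<region>.compute.internal
_HOST_RE = re.compile(
    r"^ip-(\d{1,3}(?:-\d{1,3}){3})\.(?:ec2\.internal|([a-z0-9-]+)\.compute\.internal)$"
)


def private_dns_hostname(private_ip: str, region: str) -> str:
    """Expected Amazon-provided private DNS hostname for an instance's private IPv4."""
    addr = ipaddress.IPv4Address(private_ip)
    if not addr.is_private:
        raise ValueError(f"{private_ip} is not a private IPv4 address")
    label = "ip-" + str(addr).replace(".", "-")
    if region == "us-east-1":
        return f"{label}.ec2.internal"
    return f"{label}.{region}.compute.internal"


def parse_private_dns_hostname(hostname: str):
    """Return (private_ip, region) for a well-formed private hostname, else None."""
    m = _HOST_RE.match(hostname.strip().rstrip(".").lower())
    if m is None:
        return None
    ip = m.group(1).replace("-", ".")
    try:
        ipaddress.IPv4Address(ip)  # reject labels such as ip-999-1-1-1
    except ValueError:
        return None
    return ip, m.group(2) or "us-east-1"


def diagnose(nslookup_output: str, region: str) -> str:
    """Classify an NXDOMAIN from nslookup for an instance in the given Region."""
    m = re.search(r"can't find (\S+): NXDOMAIN", nslookup_output)
    if m is None:
        return "no NXDOMAIN in output; nothing to diagnose"
    name = m.group(1)
    parsed = parse_private_dns_hostname(name)
    if parsed is None:
        return f"{name} is not an Amazon-provided private hostname"
    ip, name_region = parsed
    if name_region != region:
        return f"{name} is the {name_region} form; in {region} expect {private_dns_hostname(ip, region)}"
    return (f"{name} is well-formed for {region}; NXDOMAIN points at enableDnsSupport/"
            f"enableDnsHostnames or a non-default DHCP options set")


if __name__ == "__main__":
    print(diagnose(NSLOOKUP_OUTPUT, "us-east-1"))
    print(diagnose(NSLOOKUP_OUTPUT, "eu-west-1"))
```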
I have a GCP VPC and it is connected to on-prem using Public Cloud Interconnect.
Traffic flow between on-prem and the VPC is OK. All routes and firewalls are configured correctly.
Now I would like to have the company DNS servers available for VMs in my VPC.
My 3 DNS servers are:
10.17.121.30 dns-01.net.company.corp
10.17.122.10 dns-02.net.company.corp
10.17.122.170 dns-03.net.company.corp
Now I have done the following config in Cloud DNS in GCP.
The DNS name is company.corp.
The "In use by" field refers to my VPC.
The IPs 10.17.121.30, 10.17.122.10 and 10.17.122.170 are on-prem and are accessible from the VPC over port 53.
But after doing all of the above, if I try to connect to any on-prem machine using its name, I get:
telnet: could not resolve example-server.corp.sap/443: No address associated with hostname
The above request is being made from a VM inside the VPC.
Which leads me to believe that my DNS servers might not be configured correctly. What have I missed here?
If you are intending to have your VMs able to resolve hostnames within your on-premises network, then you will need to make use of DNS forwarding. You would need to configure your private zone as a forwarding zone. Once this is done you can use your forwarding zone to query on-premises servers.
I have set up my infra on GCP and created a VPC and firewall rules to allow outgoing port 53 from inside my network to the outside.
I also set up a private DNS zone in Google Cloud and added a DNS forwarder IP (e.g. 192.168.1.1) to it. I also added the network that my VM is in to the DNS zone's allowed list.
Now when I launch my VM and try to dig test.mydomain.com it does not work, but when I put the IP mentioned above that I used as the DNS forwarder in /etc/resolv.conf, the dig works.
What am I missing here?
By default, the resolution of internal DNS names is handled by the instance metadata server (169.254.169.254).
If you change the name server configuration for your Instance, you might not be able to use internal DNS names. Any replacement of the name server software must support the Local Subnet Routes feature of RFC 3442.
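Both this answer and the earlier one about private zones make the same point: on a Compute Engine VM the metadata server 169.254.169.254 must stay the resolver, and putting the on-prem forwarder straight into /etc/resolv.conf (as the question did) bypasses Cloud DNS instead of fixing the forwarding zone. As an added example, not from the answer or from Google, here is a small check that reads resolv.conf contents and reports exactly that misconfiguration. The two resolv.conf samples are constructed; the first is the DHCP-provided default, the second is the manual edit from the question.

```python
METADATA_SERVER = "169.254.169.254"

# Constructed resolv.conf contents. The first is what a GCE VM gets from DHCP;
# the second is the kind of manual edit the question describes (forwarder IP
# 192.168.1.1 inserted ahead of the metadata server).
RESOLV_CONF_DEFAULT = """\
search c.my-project.internal google.internal
nameserver 169.254.169.254
"""

RESOLV_CONF_EDITED = """\
search c.my-project.internal google.internal
nameserver 192.168.1.1
nameserver 169.254.169.254
"""


def nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses in resolv.conf order, ignoring comments."""
    result = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            result.append(parts[1])
    return result


def check_resolv_conf(resolv_conf: str) -> list:
    """Findings about whether Cloud DNS private, forwarding and peering zones will resolve."""
    ns = nameservers(resolv_conf)
    findings = []
    if METADATA_SERVER not in ns:
        findings.append(f"metadata server {METADATA_SERVER} is not listed: private, forwarding and "
                        f"peering zones will not resolve")
    elif ns[0] != METADATA_SERVER:
        # glibc only moves to the next nameserver when the first fails to respond,
        # so an NXDOMAIN from the forwarder ends the lookup before Cloud DNS is asked.
        findings.append(f"{ns[0]} is consulted before the metadata server: zone names are answered "
                        f"by it first, and Cloud DNS is only tried if it does not respond")
    for n in ns:
        if n != METADATA_SERVER:
            findings.append(f"nameserver {n} bypasses Cloud DNS; add it as a forwarding target of a "
                            f"forwarding zone instead")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", RESOLV_CONF_DEFAULT), ("edited", RESOLV_CONF_EDITED)):
        print(label, check_resolv_conf(conf) or ["ok"])
```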
Is it possible for a single domain name to be associated with multiple AWS ELB on different domains?
Eg. I want example.com to point to my first ELB, and api.example.com to point to my second ELB (which is from a different AWS account).
I tried creating an A record for example.com with the first ELB as alias target, and another A record for api.example.com with the second ELB as alias target, but only example.com is working.
For both of the ELBs, I use the same domain name in AWS Certificate Manager to register the SSL cert; not sure if that affects anything.
The problem was that I forgot to allow all incoming traffic on the security group of the ELB...
Yes, you can use multiple load balancers for the same domain or different domains. For the AWS managed SSL certificate, you will need all domain names in the same certificate or you can use a different SSL certificate for each domain name. I would just create one certificate with "example.com" and "*.example.com".
Your issue is that you are using an SSL certificate for api.example.com that has the name example.com. The SSL certificate must include the name that matches the domain name.
If you do not have an SSL certificate installed on the EC2 instance, then setup SSL termination at the load balancer. This means creating a listener for port 443 that forwards to port 80.
To configure Route53 with an ELB in a different account:
For ELB load balancers, do one of the following:
If you used the same account to create your Amazon Route 53 hosted zone and your load balancer: choose Alias Target and choose a load balancer from the list. If you have a lot of load balancers, you can type the first few characters of the DNS name to filter the list.
If you used different accounts to create your Amazon Route 53 hosted zone and your load balancer: enter the value that you got in the procedure Getting the DNS Name for an ELB Load Balancer.
If you used one AWS account to create the current hosted zone and a different account to create a load balancer, the load balancer will not appear in the Alias Targets list.
If you used one account to create the current hosted zone and one or more different accounts to create all of your load balancers, the Alias Targets list shows No Targets Available under Elastic Load Balancers.
In either case, the console prepends dualstack. to the DNS name. When a client, such as a web browser, requests the IP address for your domain name (example.com) or subdomain name (www.example.com), the client can request an IPv4 address (an A record), an IPv6 address (a AAAA record), or both IPv4 and IPv6 addresses (in separate requests). The dualstack. designation allows Amazon Route 53 to respond with the appropriate IP address for your load balancer based on which IP address format the client requested.
Values for Alias Resource Record Sets
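When the load balancer lives in another account the console cannot fill in the alias for you, so the record is usually created from a change batch instead. The following is an added example, not from the answer or from AWS, that builds the change-resource-record-sets payload for the cross-account case: it normalizes the other account's ELB DNS name to the dualstack. form described above and emits matching alias A and AAAA records. The ELB DNS name is constructed, and ZELBHOSTEDZONEID is a placeholder for the load balancer's own hosted zone ID, which an alias target requires and which is a different value from the hosted zone ID of example.com.

```python
import json

# Constructed values: the DNS name shown for the load balancer in the other
# account's console, and a placeholder for that load balancer's hosted zone ID
# (Route 53 needs it in AliasTarget; it is not the hosted zone ID of example.com).
ELB_DNS_NAME = "api-elb-123456789.us-east-1.elb.amazonaws.com"
ELB_HOSTED_ZONE_ID = "ZELBHOSTEDZONEID"  # placeholder, not a real ID


def dualstack_name(elb_dns_name: str) -> str:
    """Normalize an ELB DNS name to the dualstack. form the console would use."""
    name = elb_dns_name.strip().lower().rstrip(".")
    return name if name.startswith("dualstack.") else "dualstack." + name


def alias_change_batch(record_name: str, elb_dns_name: str, elb_hosted_zone_id: str,
                       action: str = "UPSERT") -> dict:
    """ChangeBatch for `aws route53 change-resource-record-sets`: one alias A and
    one alias AAAA record pointing record_name at the load balancer."""
    target = {
        "HostedZoneId": elb_hosted_zone_id,
        "DNSName": dualstack_name(elb_dns_name),
        "EvaluateTargetHealth": False,
    }
    return {
        "Comment": f"alias {record_name} to {elb_dns_name}",
        "Changes": [
            {
                "Action": action,
                "ResourceRecordSet": {
                    "Name": record_name,
                    "Type": rtype,
                    "AliasTarget": dict(target),
                },
            }
            for rtype in ("A", "AAAA")
        ],
    }


if __name__ == "__main__":
    batch = alias_change_batch("api.example.com", ELB_DNS_NAME, ELB_HOSTED_ZONE_ID)
    print(json.dumps(batch, indent=2))
```

Save the printed JSON as change.json and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <hosted zone ID of example.com> --change-batch file://change.json`, run from the account that owns the hosted zone. The AAAA alias is only useful when the load balancer actually has an IPv6 address; drop it from the Changes list otherwise.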