Does GCP support an internal DNS service? I don't need my zone to be public but I want my gce instances to use it for resolving internal services.
I am not very clear on your requirements, but if you just want two vm instances in a project VPC to communicate with each other then you can use internal dns, instead of using internal IP address which might change when a vm instance gets recreated.
GCP provides internal dns that can be used by two VM instances in the same VPC to communicate.
Note that vm instances in two different VPC can not communicate with each other across VPCs using this method (unless a VPN or other mechanism is configured to connect VPCs)
There are two ways to access/configure Internal DNS
Global DNS
Zonal DNS (Default for all organizations or standalone projects that have enabled the Compute Engine API after September 06, 2018.)
An internal fully qualified domain name (FQDN) for an instance has the following formats:
Instances using the default global DNS : [HOST_NAME] .c.[PROJECT_ID].internal
Instances enabled for Zonal DNS : [HOST_NAME].[ZONE].c.[PROJECT_ID].internal
You can address instances over the internal VPC network using this FQDN.
For example, if your instances are enabled for Zonal DNS, you can ping from one instance to another instance over the internal VPC network using the zonal fully qualified domain name:
ping example-instance.us-west1-c.c.example-project.internal -c 1
Yes, as of Oct 2018, Google Cloud DNS now supports Private DNS Zones.
You can create domains and DNS entries (pointing to whatever instances, load balancers, services) that will only be visible internally to the VPC networks you allow, and not available over the internet.
Announcement:
https://cloud.google.com/blog/products/networking/introducing-private-dns-zones-resolve-to-keep-internal-networks-concealed
Documentation:
https://cloud.google.com/dns/docs/quickstart#create_a_managed_private_zone
It appears based on this VPC doc that you would need to set up your own DNS server.
DNS server Each instance's metadata server acts as a DNS server. It
stores the DNS entries for all VPC network IP addresses in the local
VPC network and calls Google's public DNS server for entries outside
the VPC network. You cannot configure this DNS server, but you can set
up your own DNS server if you like and configure your instances to use
that server instead by editing the /etc/resolv.conf file.
EDIT:
As the more recent answers have pointed out, Cloud DNS now supports private zones.
Related
I was trying to find the IP Address of DNS server hosted in private zone in GCP to resolve some traffic routing related issue on the firewall. But i am not able to find it in Cloud DNS GUI console.
Cloud DNS Private zones require that you use the metadata server for name resolution. Compute Engine instances receive internal DNS resolution information as part of their DHCP leases. By default, the instance's metadata server (169.254.169.254) resolves internal DNS names. If you change the name server configuration for your instance, you cannot resolve records in Compute Engine internal DNS (the .internal zone) or in Cloud DNS managed private zones, forwarding zones, and peering zones unless your replacement DNS server forwards these queries to 169.254.169.254.
We can connect to our AWS EC2 only from within the company VPN. I made a request to create DNS names for the servers. This would be made using AWS Route 53.
The operations team says that having a DNS name is a security risk and the explanation is
"Names are easy to guess compared to IP addresses"
"setting up a DNS for a sever in the public zone directly exposes the servers origin IP and opens up a potential to the DDOS attacks as well as subnet vulnerability"
The servers are not exposed outside our VPN. We have separate AWS accounts for different teams and public zone here refers to a different team.
Does the operations team have valid argument.
You should create a Route 53 Private Hosted Zone so the DNS name can't be resolved publicly.
You then need to configure the DNS server in the office to incorporate DNS responses from Route 53 by using a forwarder.
I don't know the full details, but here's some articles that should help:
Resolving DNS Queries Between VPCs and Your Network - Amazon Route 53
Resolve a Private Hosted Zone over VPN with Directory Service
Use an Inbound Endpoint to Resolve Records in a Private Hosted Zone From a Remote Network
I have a GCP VPC and it is connected to on-prem using Public Cloud Interconnect.
Traffic flow between onprem and the VPC is ok. All routes and firewalls are configured correctly.
Now I would like to have the company DNS servers available for VMs in my VPC.
My 3 DNS servers are
10.17.121.30 dns-01.net.company.corp
10.17.122.10 dns-02.net.company.corp
10.17.122.170 dns-03.net.company.corp
Now I have done the below config in Cloud DNS in GCP.
The DNS name is company.corp
The "In use by" is referring my VPC.
The IPs 10.17.121.30, 10.17.122.10 and 10.17.122.170 are on-prem and are accessible from the VPC over port 53.
But after having done all the above, if I try to connect to any on-prem machine using its name, I get
telnet: could not resolve example-server.corp.sap/443: No address associated with hostname
The above request is being made from a VM inside the VPC.
Which leads me to believe that my DNS servers might not be correctly configured. What have I missed here ?
If you are intending to have your VMs able to resolve hostnames within your on-premises network, then you will need to make use of DNS forwarding. You would need to configure your private zone as a forwarding zone. Once this is done you can use your forwarding zone to query on-premises servers.
On creating an EC2 instance on AWS, you can access it via IP address or a domain name provided by Amazon out of the box:
Is there a similar thing available for Google Cloud out of the box? I'm on a network that blocks IP addresses, and wildcard DNS like xip.io, so I was curious to know about it. Also, is there a specific term this is called which I'm missing?
When you create a GCP Compute Engine instance (EC2 equivalent) you can declare that you want it to have a public IP address. This is an IP that you can use over the Internet to access your instance. GCP gives you two types of IP ... static (stable) or ephemeral. A static IP is yours until you explicitly release it. There is no charge for this as long as your compute engine is running. An ephemeral IP is one which is allocated to you dynamically and may change following a restart of your compute engine instance.
GCP does not (currently ... things could always change) create a DNS entry that will resolve to your IP address over the Internet. It does create a DNS entry that can be used inside your GCP VPC network to allow one compute engine to call another within the GCP environment.
If you want to reach your Compute Engine via a DNS name it is your responsibility to create a DNS "A" record in your own DNS server. If you don't have a DNS server that you can use, then you can obtain a domain name for a few dollars and then create an instance of a GCP Cloud DNS Server and add an "A" record for your compute engine to that server.
See also:
Cloud DNS
Internal DNS
Yes, you can forumate internal dns for instance using [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal
See the following link for further information: https://cloud.google.com/compute/docs/internal-dns
Please ensure the ports are open.
You can visit the documentation as below for your reference, hope this helps.
https://cloud.google.com/vpc/docs/firewalls
i have setup my infra on GCP and created a VPC and firewall rules to allow outgoing 53 from inside my network to the outside.
i also setup a private dns zone in google cloud and added a dns forwarder ip (e.g. 192.168.1.1) to it. i also added the network that my vm is in to the dns zone allowed list .
now when i launch my VM and try to dig to test.mydomain.com it does not work, but when i put the ip mentioned above that i used as the dns forwarder in the /etc/resolve.conf the dig works ..
what am i missing here ?
By default, the resolution of internal DNS names is handled by the Instance metadata server (169.254.169.254)
If you change the name server configuration for your Instance, you might not be able to use internal DNS names. Any replacement of the name server software must support the Local Subnet Routes feature of RFC 3442.