Private DNS

This topic describes how to create and manage private DNS zones. Private DNS allows you to use your own private DNS domain names and fully manage the associated zones and records to provide hostname resolution for your applications running within and between VCNs, as well as your on-premises or other private network. Private DNS also provides DNS resolution across networks (for example, another VCN within the same region, cross region, or external network). Private DNS can be managed in the OCI DNS API and Console.

Overview of Private DNS

  • Private DNS Zones: Private DNS zones contain DNS data only accessible from within a VCN, such as private IP addresses. A private DNS zone has similar capabilities to an internet DNS zone, but provides responses only for clients that can reach it through a VCN. Private DNS allows you to duplicate zones across multiple VCNs. A full or partial domain tree can be created. It also supports split-horizon DNS which allows you to use the same domain name for public and private zones. Different answers can be served for public queries versus private queries from within your VCN.

  • Private DNS Views: A private DNS view is a collection of private zones. You can reference private views from a resolver to manage how DNS queries are answered. A zone can only belong to a single view. The same zone name can be used in multiple views, but the zones will have unique OCIDs to differentiate. You can use those views to create DNS resolvers configured to handle DNS queries from your VCNs. Any given view can be used by an arbitrary number of resolvers, allowing you to share private DNS data across VCNs.

  • Private DNS Resolver: A private DNS resolver provides responses to DNS queries. It provides responses by checking each customer-referenced view in order, then the default view, then each rule in order, and finally by using internet DNS. The first item in that sequence able to provide an answer does so, and later items are not checked. Rules allow you to define the logic for how queries should be answered. The resolver listens on 169.254.169.254 by default, but also allows you to define endpoints for listening for queries and forwarding them to other resolvers in other VCNs, a customer's on-premises network, or other private network. Multiple views can be resolved within a VCN. You can specify an ordered list of views within a resolver. For more information, see Private DNS resolvers.
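The answer order described above (customer views in order, then the default view, then rules, then internet DNS, first hit wins) is easy to get wrong when the same zone name exists in more than one view. The following is an added Python model of that order, not OCI code; the views, the forwarding rule, the "on-premises" answers and the internet answers are constructed sample data, and the assumption that a zone covering a name answers NXDOMAIN rather than letting a later source try is labelled in the code.

```python
from typing import Callable, Optional

Zone = dict[str, str]                 # record name -> rdata (A records only here)
View = dict[str, Zone]                # zone name -> zone
Answer = tuple[str, Optional[str]]    # (source that answered, rdata; None = NXDOMAIN)

def lookup_in_view(view: View, qname: str) -> Optional[Answer]:
    """Return (zone, rdata) if some zone in this view covers qname, with
    rdata None for a missing name. None means no zone here covers qname.
    Assumption: a covering zone is authoritative, so even a missing name is
    'an answer' (NXDOMAIN) and later sources are not consulted."""
    for zone_name in sorted(view, key=len, reverse=True):   # most specific zone first
        if qname == zone_name or qname.endswith("." + zone_name):
            return (zone_name, view[zone_name].get(qname))
    return None

def resolve(qname: str, views: list[View], default_view: View,
            rules: list[tuple[str, Callable[[str], Optional[str]]]],
            internet: dict[str, str]) -> Answer:
    """Walk the sources in the documented order and stop at the first hit."""
    for i, view in enumerate(views):                  # customer views, in order
        hit = lookup_in_view(view, qname)
        if hit is not None:
            return (f"view[{i}]:{hit[0]}", hit[1])
    hit = lookup_in_view(default_view, qname)         # then the default view
    if hit is not None:
        return (f"default:{hit[0]}", hit[1])
    for suffix, forward in rules:                     # then each rule, in order
        if qname == suffix or qname.endswith("." + suffix):
            return (f"rule:{suffix}", forward(qname))
    return ("internet", internet.get(qname))          # finally internet DNS

# Constructed sample data. example.com exists in two views (the earlier view
# wins, and hides db.example.com held only by the later one), and
# app.example.com is split-horizon: a private answer and a public one.
VIEW_A: View = {"example.com": {"app.example.com": "10.0.1.5"}}
VIEW_B: View = {"example.com": {"app.example.com": "10.0.9.9",
                                "db.example.com": "10.0.9.10"}}
DEFAULT: View = {"vcn1.oraclevcn.com": {"host1.vcn1.oraclevcn.com": "10.0.0.2"}}
ONPREM = {"ldap.corp.internal": "192.168.5.4"}        # stands in for a forwarder
RULES = [("corp.internal", ONPREM.get)]
INTERNET = {"app.example.com": "203.0.113.10", "www.oracle.com": "198.51.100.7"}

def demo(qname: str) -> Answer:
    return resolve(qname, [VIEW_A, VIEW_B], DEFAULT, RULES, INTERNET)
```

Note that db.example.com resolves to NXDOMAIN from the first view even though the second view holds a record for it, which is why the order of views in a resolver needs the same review as the zone data itself.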

Required IAM Policies

To work with private DNS, a user needs sufficient authority (by way of an IAM policy). If your user is in the Administrators group, you have the required authority. If your user is not in the Administrators group, then a policy like this will allow a specific group to manage private DNS:

Allow group <GroupName> to manage dns in tenancy where target.dns.scope = 'private'

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for private DNS, see Details for the DNS Service.

Using the Console

To create a private zone with a private view
Note

Private zones can only be viewed in the region in which they are created.
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Private Zones tab.
  3. Click Create Zone.
  4. In the Create Private Zone dialog box, enter the following information:
    • Zone Name: Enter the name of the zone you want to create. Avoid entering confidential information. A domain name identifies a particular space within a zone for the purposes of naming systems and/or associating DNS records.
    • Create in Compartment: Select the compartment where you want to create the zone.
    • Zone Type: This field is read-only. The zone contents will be controlled directly within Oracle Cloud Infrastructure.
    • DNS Private View: A private zone must be created within a private view, and this association cannot be changed later: once a private zone is attached to a private view, it cannot be moved to another private view.
      • Select Existing Private DNS View: To select an existing private view in the current compartment, select a private view from the drop-down menu. You can click Change Compartment to change the compartment where the private view exists.
      • Create New Private DNS View: Enter a name for the private view. Avoid entering confidential information. This resource is created in the compartment selected previously.
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  5. Click Create.

    The system creates and publishes the zone, complete with the necessary SOA and NS records. The details for the zone appear. You can view the private view associated with this zone by clicking the Private View name in the Zone Information section. For information on adding a record to your zone, see To add a zone record.

To create a private view
Note

Private views can only be viewed in the region in which they are created.
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click Create Private View.
  3. In the Create Private View dialog box, enter the following:
    • Name: Enter the name of the private view you want to create. Avoid entering confidential information.
    • Create in Compartment: Select the compartment where you want to create the private view.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  4. Click Create.
To create a private view with a new private zone
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click Create Private View.
  3. In the Create Private View dialog box, enter the following information:
    • Name: Enter the name of the private view you want to create. Avoid entering confidential information.
    • Create in Compartment: Select the compartment where you want to create the private view.
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  4. Click Create.

    The details for the private view appear.

  5. Click Create Zone.
  6. In the Create Private Zone dialog box, enter the following:
    • Zone Name: Enter the name of the zone you want to create. Avoid entering confidential information. A domain name identifies a particular space within a zone for the purposes of naming systems and/or associating DNS records.
    • Create in Compartment: Select the compartment where you want to create the zone.
    • Zone Type: This field is read-only. The zone contents will be controlled directly within Oracle Cloud Infrastructure.
    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  7. Click Create.

    The new zone appears in the zone list associated with the private view you created.

To add a zone record
Tip

There are many record types you can add to your zone, depending on your goals for the zone and its DNS management.
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Zone Name in which you want to add a record. If you are adding a record to a private zone, click the Private Zones tab and then click the zone name. Zone details and a list of records appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  3. Click Add Record.
  4. In the Add Record dialog box, select a record type from the drop-down list, and then enter the information for the record. Avoid entering confidential information. For more information about record types, see Supported Resource Records.
  5. (Optional) Select the Add Another Record check box to add multiple records in succession.
  6. Click Submit.
    Note

    When records are added, they are staged to allow for multiple records to be combined into a set. Before records take effect, they must be published.
  7. Once your records have been added, click Publish Changes.
  8. In the confirmation dialog box, click Publish Changes.
To update a zone record
Note

Protected Records

You can change various components of the records within your zones, such as time-to-live (TTL) and relevant RDATA. However, some records contain information that cannot be changed. You can attempt changes to such records through the Actions menu, but the system might not permit updates to some fields.

  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Zone Name in which you want to update a record. If you are updating a record in a private zone, click the Private Zones tab and then click the zone name. Zone details and a list of records appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  3. To help find a record, you can use the following filter options:

    • Enter the name of the record's domain in the Search field.
    • To find unpublished records, select the Staged check box.
    • To find published records, select the Unstaged check box.
    • Use the Is Protected sort filter to sort by records that are protected.
    • Use the Record Type sort filter to sort records.
  4. Select the check box for the record you want to update, and select Edit from the Actions drop-down menu.
  5. In the Edit Record dialog box, make the needed changes, and then click Submit.
    Note

    When records are added, they are staged to allow for multiple records to be combined into a set. Before records take effect, they must be published.
  6. Click Publish Changes.
  7. In the confirmation dialog box, click Publish Changes.

Reverting Changes Before Publishing

You can revert records to their current published state before you publish changes. Once a record has been published, it cannot be reverted. Select the check box for the record you want to revert, and then select Revert from the Actions drop-down menu.

To delete a zone record
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Zone Name in which you want to delete a record. If you are deleting a record in a private zone, click the Private Zones tab and then click the zone name. Zone details and a list of records appear.

    Tip

    To locate zones in the Private Zones tab, you can use filters to sort by zones that are protected (system generated) or by associated private view names.
  3. Select the check box for the record you want to delete, and then select Delete from the Actions drop-down menu.
  4. Click Publish Changes.
  5. In the confirmation dialog box, click Publish Changes.
To edit a private view
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click the name of the private view you want to update.
    Tip

    You can use the Protected filter to sort private views by views that are protected (system generated).
  3. Click Edit.
  4. In the Edit Private DNS View dialog box, make the needed changes and then click Save Changes.
To edit a private zone
Note

Private zones can only be viewed in the region in which they are created.
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Private Zones tab.
  3. Click the name of the zone you want to update.
    Tip

    You can use filters to sort private zones by zones that are protected (system generated) or by associated private view names.
  4. Click Edit.
  5. In the Edit Zone dialog box, make the needed changes and then click Save Changes.
To delete a private zone
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Private Zones tab.
  3. Click the Actions icon (three dots) for the zone you want to delete, and then click Delete.
  4. In the Delete Private Zone dialog box, click Delete.
    Caution

    Deletion removes associated resources.
To delete a private view
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click the name of the private view that you want to delete.
  3. Click Delete.
  4. In the Delete DNS Private View dialog box, click Delete.
    Caution

    Deletion removes any associated private zones.
To delete a private zone from a private view
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click the private view that contains the zone you want to delete.
  3. Click the Actions icon (three dots) for the zone you want to delete, and then click Delete.
  4. In the Delete Private Zone dialog box, click Delete.
To move a private zone to another compartment
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Zones.
  2. Click the Private Zones tab.
  3. Click the name of the zone you want to move.
  4. Find the zone in the list, click the Actions icon (three dots), and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.
To move a private view to another compartment
  1. Open the navigation menu. Under Core Infrastructure, go to Networking, DNS Management, and click Private Views.
  2. Click the name of the view you want to move.
  3. Click Move Resource.
  4. Choose the destination compartment from the list.
  5. Click Move Resource.

Using the API