
I'm trying to set up a local DNS forwarder for the VPC network to use an LDAP controller which is running a DNS server. I have a few GCP projects which should be able to communicate with each other over an already built VPN tunnel using DNS names. I've activated Cloud DNS on GCP, created a DNS server policy in order to forward requests to the internal DNS servers, and assigned this policy to my custom network setup, but GCE VMs are still unable to resolve hosts. But if I edit the /etc/resolv.conf file on the VM and put a nameserver option before the GCP metadata server (169.254.169.254), everything works fine. Such a solution isn't preferable, as in case of a huge amount of VMs I'll need to deploy those changes for each VM separately. I've also tried to deploy forwarding rules for internal domains; the result is the same. According to the GCP DNS "how to", you can use the following command in order to check the DNS resolver settings for the whole network:

gcloud compute addresses list \
    --filter="purpose=DNS_RESOLVER" \
    --format='csv[no-heading](address, subnetwork)'

....
192.168.14.4,cloud-vpn-14
....

This IP was reserved by "dns-forwarder-...." and I'm able to make a request using dig test.1.com, but it doesn't forward the query to the DNS server which was used by the DNS forwarding policy.

So my question is how to avoid the manual override of the /etc/resolv.conf file? Or how to make DNS forwarding work correctly?

  • Changing the VM /etc/resolv.conf will not be a solution as the Linux Guest Environment will reset the content about once a day[1]. You can also check these links for more info on the subject: [1] https://cloud.google.com/compute/docs/internal-dns#resolv [2] https://cloud.google.com/dns/docs/overview#dns-server-policy-out [3] https://cloud.google.com/dns/zones/#using-dns-server-policies – Md Zubayer Jan 24 '19 at 21:16
  • yeah, but if you change the DNS server configuration in the DHCP client conf file in order to use static DNS servers, it should solve this issue – Oleksandr Meleshchuk May 02 '19 at 18:51

1 Answer


I set it up, but without specifying the internal IP DNS servers.

I experimented and managed to find out the following: for --forwarding-targets to work successfully, it is possible to add only the IPs of external DNS servers, not internal ones. Therefore, in order for this rule to work, you need to make a NAT redirect of UDP port 53 from the external IP of your corporate network to the internal IP of your DNS server, and allow this redirect for the IP range 35.199.192.0/19, which Google uses for proxying DNS queries (documentation https://cloud.google.com/dns/zones/#creating-forwarding-zones). During my experiment it also became clear that it was necessary to add the 172.217.0.0/16 range too.

After these conditions are met, everything starts working successfully.

Example:

gcloud beta dns managed-zones create example-forwarding-zone \
    --dns-name="cluster.example.com" \
    --description="A zone" \
    --networks="default,my-network" \
    --visibility=private \
    --forwarding-targets="ext_ip_of_your_corporate_network"

After this, resolving the host test.cluster.example.com begins to work.

  • :) hm...yeah, I think you've done nice work on this, but as for me it's insecure to open the DNS service outside of your local environment. Anyway, I've already set this up. – Oleksandr Meleshchuk Apr 10 '19 at 18:18