
Our setup:

We have a master project A, and two other projects, B and C. In project A, we have a shared VPC with networks A, B, and C (related to which project they're meant to serve). The VPC for B is shared from project A to project B, and the VPC for C is shared from project A to project C. The networks are peered with each other.

Within project A, we have a private Cloud DNS zone which forwards to two DNS servers. One of these servers is in project A and network A, and one of them is in project B on network B. We have selected all networks (A, B, and C) to be included in this DNS zone.

Our problem:

Cloud DNS appears not to be sharing properly across these networks. With experimentation, we have found that instances will be able to resolve records that are on a DNS server on the same network, but not on another network. I.e.:

An instance on network A will be able to resolve a domain from the network A DNS server, but not from a network B DNS server, and vice versa. However, if you explicitly define the DNS server, it works as expected.

For example, let 10.0.0.1 have an A record for foo.com, and 10.0.1.1 have an A record for bar.com. They are hosted on network A and network B respectively:

On an instance from network A:

  • Running nslookup foo.com will resolve.
  • Running nslookup bar.com will return SERVFAIL.
  • Running nslookup bar.com 10.0.1.1 will resolve.

Similarly, using an instance on network B:

  • Running nslookup bar.com will resolve.
  • Running nslookup foo.com will return SERVFAIL.
  • Running nslookup foo.com 10.0.0.1 will resolve.

And network C:

  • Running nslookup foo.com will return SERVFAIL.
  • Running nslookup bar.com will return SERVFAIL.
  • Running nslookup foo.com 10.0.0.1 will resolve.
  • Running nslookup bar.com 10.0.1.1 will resolve.

I'm unsure why this behaviour is as it is.

What has been tried/confirmed:

  • We have ensured all networks can communicate on TCP/UDP port 53, and that both nameservers can be seen from all networks
  • We have tried adding policies (which gave a similar result, only failures returned NXDOMAIN rather than SERVFAIL)
  • We have looked into DNS peering, which is not applicable here

Any help here would be appreciated. I'm aware that private zones in Cloud DNS are still a Beta feature, but this setup should currently be possible according to the documentation.
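
The resolution matrix described in the question, as an added example that is not part of the original post: a script that queries each name both through the VPC's default resolver and directly at the name server, reports the DNS rcode of each answer, and classifies the "explicit works, default fails" symptom. It also carries the gcloud command that creates the private forwarding zone attached to all three networks, as a function that is not executed by default. The address 169.254.169.254 is the resolver a GCE instance uses for bare nslookup calls; the project and network names (project-a, net-a, net-b, net-c) and the zone name are hypothetical, the server addresses are the ones from the question, and the gcloud flags shown are the ones I use for forwarding zones, not something the post confirms.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Run on one instance in
# each network with DNS_PROBE_RUN=1 DNS_PROBE_NETWORK=net-a ./probe.sh and
# compare the rows across networks.
set -u

# Hypothetical names; only the two server addresses come from the question.
HOST_PROJECT="project-a"
ZONE_NAME="example-forwarding"
NETWORKS="net-a,net-b,net-c"
FORWARD_TARGETS="10.0.0.1,10.0.1.1"
VPC_RESOLVER="169.254.169.254"   # default resolver inside a GCE instance

# Create the private forwarding zone in the host project and attach it to all
# three networks. Not called by default; takes the zone's DNS name as $1.
create_forwarding_zone() {
  gcloud dns managed-zones create "$ZONE_NAME" \
    --project="$HOST_PROJECT" \
    --dns-name="$1" \
    --description="Forward to on-network name servers" \
    --visibility=private \
    --networks="$NETWORKS" \
    --forwarding-targets="$FORWARD_TARGETS"
}

# Extract the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output.
# dig prints ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242";
# a server that never answers prints "connection timed out" instead.
rcode_of() {
  local rc
  rc=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  if [ -z "$rc" ]; then
    if printf '%s\n' "$1" | grep -q 'timed out'; then rc="TIMEOUT"; else rc="UNKNOWN"; fi
  fi
  printf '%s\n' "$rc"
}

# Query NAME at SERVER and return the rcode (one short attempt, no retries).
probe() {
  local name="$1" server="$2" out
  out=$(dig +time=3 +tries=1 "@${server}" "$name" A 2>&1 || true)
  rcode_of "$out"
}

# Classify one row. The question's symptom is the "forwarding-not-applied"
# case: the authoritative server answers when asked directly, but the same
# query through the VPC resolver fails (SERVFAIL, or NXDOMAIN with a policy).
classify() {
  local via_default="$1" via_explicit="$2"
  if [ "$via_explicit" != "NOERROR" ]; then
    printf 'server-unreachable-or-no-record\n'
  elif [ "$via_default" = "NOERROR" ]; then
    printf 'ok\n'
  else
    printf 'forwarding-not-applied\n'
  fi
}

# Print the matrix for this instance: each name via the default resolver and
# via its own name server, plus the classification of the pair.
run_matrix() {
  local net="${1:-unknown}" pair name auth d e
  printf '%-8s %-10s %-10s %-10s %s\n' network name default explicit verdict
  for pair in "foo.com:10.0.0.1" "bar.com:10.0.1.1"; do
    name="${pair%%:*}"; auth="${pair##*:}"
    d=$(probe "$name" "$VPC_RESOLVER")
    e=$(probe "$name" "$auth")
    printf '%-8s %-10s %-10s %-10s %s\n' "$net" "$name" "$d" "$e" "$(classify "$d" "$e")"
  done
}

if [ "${DNS_PROBE_RUN:-0}" = "1" ]; then
  run_matrix "${DNS_PROBE_NETWORK:-unknown}"
fi
```

The verdict column is what to compare across networks: on the instance in network A the question's observations would give foo.com "ok" and bar.com "forwarding-not-applied", and on network C both names "forwarding-not-applied". A "server-unreachable-or-no-record" row means the problem is reachability or the record itself, not the forwarding zone, which is the port-53 check the question already did.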

2 Answers


From your description, it looks like the networks A, B and C are peered with each other. The documentation about Peering zones says that, "when two networks are peered, they do not automatically share DNS information". This could explain why the DNSs can only resolve names to instances within the same VPC when using Cloud DNS forwarding; on the other hand, the DNSs have to be asked directly to resolve when they are set in peered VPCs.

I can see there isn't documentation to use Peering Zones with Forwarding DNS at the same time, so you may want to try by adding both domains foo.com and bar.com in both DNS servers.

Alfredo GH

From the same page, it also explains that there is DNS Peering beta available, whereby a Consumer Network can forward DNS requests to a Producer Network.

If I understand it correctly, that would mean having the DNS setup on the producer network A, and let the networks B and C forward their respective queries to A.

But what if B and C have different private zones (which should not be so far from real)? Would that mean having both set up on A, so that records for the respective VPCs are uniquely managed from within project A?

I would like to try it as well, moreover because on top of this I have a VPN with on-prem (let's call it D) and the next step would be to setup a conditional forwarder to the on-prem DNS.

Not sure if B and C would be able to resolve D queries through A project.

Lorenz_DR