
2 years back Google introduced private DNS, which is very important for internal domain communication.

I set up a private DNS zone to learn about DNS using the documentation guides below: https://cloud.google.com/sdk/gcloud/reference/dns/managed-zones/create https://www.jhanley.com/google-cloud-private-dns-zones/

Below are the steps I followed to create an example zone.

Created a private zone "private-zone":

gcloud dns managed-zones create --dns-name="example.com" --description="Private Zone" --visibility=private --networks=default "private-zone"

Then I created a VM in Google Cloud and ran nslookup for the domain name, but it did not resolve:

testdns:~$ nslookup example.com
Server:         169.254.169.254
Address:        169.254.169.254#53
Non-authoritative answer:
*** Can't find example.com: No answer

I'm using Debian on the VM instance I created:

Linux testdns 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

These are the A records, other than the NS and SOA records, in the zone:

test.example.com.   A   300  192.0.0.9
www.example.com.    A   300  192.0.0.91
example.com.        A   3600 192.0.1.1

The examples below were tested.

nslookup when the "example.com" A record had not been added:

mymach@testdns:~$ nslookup example.com ns-gcp-private.googledomains.com
Server:         ns-gcp-private.googledomains.com
Address:        169.254.169.254#53
Non-authoritative answer:
*** Can't find example.com: No answer

# dig example.com using the nameserver; the 'A' record had been added:

testdns:~$ dig example.com @ns-gcp-private.googledomains.com
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> example.com @ns-gcp-private.googledomains.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.                   IN      A
;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.1.1
;; Query time: 12 msec
;; SERVER: 169.254.169.254#53(169.254.169.254)
;; WHEN: Tue Dec 08 23:03:58 UTC 2020
;; MSG SIZE  rcvd: 56

nslookup again after adding example.com:

testdns:~$ nslookup example.com ns-gcp-private.googledomains.com
Server:         ns-gcp-private.googledomains.com
Address:        169.254.169.254#53
Non-authoritative answer:
Name:   example.com
Address: 192.0.1.1

dig:

testdns:~$ dig example.com 
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24673
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.                   IN      A
;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.1.1
;; Query time: 11 msec
;; SERVER: 169.254.169.254#53(169.254.169.254)
;; WHEN: Tue Dec 08 23:06:30 UTC 2020
;; MSG SIZE  rcvd: 56

dig using localhost:

dig example.com @127.0.0.1
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> example.com @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

Am I missing some step?

Learner
  • Did you modify `/etc/resolv.conf` or make any other DNS or DHCP changes to the instance that you are running this command on? What do you expect `example.com` to resolve to? Unless you have created DNS Resource Records, example.com does not have anything to return. – John Hanley Dec 08 '20 at 21:32
  • @JohnHanley: Thanks for responding. I did not modify the resolv.conf file. I do expect this to give me the IP I set as part of the private domain setup in the A record. – Learner Dec 08 '20 at 21:57
  • Edit your question with details on the A records. Also are you actually using example.com or is this just a placeholder? Which OS and version? Post the output of this command `nslookup example.com 127.0.0.1` – John Hanley Dec 08 '20 at 22:00
  • Go to the Google Cloud Console -> Network services -> Zone details. Lookup the value for the NS resource record. Replace NS_VALUE with that value in this command: `nslookup example.com NS_VALUE`. Post that output in your question. – John Hanley Dec 08 '20 at 22:08
  • Post the output from this command `dig example.com` and `dig example.com 127.0.0.1` and `dig example.com NS_VALUE` – John Hanley Dec 08 '20 at 22:11
  • Note: Edit your question with my request. Do not post them as comments. – John Hanley Dec 08 '20 at 22:13
  • @JohnHanley: I think, since I had added "www" in front of example.com, it is being treated as a subdomain rather than just as a normal output. – Learner Dec 08 '20 at 22:43
  • If your domain does not resolve when you specify the domain's name server, then your private zone is not configured correctly. You leave out details and expect us to guess? – John Hanley Dec 08 '20 at 22:51
  • @JohnHanley, sorry if it felt like that; I probably could not guess which details would be required. I think I have now updated all the steps and information I used in setting this up. – Learner Dec 08 '20 at 22:58
  • I have asked you for details in several comments. Where are those details? – John Hanley Dec 08 '20 at 22:59
  • If I understand your new edits, you did not have a resource record for the naked domain (example.com). Once you added one, name resolution works. Reread my first comment. – John Hanley Dec 08 '20 at 23:26
  • Yeah, I see that. Thank you. I was under the impression that www.example.com should resolve the same as example.com, as we type it in browsers. But I'm just wondering if everyone adds an additional "A" record for their site to resolve both with "www" and without it, or whether I missed something in setting up. – Learner Dec 08 '20 at 23:30
  • That is not how things work with DNS or with web browsers. When you type `example.com` in a web browser and the browser then displays `www.example.com`, that is because of an HTTP redirect by the web server, load balancer, etc. If you resolve `example.com` it will only resolve `example.com`. I am ignoring wildcards. – John Hanley Dec 08 '20 at 23:48
  • Got it, thanks very much. You seem to be an expert in DNS and Google Cloud (Y) – Learner Dec 08 '20 at 23:50


After you created your zone with:

gcloud dns managed-zones create --dns-name="example.com" --description="Private Zone" --visibility=private --networks=default "private-zone"

You must create DNS records in it, for example:

gcloud dns record-sets transaction start --zone="private-zone"
gcloud dns record-sets transaction add 10.2.3.4 --name="example.com" --ttl="3600" --type="A" --zone="private-zone"
gcloud dns record-sets transaction execute --zone="private-zone"

Give GCP 1 minute to catch up, and then try again with the default "/etc/resolv.conf" file.

Frank
  • Thanks @Frank, yeah, I had added the A record in the UI. But I'm just wondering how it would get resolved for various queries like "www.example.com" or "http://www.example.com" or any other such query which is not exactly "example.com". – Learner Dec 08 '20 at 22:45
  • You would need to add those records manually. Based on my experience with "www" subdomains, those are added as a "CNAME" instead of an "A" type, pointing to the root record "example.com"; that way, when a change happens to "example.com", the "www.example.com" record would follow automatically. You can also manually maintain both "www" and root domains separately. – Frank Dec 09 '20 at 00:13
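The following is an added example, not code from the question, the answer, or Google Cloud DNS. It is a toy authoritative lookup over a zone's record set that shows the two situations discussed in the thread: a zone that holds only www.example.com and test.example.com answers a query for the apex example.com with NOERROR and an empty answer section (the "No answer" that nslookup printed, as opposed to NXDOMAIN for a name the zone does not know), and a www CNAME pointing at the apex, as Frank's comment suggests, follows later changes to the apex A record. The record values are taken from the question and the answer; the NS/SOA TTLs and the SOA rdata are constructed placeholders, and the class and function names (`Zone`, `Record`, `addresses`, `question_zone`, `cname_zone`) are this example's own.

```python
"""Toy authoritative lookup over a private zone's record set (added example).

Models why `nslookup example.com` printed "No answer" while the zone held only
www.example.com and test.example.com, and why a www CNAME to the apex follows
later changes to the apex A record.  Zone data is constructed from the values
in the question and answer; SOA rdata and NS/SOA TTLs are placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A", "CNAME", "NS", "SOA"
    ttl: int
    rdata: str


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


@dataclass
class Zone:
    origin: str
    records: List[Record] = field(default_factory=list)

    def add(self, name: str, rtype: str, ttl: int, rdata: str) -> None:
        self.records.append(Record(fqdn(name), rtype.upper(), ttl, rdata))

    def remove(self, name: str, rtype: str) -> None:
        self.records = [r for r in self.records
                        if not (r.name == fqdn(name) and r.rtype == rtype.upper())]

    def lookup(self, qname: str, qtype: str = "A",
               _depth: int = 0) -> Tuple[str, List[Record]]:
        """Return (rcode, answer records).

        "NXDOMAIN": no record of any type exists at qname.
        "NOERROR" with an empty list: the name exists (the apex always carries
        SOA and NS) but has no record of the requested type.  This NODATA case
        is what nslookup reports as "No answer".
        """
        qname, qtype = fqdn(qname), qtype.upper()
        at_name = [r for r in self.records if r.name == qname]
        if not at_name:
            return "NXDOMAIN", []
        exact = [r for r in at_name if r.rtype == qtype]
        if exact or qtype == "CNAME":
            return "NOERROR", exact
        alias = [r for r in at_name if r.rtype == "CNAME"]
        if not alias:
            return "NOERROR", []
        # Follow the alias while its target is in this zone (depth-limited so a
        # CNAME loop cannot recurse forever); otherwise return just the CNAME
        # and leave the rest of the chase to the recursive resolver.
        target = fqdn(alias[0].rdata)
        if _depth >= 8 or not any(r.name == target for r in self.records):
            return "NOERROR", alias
        rcode, chain = self.lookup(target, qtype, _depth + 1)
        return rcode, alias + chain


def addresses(zone: Zone, qname: str) -> List[str]:
    """A record data reached for qname after following in-zone CNAMEs."""
    _, answer = zone.lookup(qname, "A")
    return [r.rdata for r in answer if r.rtype == "A"]


def question_zone() -> Zone:
    """The zone as it stood when the question was asked: no apex A record."""
    z = Zone("example.com.")
    z.add("example.com", "NS", 21600, "ns-gcp-private.googledomains.com.")
    z.add("example.com", "SOA", 21600, "<constructed SOA placeholder>")
    z.add("test.example.com", "A", 300, "192.0.0.9")
    z.add("www.example.com", "A", 300, "192.0.0.91")
    return z


def cname_zone() -> Zone:
    """The layout from Frank's comment: www as a CNAME to the apex."""
    z = Zone("example.com.")
    z.add("example.com", "NS", 21600, "ns-gcp-private.googledomains.com.")
    z.add("example.com", "SOA", 21600, "<constructed SOA placeholder>")
    z.add("example.com", "A", 3600, "10.2.3.4")
    z.add("www.example.com", "CNAME", 3600, "example.com.")
    return z


if __name__ == "__main__":
    z = question_zone()
    print("before apex A:", z.lookup("example.com"))          # ('NOERROR', [])
    print("unknown name: ", z.lookup("missing.example.com"))  # ('NXDOMAIN', [])
    z.add("example.com", "A", 3600, "192.0.1.1")
    print("after apex A: ", addresses(z, "example.com"))      # ['192.0.1.1']
    c = cname_zone()
    print("www via CNAME:", addresses(c, "www.example.com"))  # ['10.2.3.4']
    c.remove("example.com", "A")
    c.add("example.com", "A", 3600, "10.2.3.5")
    print("after change: ", addresses(c, "www.example.com"))  # ['10.2.3.5']
```

Run it directly to see the before/after of adding the apex record. The NOERROR-with-no-answer outcome is the one to recognise when debugging a private zone: it means the query reached the zone and the name exists, so the missing piece is a record of the queried type at that exact name, not the zone's visibility or the VM's resolver configuration.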