A CloudStack account can be associated with a network domain.
Instances created within this account will have their DNS suffix automatically set to the configured network domain. CloudStack admins can create new domains from the ‘Domains > Add New Domain’ tab. DNS domains which are associated with isolated networks are not queryable from the Internet directly, because the virtual router that provides the DNS service is not known to the end users.
Instead, we can expose the DNS services provided by the virtual router to the Internet for a specific domain by creating a dedicated VM instance which acts as a forwarding DNS server.
In this example, we create a new CloudStack domain called “demo.local” and allow external DNS lookups.
- As the CloudStack admin, create a new domain “Demo” with the network domain set to “demo.local”. If you are a CloudStack end user, you might want to get in touch with your admins to have a new domain created for you.
- Create an account with which you can log in to the domain “Demo” and create new instances.
- Log in to the domain “Demo” and create a new instance named “ns1” in the isolated network called “demo-lan”. “ns1” will be our Internet-facing external DNS server.
- Once “ns1” is running, acquire a Static NAT IP and associate it with “ns1”.
- Add egress and ingress rules for the newly acquired SNAT IP. Specifically, allow TCP and UDP port 53 for domain services.
- Install and configure a DNS service such as BIND or dnsmasq to forward queries for “demo.local” to the internal DNS server. The internal DNS server is the one listed in /etc/resolv.conf on instance “ns1”. Also be sure to modify the firewall rules on ns1 itself to allow DNS queries.
- “ns1” is now ready to handle DNS requests from the Internet for the domain “demo.local”.
- Finally, create a new instance named “demo1” for testing DNS lookups.
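As an added example (not part of the original post), the script below generates the dnsmasq forwarder configuration for the step above: it reads the virtual router's resolver addresses from the resolv.conf on “ns1” and forwards only the network domain to them, with no default upstream, so the SNAT IP does not become an open resolver for arbitrary names. The file paths and the sample resolv.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Build a dnsmasq forwarder config for a CloudStack network domain.
# Assumptions (constructed for this example): the resolv.conf written by the
# CloudStack virtual router contains "search <network domain>" and one or
# more "nameserver <VR address>" lines.

# Print the nameserver IPs from a resolv.conf-style file, one per line.
upstreams_from_resolv() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the network domain from the first "search" or "domain" line.
domain_from_resolv() {
  awk '($1 == "search" || $1 == "domain") { print $2; exit }' "$1"
}

# Emit dnsmasq options: forward $1 only to the resolvers listed in $2.
# With no-resolv and no default server= line, dnsmasq has no upstream for
# any other name, so the exposed port 53 answers just this domain.
gen_forward_conf() {
  domain="$1"
  resolv="$2"
  echo "# dnsmasq forwarder for ${domain} (generated)"
  echo "no-resolv"        # do not import default upstreams from /etc/resolv.conf
  echo "no-hosts"         # do not leak ns1's own /etc/hosts entries
  echo "domain-needed"    # never forward bare hostnames without a dot
  echo "bogus-priv"       # do not forward reverse lookups for private ranges
  echo "bind-interfaces"
  echo "cache-size=1000"
  upstreams_from_resolv "$resolv" | while read -r ns; do
    echo "server=/${domain}/${ns}"   # only ${domain} is sent to the virtual router
  done
}

# Demonstration on a constructed resolv.conf (the VR addresses are made up).
sample_resolv="$(mktemp)"
printf 'search demo.local\nnameserver 10.1.1.1\nnameserver 10.1.1.2\n' > "$sample_resolv"
gen_forward_conf "$(domain_from_resolv "$sample_resolv")" "$sample_resolv"
rm -f "$sample_resolv"
```

On a real “ns1” you would pass /etc/resolv.conf and write the output to a file under /etc/dnsmasq.d/ before restarting dnsmasq.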
In my setup, “ns1.demo.local” has the SNAT IP 192.168.64.107. Lookups are made to 192.168.64.107 from an outside network.
Let's look up “ns1.demo.local” first.

buffy:~ shanu$ host ns1.demo.local 192.168.64.107
Using domain server:
Name: 192.168.64.107
Address: 192.168.64.107#53
Aliases:

ns1.demo.local has address 10.1.1.8
Next, let's look up “demo1.demo.local”.

buffy:~ shanu$ host demo1.demo.local 192.168.64.107
Using domain server:
Name: 192.168.64.107
Address: 192.168.64.107#53
Aliases:

demo1.demo.local has address 10.1.1.240
This completes our forwarding DNS setup. From here, you can add the SNAT IP as an NS record in your primary DNS servers. Of course, in the real world, you would use a valid subdomain instead of “demo.local”.
I have forwards configured in my LAN's OpenWRT settings to send queries for demo.local to the SNAT IP of ns1.demo.local, so that I can look up FQDNs without any hints.

buffy:~ shanu$ host ns1.demo.local
ns1.demo.local has address 10.1.1.8
buffy:~ shanu$ host demo1.demo.local
demo1.demo.local has address 10.1.1.240
This DNS forwarding setup would be most useful for shared networks with public IPs.