Forward DNS Queries To CloudStack Internal Isolated Network

A CloudStack account can be associated with a network domain.

Instances created within this account will have their DNS suffix automatically set to the configured network domain. CloudStack admins can create new domains from the ‘Domains > Add New Domain’ tab. DNS domains associated with isolated networks are not queryable from the Internet directly, because the virtual router that provides the DNS service is not known to end users outside the network.

cs-domain-add-tab

Instead, we can expose the DNS service provided by the virtual router to the Internet for a specific domain by creating a dedicated VM instance that acts as a forwarding DNS server.

In this example, we create a new CloudStack domain called “demo.local” and allow external DNS lookups.

  1. As the CloudStack admin, create a new domain “Demo” with the network domain set to “demo.local”. If you are a CloudStack end user, ask your admins to create a new domain for you.

    cs-domain-demo-local

    cs-domain-demo-local-status

  2. Create an account with which you can log in to the domain “Demo” and create new instances.

    cs-domain-add-account

  3. Log in to the domain “Demo” and create a new instance named “ns1” in an isolated network called “demo-lan”. “ns1” will be our Internet-facing external DNS server.

    cs-login-demo

    cs-add-network-demo-lan

    cs-create-new-instancs-ns1

  4. Once “ns1” is running, acquire a Static NAT IP and associate it with “ns1”.

    cs-acquire-snap-ip

    cs-static-nat-associate-ns1

  5. Add egress and ingress rules for the newly acquired SNAT IP. Specifically, allow TCP and UDP port 53 for domain services.

    cs-snat-ingress

  6. Install and configure a DNS service such as BIND or dnsmasq to forward queries for “demo.local” to the internal DNS server. The internal DNS server is the nameserver entry in /etc/resolv.conf on instance “ns1”. Also modify the firewall on ns1 itself to allow incoming DNS queries.
  7. “ns1” is now ready to handle DNS requests from the Internet for the domain “demo.local”.
  8. Finally, create a new instance named “demo1” for testing DNS lookups.

    cs-new-instance-demo1
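The following script is an added example for step 6 and is not code from the original post. It picks dnsmasq as the DNS service, reads the virtual router's address out of /etc/resolv.conf on ns1, writes a forwarder config that answers only for demo.local (so the Internet-facing instance does not become an open recursive resolver), and prints the iptables rules that open port 53. The resolv.conf sample with the address 10.1.1.1 is constructed; the real value is whatever CloudStack provisioned on ns1.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the dnsmasq
# forwarder config and firewall rules for the "ns1" instance of step 6.
# Assumptions: dnsmasq is the chosen DNS service; the virtual router
# address 10.1.1.1 in the sample below is constructed, the real value is
# whatever CloudStack wrote into /etc/resolv.conf on ns1.

# Constructed sample of /etc/resolv.conf as CloudStack provisions it.
SAMPLE_RESOLV_CONF='search demo.local
nameserver 10.1.1.1'

# Print the first nameserver listed in resolv.conf text given as $1.
# Usage on ns1 itself: resolv_nameserver "$(cat /etc/resolv.conf)"
resolv_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Emit a dnsmasq config that forwards queries for domain $1 to the
# internal DNS server $2 and refuses everything else, so the Internet
# facing ns1 does not turn into an open recursive resolver.
dnsmasq_forward_conf() {
    domain=$1
    upstream=$2
    cat <<EOF
# Forward the CloudStack network domain to the virtual router.
server=/${domain}/${upstream}
# Do not pick up upstreams from /etc/resolv.conf; with no other server=
# lines dnsmasq answers REFUSED for names outside ${domain}.
no-resolv
# Never forward plain host names without a domain part.
domain-needed
EOF
}

# Print the iptables commands that open TCP and UDP 53 on ns1 (the guest
# firewall change step 6 asks for). Printed rather than executed so the
# rules can be reviewed first; pipe the output into sh as root to apply.
firewall_rules() {
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 53 -j ACCEPT"
    done
}

# Write the config and show the firewall rules; run as root on ns1 with
# the single argument "apply".
main() {
    upstream=$(resolv_nameserver "$(cat /etc/resolv.conf)")
    dnsmasq_forward_conf demo.local "$upstream" > /etc/dnsmasq.d/demo-local.conf
    firewall_rules
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

After writing the file, restart dnsmasq and confirm from ns1 that `host demo1.demo.local 127.0.0.1` returns the guest address while a lookup for an unrelated name is refused; that second check is what distinguishes a scoped forwarder from an open resolver.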

Testing

In my setup, “ns1.demo.local” has the SNAT IP 192.168.64.107. Lookups are made to 192.168.64.107 from an outside network.

Let's look up “ns1.demo.local” first.

buffy:~ shanu$ host ns1.demo.local 192.168.64.107
Using domain server:
Name: 192.168.64.107
Address: 192.168.64.107#53
Aliases:

ns1.demo.local has address 10.1.1.8

Next, let's look up “demo1.demo.local”.

buffy:~ shanu$ host demo1.demo.local 192.168.64.107
Using domain server:
Name: 192.168.64.107
Address: 192.168.64.107#53
Aliases:

demo1.demo.local has address 10.1.1.240

This completes our forwarding DNS setup. From here, you can add the SNAT IP as an NS record into your primary DNS servers. Of course, in the real world, you would use a valid subdomain instead of “demo.local”.
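As an added example (not part of the original post), the function below prints the records the parent zone needs in order to delegate the CloudStack network domain to ns1: the NS record naming the server and, only when that server's name sits inside the delegated zone, the glue A record carrying the SNAT IP. The parent zone "example.com" and child label "demo" are assumed stand-ins for the valid subdomain the post recommends; the address 192.168.64.107 is the SNAT IP from the test setup above.

```shell
#!/bin/sh
# Added example, not from the original post: print the records that
# delegate the CloudStack network domain to ns1 from its parent zone.
# Assumed names: parent zone "example.com" and child label "demo" stand
# in for the real subdomain; 192.168.64.107 is the SNAT IP from the
# post's test setup and stands in for a public address.

# Arguments: child label, parent zone, name server FQDN, its public IP.
# Emits the NS record and, only when the name server lives inside the
# delegated zone (in-bailiwick), the glue A record the parent must carry
# so resolvers can reach it without a circular lookup.
delegation_records() {
    child=$1; parent=$2; ns=$3; ip=$4
    zone="${child}.${parent}"
    printf '%s. IN NS %s.\n' "$zone" "$ns"
    case "$ns" in
        *".${zone}") printf '%s. IN A %s\n' "$ns" "$ip" ;;
    esac
}

# Example call: ns1 is in-bailiwick, so both the NS and the glue appear.
delegation_records demo example.com ns1.demo.example.com 192.168.64.107
```

If the forwarder were instead named under a different zone (say ns1.other.net), only the NS line is printed, because the glue belongs in that other zone, not in the parent of the delegated domain.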

I have forwards configured in my LAN’s OpenWRT settings to forward queries for demo.local to the SNAT IP of ns1.demo.local so that I can look up FQDNs without any hints.

openwrt-dns-forward

buffy:~ shanu$ host ns1.demo.local
ns1.demo.local has address 10.1.1.8
buffy:~ shanu$ host demo1.demo.local
demo1.demo.local has address 10.1.1.240

This DNS forwarding setup would be most useful for shared networks with public IPs.

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.
