Forward DNS Queries To CloudStack Internal Isolated Network

A CloudStack account can be associated with a network domain.

Instances created within this account will have their DNS suffix automatically set to the configured network domain. CloudStack admins can create new domains from the ‘Domains > Add New Domain’ tab. DNS domains associated with isolated networks cannot be queried from the Internet directly, because the virtual router that provides the DNS service is not known to end users.

Instead, we can expose the DNS service provided by the virtual router to the Internet for a specific domain by creating a dedicated VM instance that acts as a forwarding DNS server.

In this example, we create a new CloudStack domain called “demo.local” and allow external DNS lookups.

  1. As the CloudStack admin, create a new domain “Demo” with the network domain set to “demo.local”. If you are a CloudStack end user, ask your admins to create the domain for you.
  2. Create an account with which you can log in to the domain “Demo” and create new instances.
  3. Log in to the domain “Demo” and create a new instance named “ns1” in the isolated network called “demo-lan”. “ns1” will be our Internet-facing external DNS server.
  4. Once “ns1” is running, acquire a Static NAT IP and associate it with “ns1”.
  5. Add Egress and Ingress rules for the newly acquired SNAT IP. Specifically, allow TCP and UDP port 53 for domain services.
  6. Install and configure a DNS service such as BIND or Dnsmasq to forward queries for “demo.local” to the internal DNS server. The internal DNS server is the nameserver entry in /etc/resolv.conf on instance “ns1”. Also modify the firewall rules on ns1 itself to allow DNS queries.
  7. “ns1” is now ready to handle DNS requests from the Internet for the domain “demo.local”.
  8. Finally, create a new instance named “demo1” for testing DNS lookups.
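As an added example for step 6 (this is not code from the original post), a small shell script to run on “ns1”: it reads the virtual router address from a resolv.conf-style file and emits a dnsmasq configuration that forwards only “demo.local” to it, with no default upstream, so the Internet-facing ns1 answers for that domain without becoming an open resolver for every other name. The sample resolv.conf contents, the 10.1.1.1 address and the /etc/dnsmasq.d/ path are constructed assumptions.

```shell
#!/bin/sh
# Added example: build a dnsmasq forwarder config for "ns1" (not the post's own code).
set -eu

# Print the first nameserver from a resolv.conf-style file. On "ns1" this is the
# virtual router address that CloudStack writes into /etc/resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Emit a dnsmasq config that forwards only $1 (the network domain) to $2 (the
# virtual router). With no-resolv and no default server= line, dnsmasq has no
# upstream for any other name and refuses it, so ns1 is not an open resolver.
dnsmasq_forwarder_conf() {
    domain=$1
    upstream=$2
    cat <<EOF
# forward "$domain" and its subdomains to the CloudStack virtual router
server=/$domain/$upstream
# ignore /etc/resolv.conf: no default upstream for names outside "$domain"
no-resolv
# do not serve ns1's own /etc/hosts entries to the Internet
no-hosts
# drop queries for unqualified (dot-less) names
domain-needed
EOF
}

# Constructed sample resolv.conf, standing in for the one CloudStack writes on ns1.
SAMPLE_RESOLV=$(mktemp)
printf 'search demo.local\nnameserver 10.1.1.1\n' > "$SAMPLE_RESOLV"

VR=$(first_nameserver "$SAMPLE_RESOLV")
# On a real ns1 the output would be saved as e.g. /etc/dnsmasq.d/demo-local.conf (assumed path)
dnsmasq_forwarder_conf demo.local "$VR"
rm -f "$SAMPLE_RESOLV"
```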



In my setup, “ns1.demo.local” holds the SNAT IP. Lookups are made to it from an outside network.

Let's look up “ns1.demo.local” first.

buffy:~ shanu$ host ns1.demo.local
Using domain server:

ns1.demo.local has address

Next, let's look up “demo1.demo.local”.

buffy:~ shanu$ host demo1.demo.local
Using domain server:

demo1.demo.local has address

This completes our forwarding DNS setup. From here, you can add the SNAT IP as an NS record in your primary DNS servers. Of course, in the real world you would use a valid subdomain instead of “demo.local”.

I have forwards configured in my LAN's OpenWrt settings to send queries for demo.local to the SNAT IP of ns1.demo.local, so that I can look up FQDNs without any hints.


buffy:~ shanu$ host ns1.demo.local
ns1.demo.local has address
buffy:~ shanu$ host demo1.demo.local
demo1.demo.local has address

This DNS forwarding setup would be most useful for shared networks with public IPs.

Shanker Balan
