GCE DNS forwarding

Tags: dhcp, domain-name-system, forwarding, gcloud

I'm trying to set up a local DNS forwarder for the VPC network to use an LDAP controller which is running a DNS server.
I have a few GCP projects which should be able to communicate with each other over an already-built VPN tunnel using DNS names.
I've activated Cloud DNS on GCP, created a DNS server policy in order to forward requests to the internal DNS servers, and assigned this policy to my custom network setup, but GCE VMs are still unable to resolve hosts. But if I edit the /etc/resolv.conf file on the VM and put a nameserver option before the GCP metadata server (169.254.169.254), everything works fine. Such a solution isn't preferable, as in the case of a huge number of VMs I'd need to deploy those changes to each VM separately.
I've also tried to deploy forwarding rules for internal domains; the result is the same.
According to the GCP DNS "how to", you can use the following command to check the DNS resolver settings for the whole network:

gcloud compute addresses list \
--filter="purpose=DNS_RESOLVER" \
--format='csv[no-heading](address, subnetwork)'
….
192.168.14.4,cloud-vpn-14
….
This IP was reserved by "dns-forwarder-…." and I'm able to make a request using `dig test.1.com`, but it doesn't forward the query to the DNS server that was configured in the DNS forwarding policy.

So my question is: how do I avoid manually overriding the /etc/resolv.conf file? Or how do I make DNS forwarding work correctly?

Best Answer

I set it up, but without specifying the internal-IP DNS servers.

I experimented and managed to find out the following: for this to work, in --forwarding-targets it is only possible to add the IPs of external DNS servers, not internal ones. Therefore, in order for this rule to work, you need to NAT-redirect UDP port 53 from the external IP of your corporate network to the internal IP of your DNS server, and allow this redirect for the 35.199.192.0/19 range, which Google uses for proxying DNS queries (documentation: https://cloud.google.com/dns/zones/#creating-forwarding-zones). But during my experiment it also became clear that it was necessary to add the 172.217.0.0/16 range too.

After these conditions are met, everything starts working successfully.

Example:

gcloud beta dns managed-zones create example-forwarding-zone \
    --dns-name="cluster.example.com" \
    --description="A zone" \
    --networks="default,my-network" \
    --visibility=private \
    --forwarding-targets="ext_ip_of_your_corporate_network"

After this, resolving the host test.cluster.example.com begins to work.
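As an added illustration of the answer above (example code written for this page, not the answerer's own tooling or a Google API), the following pre-flight check encodes the two constraints the answer reports: a Cloud DNS forwarding target must be a publicly routable address (so an internal 192.168.x.x or the 169.254.169.254 metadata resolver will never work), and the corporate edge must NAT port 53 to the internal DNS server while admitting Google's forwarding source ranges. The source ranges (35.199.192.0/19 and 172.217.0.0/16) are taken from the answer as stated; the target, NAT and firewall values below are constructed samples, and the output is a plain description of the rules to create rather than a call to any cloud or firewall API.

```python
"""Pre-flight check for a Cloud DNS forwarding zone (example code, not part of the original post)."""
import ipaddress

# Source ranges Google forwards from, as quoted in the answer above
# (35.199.192.0/19 from the Cloud DNS docs, 172.217.0.0/16 observed by the answerer).
GOOGLE_FORWARDING_SOURCES = ("35.199.192.0/19", "172.217.0.0/16")

# Address space that is not reachable from those ranges and therefore
# cannot be used as a forwarding target.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8",       # RFC 1918
        "172.16.0.0/12",    # RFC 1918
        "192.168.0.0/16",   # RFC 1918
        "100.64.0.0/10",    # carrier-grade NAT
        "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata resolver
        "127.0.0.0/8",      # loopback
    )
]


def classify_target(ip: str) -> str:
    """Return 'public' if the address could be reached from the Internet, else 'private'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in NON_ROUTABLE) else "public"


def plan_forwarding(forwarding_targets, internal_dns_ip, protocols=("udp",)):
    """Validate the targets and derive the NAT and ingress rules the answer describes.

    forwarding_targets: external IPs you would pass to --forwarding-targets.
    internal_dns_ip:    the internal DNS server the edge should NAT port 53 to.
    protocols:          the answer only mentions UDP; pass ("udp", "tcp") to cover
                        truncated responses that fall back to TCP.
    """
    problems = [
        f"{t} is not publicly routable; a forwarding target must be an external address"
        for t in forwarding_targets
        if classify_target(t) == "private"
    ]
    if classify_target(internal_dns_ip) != "private":
        problems.append(f"{internal_dns_ip} is not an internal address; NAT should land on the internal DNS server")

    # One destination-NAT entry per external target and protocol: ext_ip:53 -> internal_dns_ip:53
    nat_rules = [
        {"external_ip": t, "internal_ip": internal_dns_ip, "proto": p, "port": 53}
        for t in forwarding_targets
        for p in protocols
    ]
    # Ingress allow rules on the edge: only Google's forwarding ranges may hit port 53
    firewall_rules = [
        {"source": src, "destination": t, "proto": p, "dport": 53, "action": "allow"}
        for t in forwarding_targets
        for src in GOOGLE_FORWARDING_SOURCES
        for p in protocols
    ]
    return {"ok": not problems, "problems": problems, "nat": nat_rules, "firewall": firewall_rules}


if __name__ == "__main__":
    # Constructed sample: a documentation-range external IP and a private DNS server.
    plan = plan_forwarding(["203.0.113.10"], "10.0.0.53")
    print("ok:", plan["ok"])
    for rule in plan["nat"] + plan["firewall"]:
        print(rule)
    # The question's resolver address would be rejected as a target:
    print(plan_forwarding(["192.168.14.4"], "10.0.0.53")["problems"])
```

Keeping the allowlist to Google's published ranges matters because the NAT exposes the internal resolver on a public IP; without the source restriction the edge would answer port 53 for anyone, which invites amplification abuse and reconnaissance of internal names.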
