
How Two-Way Domain Name Resolution (DNS) Works for OCI and On-Premises Environments

In today’s hybrid cloud era, organizations often run a mix of on-premises infrastructure and cloud-based services. Oracle Cloud Infrastructure (OCI) hosts cloud-native applications, while on-premises environments continue to host legacy systems and directory services. For the two to communicate by name rather than by IP address, name resolution (DNS) has to work in both directions: OCI hosts must resolve on-premises names, and on-premises hosts must resolve OCI names.

Starting with why two-way resolution is needed and ending with an architectural overview, this post walks through the steps to integrate DNS between OCI and an on-premises environment.

Why Two-Way DNS Resolution Matters

Two-way DNS resolution enables hosts in both OCI and on-premises environments to resolve each other’s domain names.

This is crucial for various reasons:

  • Simplified communication: Applications and services in both environments can address each other by domain name rather than by IP address, so clients do not need to be reconfigured when an address changes.
  • Consistent policy: Security policies, access controls and TLS certificates can reference stable names rather than IP addresses. Note that DNS itself is not an authentication mechanism: a name-to-address mapping is only as trustworthy as the resolver path that produced it, so the resolvers and forwarders on both sides should be reachable only over the private VPN or FastConnect link.
  • Enhanced scalability: With forwarding rules in place, new hosts and subnets in either environment are resolvable as soon as they are registered in their own zone, without updating hosts files or per-application address lists on the other side.

Benefits of a Managed DNS Resolver on OCI

  • Performance: The OCI VCN resolver answers queries from inside the VCN with low latency, which helps keep applications hosted on OCI responsive.
  • Security: The resolver is private to the VCN and is not exposed to the internet, which limits the surface for DNS spoofing and cache poisoning. Resolver endpoints can additionally be restricted with network security groups (NSGs) so that only the on-premises DNS servers can reach the listening endpoint.
  • Integration: It is created automatically with every VCN and integrates with other OCI services, so DNS settings for applications and infrastructure are managed in one place.
  • Customization: Users can define private zones for internal networks and set up DNS forwarding rules that route queries for specific domains to specific DNS servers.
  • Regional coverage: The VCN resolver is available in every OCI region; each VCN’s resolver serves that VCN, so applications in different regions each get local resolution.

Resolver Endpoints

  • Resolver endpoints are created in a subnet of the VCN and receive a private IP address from that subnet.
  • A forwarding endpoint is required before you can create a resolver rule. No listening endpoint is required for compute instances that send queries to the VCN resolver at 169.254.169.254. Two types of endpoints are used.
  • Listening: A listening endpoint receives queries from the resolvers of other (peered) VCNs or from the DNS servers of your on-premises network. Its IP address is the target that on-premises conditional forwarders point to. Once created, no further configuration is needed for a listening endpoint.
  • Forwarding: A forwarding endpoint sends DNS queries to the listening endpoint of a resolver in another peered VCN or to the DNS servers of your on-premises network. Which queries are forwarded where is decided by the resolver rules that you define.

DNS Service on OCI

When creating a VCN and its subnets, you may specify a DNS label for each. DNS labels can only be set at creation time and cannot be changed afterwards, so choose them carefully. The labels, together with the parent domain oraclevcn.com, form the VCN domain name and subnet domain name, and an instance’s hostname is appended to the subnet domain to form its fully qualified name:

  • VCN domain name: <VCN DNS label>.oraclevcn.com
  • Subnet domain name: <subnet DNS label>.<VCN DNS label>.oraclevcn.com
  • Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com

Prerequisites

Make sure you have the following before you start:

  • An OCI account with the required authorization to manage VCNs and DNS resolvers.
  • A configured Virtual Cloud Network (VCN) in OCI with DNS labels set.
  • A Site-to-Site VPN or FastConnect connection between your on-premises network and OCI, with routes in place in both directions.
  • An on-premises DNS server on which you can configure conditional forwarders, for example an Active Directory (AD) domain controller with the DNS role enabled.

Architecture

This reference architecture uses a private connection (Site-to-Site VPN or FastConnect) to establish network access between OCI and the on-premises environment. DNS resolution in both directions depends on this connectivity: the OCI forwarding endpoint must reach the on-premises DNS servers over it, and the on-premises DNS servers must reach the OCI listening endpoint over it.

Setting Up DNS Forwarder & Listener

  • Create the VCN (with its DNS labels) and the subnet that will host the resolver endpoints.
  • Configure endpoints on the VCN’s private resolver: a forwarding endpoint and a listening endpoint.
  • Configure DNS forwarding rules that send queries for the on-premises domains from the forwarding endpoint to the on-premises DNS servers.
  • Create a conditional forwarder on the on-premises AD DNS server for the VCN domain, pointing at the listening endpoint’s IP address.

Considerations

Network Connectivity and Routing

  • VPN or FastConnect: Ensure there is a private and reliable network connection (Site-to-Site VPN or OCI FastConnect) established between OCI and the on-premises network.
  • Routing Configuration: Verify that routing on both the OCI and on-premises networks allows traffic to flow between the endpoint subnet and the on-premises DNS servers. Route tables should direct traffic destined for each environment to the appropriate gateway (the DRG on the OCI side).
  • Firewall Rules: Allow DNS traffic (UDP and TCP port 53) in both directions between the resolver endpoint subnet and the on-premises DNS servers, in OCI security lists or NSGs and in any on-premises firewall that sits between the two networks. TCP 53 matters because responses larger than 512 bytes are retried over TCP.

DNS Forwarding

Configure DNS forwarding rules or conditional forwarding:

  • OCI to On-Premises: Add a resolver rule that forwards queries for on-premises domains (e.g., xyz.com) from the OCI forwarding endpoint to your on-premises DNS servers. List more than one on-premises server as a destination so resolution survives the loss of one of them.
  • On-Premises to OCI: Configure a conditional forwarder on the on-premises DNS servers for the VCN domain (e.g., <VCN DNS label>.oraclevcn.com) that points at the OCI listening endpoint’s IP address. Forward only the VCN domain, not all of oraclevcn.com, and never forward a domain that OCI in turn forwards back to on-premises, or queries will loop between the two resolvers.
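The following script is an added example and is not part of the original article or of any OCI tooling. It ties together the setup steps above (endpoints, forwarding rule, on-premises conditional forwarder) and the two forwarding directions just described: it emits the OCI resolver forwarding rule in the JSON shape the private resolver accepts (which can be saved to a file and applied with `oci dns resolver update --rules file://rules.json --scope PRIVATE`, an assumed invocation), emits the matching Windows DNS cmdlet for the AD server, and first checks for two classic mistakes: a forwarding target outside the CIDR routed over the VPN, and a forwarding loop where on-premises forwards a zone to OCI that OCI forwards back. All labels, addresses and the xyz.com domain are constructed sample values.

```python
"""Plan and sanity-check a two-way OCI <-> on-premises DNS integration.
Added example, not OCI's or the article's own code. All labels, CIDRs,
addresses and the xyz.com domain used below are constructed."""
import ipaddress
import json

VCN_DOMAIN_SUFFIX = "oraclevcn.com"


def vcn_domain(vcn_label: str) -> str:
    """Private zone OCI creates for a VCN with this DNS label."""
    return f"{vcn_label}.{VCN_DOMAIN_SUFFIX}"


def covers(zone: str, name: str) -> bool:
    """True if `zone` equals `name` or is one of its parent domains."""
    zone, name = zone.lower().rstrip("."), name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate(vcn_label, listen_subnet_cidr, listen_ip, onprem_cidr,
             onprem_dns, onprem_domains, onprem_to_oci_zones=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    # The listening endpoint takes an IP from its subnet; on-prem DNS forwards
    # to that IP, so it must sit inside the subnet you route over the VPN.
    if ipaddress.ip_address(listen_ip) not in ipaddress.ip_network(listen_subnet_cidr):
        problems.append(f"listening endpoint {listen_ip} is not inside {listen_subnet_cidr}")
    # Forwarding targets must be reachable through the VPN/FastConnect route.
    onprem_net = ipaddress.ip_network(onprem_cidr)
    for ip in onprem_dns:
        if ipaddress.ip_address(ip) not in onprem_net:
            problems.append(f"on-prem DNS {ip} is outside the routed CIDR {onprem_cidr}")
    # Loop check: a zone on-prem forwards to OCI must not overlap a domain OCI
    # forwards back to on-prem (e.g. forwarding all of oraclevcn.com on-prem).
    zones = list(onprem_to_oci_zones or [vcn_domain(vcn_label)])
    for zone in zones:
        for domain in onprem_domains:
            if covers(zone, domain) or covers(domain, zone):
                problems.append(f"on-prem forwards {zone} to OCI while OCI forwards "
                                f"{domain} to on-prem: query loop")
    return problems


def plan(vcn_label, listen_subnet_cidr, listen_ip, onprem_cidr, onprem_dns,
         onprem_domains, onprem_to_oci_zones=None, forwarding_endpoint="fwd-endpoint"):
    """Return (oci_rules, onprem_forwarders); raise ValueError if validate() fails."""
    problems = validate(vcn_label, listen_subnet_cidr, listen_ip, onprem_cidr,
                        onprem_dns, onprem_domains, onprem_to_oci_zones)
    if problems:
        raise ValueError("; ".join(problems))
    oci_rules = [{
        "action": "FORWARD",
        "clientAddressConditions": [],              # match every client in the VCN
        "qnameCoverConditions": list(onprem_domains),
        "destinationAddresses": list(onprem_dns),   # on-prem DNS servers, in order
        "sourceEndpointName": forwarding_endpoint,  # assumed endpoint name
    }]
    zones = list(onprem_to_oci_zones or [vcn_domain(vcn_label)])
    onprem_forwarders = [{"zone": z, "masterServers": [listen_ip]} for z in zones]
    return oci_rules, onprem_forwarders


def onprem_powershell(onprem_forwarders) -> list:
    """Windows DNS cmdlets that create the conditional forwarders on the AD server."""
    return [
        f'Add-DnsServerConditionalForwarderZone -Name "{f["zone"]}" '
        f'-MasterServers {",".join(f["masterServers"])} -ReplicationScope "Forest"'
        for f in onprem_forwarders
    ]


if __name__ == "__main__":
    rules, forwarders = plan("vcn1", "10.0.1.0/24", "10.0.1.53",
                             "192.168.0.0/16", ["192.168.10.53", "192.168.10.54"],
                             ["xyz.com"])
    print(json.dumps(rules, indent=2))          # save as rules.json for the OCI CLI
    print("\n".join(onprem_powershell(forwarders)))
```

Run it as-is to print the rule JSON and the cmdlet for the constructed values; swap in your own VCN label, endpoint subnet and on-premises CIDR and the validation will refuse to emit anything that would loop or be unroutable. The loop check deliberately matches in both directions: forwarding `oraclevcn.com` from on-premises is just as wrong as forwarding `vcn1.oraclevcn.com` from OCI.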

Monitoring and Troubleshooting

  • Logging and Monitoring: Enable query logging on the on-premises DNS servers and on the OCI resolver, and monitor resolution latency and failure rates (SERVFAIL, timeouts) on both sides so that a broken forwarding path is noticed before applications fail.
  • Testing and Validation: Validate the integration from both sides: from an OCI instance, resolve an on-premises name (e.g., a host in xyz.com); from an on-premises host, resolve an instance FQDN in the VCN domain. Query the forwarder or listening endpoint directly as well as through the normal resolver path, so that a cached answer does not hide a broken forwarder. Test scenarios must include failover, for example taking one on-premises DNS server offline and confirming that the second destination address still answers.

Conclusion:

Integrating two-way domain name resolution between Oracle Cloud Infrastructure (OCI) and on-premises environments is a critical step in enabling communication between them. It requires careful planning (DNS labels, endpoint subnets, routing and firewall rules), a consistent set of forwarding rules on both sides, and ongoing monitoring to keep the integration working as both environments change.

Done well, it gives organizations correct resolution in both directions, better application performance and user experience, stronger policy enforcement based on stable names, and less administrative burden, which in turn supports business growth and digital transformation initiatives.
