Setting up internal / private networking DNS?

September 1, 2017 8.1k views
DNS Ubuntu 16.04

Is it possible to set up DNS for private / internal-only network interfaces? For example, suppose I have a private network interface 10.128.2.18 and I name it pnv1. I could add this to /etc/hosts, but if the network address changes, I have to update /etc/hosts on every single client that needs to access pnv1. So I'm wondering if DigitalOcean supports private networking DNS? I'm hoping I could essentially point /etc/hosts to this service and the service would then return the network address the client is trying to look up.

5 Answers

Yes. DigitalOcean's DNS service can be used with private networking. The one caveat is that the Droplets cannot be completely isolated with their public interface disabled: they will still require outbound access to port 53 for DNS lookups. In general, public DNS does not care whether the IP address it points to is accessible or not. So pointing internal.example.com to a private IP address with an A record will work, but it will not be accessible if you are not on that private network.

If you require complete isolation from the public network, check out this tutorial for information on setting up a private DNS server:

by Justin Ellingwood
An important part of managing server configuration and infrastructure includes maintaining an easy way to look up network interfaces and IP addresses by name, by setting up a proper Domain Name System (DNS). Using fully qualified domain names (FQDNs), instead of IP addresses,...
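The caveat in this answer (an A record may point at a private address; DNS will serve it, but only a client on that private network can reach it) is easy to get wrong when debugging "DNS doesn't work" reports. The following is an added example, not code from DigitalOcean or from anyone in this thread: it classifies resolved addresses as RFC 1918 private or public and decides whether a given client, described by the subnets its interfaces sit on, could actually reach them. The sample answers and subnets are constructed; `pnv1.internal.example.com` and the `10.128.0.0/16` subnet are assumptions modelled on the question.

```python
import ipaddress
import socket

# RFC 1918 ranges: the address space DigitalOcean's private networking
# (10.128.x.x in the question) draws from.  Public DNS will happily hand
# these out in an A record; whether a client can then reach them is a
# routing question, not a DNS one.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample data: what a resolver might return for two names,
# and the subnets a hypothetical Droplet has interfaces on.
SAMPLE_ANSWERS = {
    "pnv1.internal.example.com": ["10.128.2.18"],   # A record -> private IP
    "www.example.com": ["203.0.113.10"],            # A record -> public IP
}
SAMPLE_LOCAL_SUBNETS = ["10.128.0.0/16", "203.0.113.0/24"]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def reachable_from(addr: str, local_subnets) -> bool:
    """Rough reachability check for the answer's caveat.

    A public address is assumed to be routable.  A private one is only
    reachable when the client has an interface on the same subnet, which
    is the "not accessible if you are not on that private network" case.
    """
    ip = ipaddress.ip_address(addr)
    if not is_rfc1918(addr):
        return True
    return any(ip in ipaddress.ip_network(net) for net in local_subnets)


def classify(name: str, answers, local_subnets):
    """Return (address, scope, reachable) for each A record of name."""
    rows = []
    for addr in answers.get(name, []):
        scope = "private" if is_rfc1918(addr) else "public"
        rows.append((addr, scope, reachable_from(addr, local_subnets)))
    return rows


def resolve_live(name: str):
    """Real lookup through the system resolver (needs outbound port 53).

    Not used with the constructed sample; shown so classify() can be
    pointed at live answers: classify(name, {name: resolve_live(name)}, ...).
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for host in SAMPLE_ANSWERS:
        # Seen from a Droplet that has a private interface on 10.128.0.0/16:
        for addr, scope, ok in classify(host, SAMPLE_ANSWERS, SAMPLE_LOCAL_SUBNETS):
            print(f"{host:28} {addr:15} {scope:8} reachable={ok}")
        # Seen from a client with only a public interface:
        for addr, scope, ok in classify(host, SAMPLE_ANSWERS, ["203.0.113.0/24"]):
            print(f"{host:28} {addr:15} {scope:8} reachable={ok}  (public-only client)")
```

Run as a script it prints the private record as reachable from the Droplet and unreachable from the public-only client, while the public record is reachable from both; that is the whole caveat in one table.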

So I added a custom domain (notexistend.org), which is not actually registered, since I'll only use it internally, then added the DO nameservers to resolv.conf... but nothing. ping can't find notexistend.org.

Any thoughts?

Ping is unable to find the A record added to DigitalOcean DNS!

I achieved that by following https://gist.github.com/so0k/cdd24d0a4ad92014a1bc, but it only works if the DNS is a real one (not some internal fake DNS).

If the DNS doesn't exist, I achieved that (accessing other droplets through the internal DNS) by leaving only the DO internal nameserver IPs (198.41.222.173, etc.) in resolv.conf (I removed 8.8.8.8 and 8.8.4.4 from it).

The problem is that it won't work when I try to look up external sites.

In the end, I still don't know how I can use DigitalOcean DNS internally with a fake internal DNS, in such a way that it resolves correctly when I ping a host in my internal domain but uses 8.8.8.8 or 8.8.4.4 for external ones.

It would be great if DO provided a tutorial about how to do that.

  • No, they won't; they will just redirect you to the BIND tutorial. That's it. One thing I am trying to clear up here is that you mentioned a fake internal DNS. Is that the same as the BIND DNS server in that tutorial that you set up yourself?

    • @mefav By fake internal DNS I mean a DNS zone created at DigitalOcean that doesn't work externally (one that doesn't have a real domain name, like creating the DNS for example.com in the DO panel). I could access the servers registered in this DNS if I left only the DO internal nameserver IPs (198.41.222.173, etc.) in resolv.conf, but it has the problem I described above.

      Using a BIND DNS server should solve it too, but you would need to maintain that yourself, and adding / removing IPs will probably end up being a manual task, unless you create some kind of API in your DNS server.

      The simplest way I found is using a real DNS name: point it to the DO nameserver IPs and add the domain in the DO panel. Then I just add the A records with the droplets' IPs inside the domain, and I can access the droplets through DNS.

      For development, I create a free domain name at Freenom (a domain under the .tk TLD), but for production servers it's advisable to buy a more trusted domain name.
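The split this answer is after (internal zone answered by DigitalOcean's nameservers, everything else by 8.8.8.8) cannot be expressed in resolv.conf: the stub resolver has no per-domain routing, it just walks the nameserver lines in order for every query. What does work is a local forwarder such as dnsmasq, whose `server=/domain/ip` entries route by query suffix. The block below is an added example, not DigitalOcean's code or anything posted in this thread: it implements dnsmasq's longest-suffix upstream selection in plain Python so the routing is visible, renders the equivalent dnsmasq configuration, and checks a resolv.conf text for the single `nameserver 127.0.0.1` entry that such a setup needs. It assumes, as the answer above observed, that 198.41.222.173 answers authoritatively for a zone added in the DO panel even though notexistend.org is not registered; the resolv.conf samples are constructed.

```python
# Forwarding table in the shape of dnsmasq's "server=/<domain>/<ip>" lines.
# The zone name and the DO nameserver IP are the ones from this thread;
# forwarding only that zone to DO is the assumption being illustrated.
FORWARD_RULES = {
    "notexistend.org": ["198.41.222.173"],
}
# Queries that match no rule go to the public resolvers named in the thread.
DEFAULT_UPSTREAMS = ["8.8.8.8", "8.8.4.4"]


def pick_upstreams(qname, rules=FORWARD_RULES, default=DEFAULT_UPSTREAMS):
    """Choose upstream servers for a query name by longest matching suffix.

    This mirrors the selection dnsmasq performs for server=/domain/ip:
    "db1.notexistend.org" matches the notexistend.org rule, while
    "www.google.com" falls through to the default list.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return list(rules[suffix])
    return list(default)


def render_dnsmasq_conf(rules=FORWARD_RULES, default=DEFAULT_UPSTREAMS):
    """Emit a dnsmasq configuration implementing the same table.

    no-resolv makes dnsmasq ignore /etc/resolv.conf so the upstream choice
    lives in this file; the host's own resolv.conf then needs only
    "nameserver 127.0.0.1".
    """
    lines = ["no-resolv"]
    for domain, servers in sorted(rules.items()):
        lines.extend(f"server=/{domain}/{s}" for s in servers)
    lines.extend(f"server={s}" for s in default)
    return "\n".join(lines) + "\n"


def resolv_conf_nameservers(text):
    """Return the nameserver entries of a resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def uses_local_forwarder(resolv_text):
    """True when the stub resolver hands every query to the local forwarder.

    Listing 198.41.222.173 next to 8.8.8.8 is what the answer above tried;
    since resolv.conf cannot route by domain, this check insists on a
    single local entry instead.
    """
    return resolv_conf_nameservers(resolv_text) == ["127.0.0.1"]


# Constructed resolv.conf contents for the two situations in the thread.
RESOLV_MIXED = "nameserver 198.41.222.173\nnameserver 8.8.8.8\n"
RESOLV_LOCAL = "search notexistend.org\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    print(render_dnsmasq_conf())
    for q in ("db1.notexistend.org", "notexistend.org.", "www.google.com"):
        print(f"{q:22} -> {pick_upstreams(q)}")
    print("mixed resolv.conf routes correctly:", uses_local_forwarder(RESOLV_MIXED))
    print("local resolv.conf routes correctly:", uses_local_forwarder(RESOLV_LOCAL))
```

The rendered configuration can be dropped into /etc/dnsmasq.d/ on the Droplet; adding a second internal zone is one more entry in `FORWARD_RULES`, and the selection logic is unchanged. This routes by query name, which is a different thing from the BIND views mentioned further down, where the answer varies by which client is asking.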

Step one. Use a real domain you own. In addition to the free domains someone already mentioned, subdomains also work.

Step two. Understand DNS views.

Ultimately this means managing your own DNS servers and understanding in more depth how DNS is propagated/federated across the internet at large. BIND9 can be as easy or as complex as you want it to be. There are other solutions as well, but BIND9 remains the standard the others reference.
