Score:0

How do you resolve to both public and private zones in a Split-Horizon DNS (using GCP Cloud DNS)?


We're using GCP and Cloud DNS to manage our domain and I'm trying to solve for these use cases:

  1. Have private records for things like Databases that can only be resolved within the company network (our VPC).
  2. Override public records with private IPs for alternative routing within the company network.
  3. Be able to issue DNS01 challenges and resolve the records within our network and publicly. We need this due to how cert-manager works (which we use to issue certificates with letsencrypt).

I've tried solving this with a public and private zone (AKA, split-horizon DNS), however, this solution only solves use cases 1 and 2. And it only solves use case 2 if we ensure the private zone has a copy of all records in the public zone (if there isn't a private counterpart).

Use case 3 isn't met with this solution as our cert-manager server creates the records in the public zone and then cannot resolve them in the public zone. Due to the specifics of our setup, customizing cert-manager to resolve both zones via some local configuration isn't ideal. It also would be difficult to have the records created on both zones, so again not the ideal solution.

What I'd like is for the private zone to forward requests to the public one if it doesn't have a record for a specific request. Is there a way of doing this, specifically using GCP Cloud DNS?

The ideal nslookup -> private zone -> public zone

Currently we have nslookup -> private zone -> error (NXDOMAIN) if no record

For example,

# While on my laptop
> nslookup ws1.example.com
...
Name:   ws1.example.com
Address: 34.111.111.111           # Public IP for web server

# While on the GCP network
> nslookup db.example.com
...
Name:   db.example.com
Address: 10.10.0.2                # Private IP for a database
> nslookup ws1.example.com
...
Name:   ws1.example.com
Address: 10.0.0.10                # Private IP (from private zone) for web server

This works fine for use cases 1 and 2 but when we try to resolve a record that only exists on the public zone...

# While on my laptop
> nslookup ws1.example.com
...
Name:   ws1.example.com
Address: 34.111.111.111           # Public IP for web server
> nslookup ws2.example.com        # We only have this record in the public zone
...
Name:   ws2.example.com
Address: 34.111.111.112           # Public IP for another web server

# While in the GCP VPC
> nslookup ws1.example.com
...
Name:   ws1.example.com
Address: 10.0.0.1                 # Private IP (override) for web server
> nslookup ws2.example.com        # We only have this record in the public zone
...
** server can't find ws2.example.com: NXDOMAIN    # Fails to resolve. Should look at private then public zone and resolve to 34.111.111.112.

Any suggestions?

As a workaround, for now, we've switched to using HTTP01 challenges for cert-manager but we'd prefer to use DNS01 if possible.

Score:2

If example.com is both a private and public zone, then you must have resource records for ws2 in both the public and private zones. There is no failover from private to public. Each zone must be authoritative.

The key to understanding your problem: the query is performed at example.com. If the zone returns NXDOMAIN, that is the end of the lookup. DNS does not then move to another server to query for a different answer.
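Since the private zone never falls back to the public one, the only way to keep public-only names resolvable inside the VPC is to copy them into the private zone while leaving deliberate overrides alone. The script below is an added example (not from the question or the answer) that diffs the two zones as exported by `gcloud dns record-sets list --zone=ZONE --format=json` and renders the `gcloud dns record-sets create` commands for whatever is missing; the zone name `private-zone` and all record data are constructed for the example.

```python
"""Diff a public and a private Cloud DNS zone and emit commands to mirror missing records."""
import json
import shlex

# Zone-level records belong to each zone individually and must never be copied across.
SKIP_TYPES = {"SOA", "NS"}

# Constructed sample of `gcloud dns record-sets list --zone=public-zone --format=json`.
PUBLIC_JSON = json.dumps([
    {"name": "example.com.", "type": "SOA", "ttl": 21600,
     "rrdatas": ["ns1.example.net. hostmaster.example.com. 1 21600 3600 259200 300"]},
    {"name": "example.com.", "type": "NS", "ttl": 21600, "rrdatas": ["ns1.example.net."]},
    {"name": "example.com.", "type": "TXT", "ttl": 300, "rrdatas": ['"v=spf1 -all"']},
    {"name": "ws1.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.111.111.111"]},
    {"name": "ws2.example.com.", "type": "A", "ttl": 300, "rrdatas": ["34.111.111.112"]},
])

# Constructed sample of the private zone: ws1 is an intentional override, db is private-only.
PRIVATE_JSON = json.dumps([
    {"name": "example.com.", "type": "SOA", "ttl": 21600,
     "rrdatas": ["ns1.example.net. hostmaster.example.com. 1 21600 3600 259200 300"]},
    {"name": "example.com.", "type": "NS", "ttl": 21600, "rrdatas": ["ns1.example.net."]},
    {"name": "ws1.example.com.", "type": "A", "ttl": 300, "rrdatas": ["10.0.0.10"]},
    {"name": "db.example.com.", "type": "A", "ttl": 300, "rrdatas": ["10.10.0.2"]},
])


def load_record_sets(raw_json):
    """Parse gcloud's JSON output into a dict keyed by (name, type)."""
    return {(r["name"], r["type"]): r for r in json.loads(raw_json)}


def missing_in_private(public, private, skip_types=SKIP_TYPES):
    """Return public record sets with no (name, type) counterpart in the private zone.

    A private record with the same name and type is an override and is left untouched,
    so 10.0.0.10 for ws1 survives while ws2 and the apex TXT are flagged for mirroring.
    """
    return [r for key, r in sorted(public.items())
            if r["type"] not in skip_types and key not in private]


def mirror_commands(records, private_zone):
    """Render one `gcloud dns record-sets create` per missing record set, shell-quoted."""
    return ["gcloud dns record-sets create {} --zone={} --type={} --ttl={} --rrdatas={}".format(
                shlex.quote(r["name"]), shlex.quote(private_zone), r["type"], r["ttl"],
                shlex.quote(",".join(r["rrdatas"])))
            for r in records]


if __name__ == "__main__":
    missing = missing_in_private(load_record_sets(PUBLIC_JSON), load_record_sets(PRIVATE_JSON))
    print("\n".join(mirror_commands(missing, "private-zone")))
```

This covers use cases 1 and 2 only; the transient `_acme-challenge` TXT record that cert-manager writes for DNS01 would still need its own copy in the private zone at issuance time.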

James (comment): I know there's a way to configure a server to use DNSes via local configuration, is there no funky trick with some proxy DNS that can perform this? Or using response policy zones (RPZ) or some other new DNS feature to achieve this?

John Hanley (comment): @James - 1/2) Regarding Google Cloud DNS Response Policies, I am not sure for split DNS. You would need to create a passthrough rule. However, I am not aware of an option to attach a Response Policy on a **private** zone so that a query for **ws2.example.com** would bypass the private zone and be sent to the public zone instead. In that case, you would not use split-horizon DNS. You would create a Response Policy for each zone you want a different response.

John Hanley (comment): @James - 2/2) For your use case, which is easier to manage? Creating response policies for each zone you want modified results or creating resource records in the private zone? I do not think that response policies will offer the magic you are looking for. You will have to configure something either in the zone or via a policy.

James (comment): Okay, thanks John. I'll re-evaluate our use cases. We might just have to accept this limitation and switch to HTTP01 for cert-manager.