Setting internally visible DNS entries on Google cloud


I would like to set DNS records visible from instances inside the Google cloud.

For example if I query DNS from my PC I'll get one IP; however if I query DNS from the instance I'll get another IP. (A record to be exact)

Ideally I'd like to do this in the most sane/convenient way possible, since I can install a caching DNS server on every instance and set up authoritative results, and forward caching for the rest (I guess bind9 can do that, never tried it before). But this is a configuration sync mess, and it's not elegant. I kinda assume there might exist a better way.


There are 3 answers

0
David On

One solution is to use totally different zones for different sets of machines and use the DNS search path to select.

So for example you could set up

server1.internal.yourdomain.com   IN   A    1.2.3.4
server1.external.yourdomain.com   IN   A    5.6.7.8

Then set up your machines with resolv.conf containing either

search internal.yourdomain.com

or

search external.yourdomain.com

And then when you look up server1 on such a machine it will return the address from the appropriate zone. This scheme means you don't need to rely on complex routing or IP detection. You will be immune to incidents where internal or external IPs get leaked into each other's results.

Of course this does mean that you aren't keeping any IP addresses secret, so make sure you have other security layers in place (you probably shouldn't rely on secret IPs for security anyway).
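
The search-path scheme in the answer above, as an added example that is not part of the original answer: it simulates offline how a stub resolver expands a short name using the search line in resolv.conf. The ZONE table is constructed from the two A records shown above, the function names are hypothetical, and the ndots handling is a simplified model of the usual resolver rules.

```python
# Added example: offline simulation of resolv.conf search-list expansion.
# ZONE is constructed from the two A records in the answer above.
ZONE = {
    "server1.internal.yourdomain.com": "1.2.3.4",
    "server1.external.yourdomain.com": "5.6.7.8",
}

def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf content."""
    search, ndots = [], 1  # resolver default is ndots:1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "search":
            search = fields[1:]  # the last search line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidates(name, search, ndots):
    """Order in which fully qualified names would be tried."""
    if name.endswith("."):
        return [name.rstrip(".")]  # trailing dot: absolute, no search list
    expanded = [f"{name}.{d.rstrip('.')}" for d in search]
    if name.count(".") >= ndots:
        return [name] + expanded  # enough dots: try the name as-is first
    return expanded + [name]

def lookup(name, resolv_conf, zone=ZONE):
    """Return (fqdn, address) for the first candidate found in zone."""
    search, ndots = parse_resolv_conf(resolv_conf)
    for fqdn in candidates(name, search, ndots):
        if fqdn.lower() in zone:
            return fqdn, zone[fqdn.lower()]
    return None, None

if __name__ == "__main__":
    internal = "search internal.yourdomain.com\n"
    external = "search external.yourdomain.com\n"
    print(lookup("server1", internal))
    print(lookup("server1", external))
    # The other zone is still reachable by full name: addresses are not secret.
    print(lookup("server1.external.yourdomain.com", internal))
```

The last call shows the caveat from the answer: the search line only selects a default zone, and any machine can still resolve the other zone by its full name.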

0
Robert On

Google Cloud DNS Private DNS was just announced to beta and does exactly what you need.

0
Alex On

Assuming you want your VM instances to be able to query other instances by name, and retrieve the desired instance’s private IP, this is already baked into GCP.

Google Cloud Platform (GCP) Virtual Private Cloud (VPC) networks have an internal DNS service that allows you to use instance names instead of instance IP addresses to refer to Compute Engine virtual machine (VM) instances.

Each instance has a metadata server that also acts as a DNS resolver for that instance. DNS lookups are performed for instance names. The metadata server itself stores all DNS information for the local network and queries Google's public DNS servers for any addresses outside of the local network.

[snip]

An internal fully qualified domain name (FQDN) for an instance looks like this:

hostName.c.[PROJECT_ID].internal

You can always connect from one instance to another using this FQDN.

Otherwise, if you want to serve up entirely arbitrary records to a set of machines, you’ll need to serve those records yourself (perhaps using Cloud DNS). In this case, you’d need to reconfigure the resolv.conf file on those instances appropriately (although you can’t just change the file as you see fit). Note that you can't restrict queries to only your own machines, but as David also mentioned, security through obscurity isn't security at all.