Demonstrate knowledge of OCI DNS and Traffic Steering

Summary

OCI DNS is divided between public and private domains. Traffic management allows the customer to shape DNS answers.

Reference

OCI DNS Management

OCI Public DNS: Key Benefits

  • Provides Authoritative DNS service functionality for public DNS zones
  • Support for OCI, other CSP endpoints (AWS, Azure) and private assets
  • Consistently lowest query latency performance
  • Industry leading propagation time to ensure fast response to DNS change
  • Served via anycast from OCI's global commercial regions
  • Supports import in standard BIND zone data format
  • OCI for Primary and Secondary DNS
    • Hosting a customer's public DNS domains entirely in OCI
  • OCI for Primary OR Secondary DNS
    • Provides fault tolerance for a customer's public DNS zones on-prem or with other providers
  • DDoS protection built-in
  • Most standards-compliant DNS platform

Exporting and Importing Zones

  • Exporting a zone is possible only by using the OCI CLI
  • When importing, the format is critical. The BIND zone file format is the industry-preferred format and has been widely adopted by DNS server software.
  • The format is defined in RFC 1035
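Because an import fails on a malformed file, it is worth checking a BIND zone file before uploading it. The following parser and validator are an added example (not OCI's tooling and not from the original notes): they handle the RFC 1035 single-line record syntax with `$ORIGIN`, `$TTL`, the `@` shorthand, comments and relative names, and flag structural problems such as a missing apex SOA or NS. The zone contents are constructed sample data; the helper names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}
# RDATA positions that hold domain names and may therefore be written relative to $ORIGIN.
NAME_FIELDS = {"CNAME": [0], "NS": [0], "PTR": [0], "MX": [1], "SOA": [0, 1], "SRV": [3]}


@dataclass
class Record:
    name: str      # fully qualified owner name, trailing dot included
    ttl: int
    rtype: str
    rdata: str


def qualify(name: str, origin: str) -> str:
    """Turn a possibly relative owner or RDATA name into an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: Optional[str] = None) -> List[Record]:
    """Parse a one-record-per-line BIND zone file (no multi-line parentheses,
    no ';' inside TXT strings). Raises ValueError with the line number for
    anything an importer would also have to reject."""
    default_ttl = None
    last_name = None
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                raise ValueError(f"line {lineno}: $ORIGIN must be absolute")
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            raise ValueError(f"line {lineno}: unsupported directive {line.split()[0]}")
        if origin is None:
            raise ValueError(f"line {lineno}: record before $ORIGIN and no origin given")
        tokens = line.split()
        # An owner name is present only when the line does not begin with whitespace;
        # otherwise the record belongs to the previous owner (RFC 1035 section 5.1).
        if line[0] in " \t":
            if last_name is None:
                raise ValueError(f"line {lineno}: no previous owner name to inherit")
            name = last_name
        else:
            name = qualify(tokens.pop(0), origin)
        last_name = name
        ttl = default_ttl
        # TTL and class are both optional and may appear in either order.
        for _ in range(2):
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() == "IN":
                tokens.pop(0)
        if not tokens or tokens[0].upper() not in RECORD_TYPES:
            raise ValueError(f"line {lineno}: missing or unsupported record type")
        rtype = tokens.pop(0).upper()
        if ttl is None:
            raise ValueError(f"line {lineno}: no TTL on record and no $TTL directive")
        if not tokens:
            raise ValueError(f"line {lineno}: {rtype} record has no RDATA")
        for idx in NAME_FIELDS.get(rtype, []):
            if idx < len(tokens):
                tokens[idx] = qualify(tokens[idx], origin)
        records.append(Record(name, ttl, rtype, " ".join(tokens)))
    return records


def zone_problems(records: List[Record], origin: str) -> List[str]:
    """Structural checks an authoritative zone must pass before import."""
    problems = []
    soa = [r for r in records if r.rtype == "SOA" and r.name == origin]
    if len(soa) != 1:
        problems.append(f"expected exactly one apex SOA, found {len(soa)}")
    if not any(r.rtype == "NS" and r.name == origin for r in records):
        problems.append("no NS records at the zone apex")
    for r in records:
        if not r.name.endswith(origin):
            problems.append(f"{r.name} is outside the zone {origin}")
        if r.rtype == "CNAME" and any(o is not r and o.name == r.name for o in records):
            problems.append(f"CNAME at {r.name} coexists with other records")
    return problems


# Constructed sample zone (documentation addresses), not a real customer's data.
SAMPLE_ZONE = """\
; constructed sample zone
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster 2024010101 7200 3600 1209600 300
        IN NS  ns1
        IN NS  ns2.example.com.
ns1     IN A   203.0.113.1
ns2     IN A   203.0.113.2
www     300 IN A  203.0.113.10
mail    IN MX  10 mx1
"""

if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(rec)
    print("problems:", zone_problems(parse_zone(SAMPLE_ZONE), "example.com."))
```

Run it over your own export before importing; anything `zone_problems` reports is something the authoritative service would serve incorrectly or refuse.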

Private DNS

Internal and Private DNS

  • A private DNS resolver allows resolution of local, internal resources that have custom domain names. The domain names do not need to be subdomains of oraclevcn.com, as they must be with the default Internet and VCN Resolver
  • You can specify a DNS label when creating VCN and subnets and launching a host
    • VCN Domain Name: <VCN DNS label>.oraclevcn.com
    • Subnet Domain Name: <subnet DNS label>.<VCN DNS label>.oraclevcn.com
    • Instance FQDN: <hostname>.<subnet DNS label>.<VCN DNS label>.oraclevcn.com
  • Instance FQDN resolves to the instance's Private IP address
  • No DNS records are created automatically for Public IP addresses
  • Builds on the existing VCN DNS capabilities
  • Available at 169.254.169.254
  • By default, resolves:
    • oraclevcn.com names within a VCN
    • DNS names on the Internet
  • Adds support for:
    • Private Zones and Views
    • Endpoints
    • Rules

Private DNS: Private Views

  • Allows hosting of custom DNS zones
  • Create custom DNS records in a custom zone
    • Automatically created instance records still land in the protected oraclevcn.com zone for the subnet
    • Not possible to assign a custom zone to a subnet
  • Custom zones can be shared by multiple VCNs in the same region
  • Private DNS hosts all data for a zone:
    • Cannot delegate subzones
    • Cannot be secondary to zone hosted by non-Private DNS server
    • Cannot have non-Private DNS secondary server

Private DNS: Endpoints

  • Endpoints attach Private DNS resolvers to a subnet in a VCN
  • Listening Endpoints receive requests from clients and remote DNS servers
  • Forwarding Endpoints are used to send requests to remote DNS servers
  • There must be connectivity between the endpoint and relevant clients or servers
    • Use DRGs for cross-VCN connectivity
    • Be mindful of overlapping VCN CIDR ranges
    • Traffic must be permitted by security lists

Private DNS: Rules

  • A rule directs requests to a remote DNS server
    • Used only if the resolver is not authoritative for the name
    • The remote DNS server could be in another VCN or on-prem
  • Up to 10 rules per resolver direct queries for a DNS zone to remote servers
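The ordering that matters here is that authoritative data always wins over a forwarding rule: a name covered by a private view or by the VCN's own oraclevcn.com zone is answered (or returned as NXDOMAIN) locally, and only names outside every hosted zone are matched against the rules. The model below is an added example, not the resolver's actual implementation; rule fields are patterned on OCI's FORWARD rule (qname and client-address conditions, source endpoint, destination addresses), first-match-wins ordering and the 10-rule limit are taken from the notes, and all names, addresses and endpoint names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FORWARD_RULES = 10          # per-resolver limit from the notes


@dataclass
class ForwardRule:
    """Forwarding rule: optional qname and client-address conditions, the
    forwarding endpoint to send from, and the remote servers to send to."""
    qname_covers: List[str]     # domain suffixes; empty list = any name
    client_cidrs: List[str]     # source ranges; empty list = any client
    source_endpoint: str
    destinations: List[str]

    def matches(self, qname: str, client_ip: str) -> bool:
        name_ok = not self.qname_covers or any(
            qname == d or qname.endswith("." + d) for d in self.qname_covers)
        addr = ipaddress.ip_address(client_ip)
        client_ok = not self.client_cidrs or any(
            addr in ipaddress.ip_network(c) for c in self.client_cidrs)
        return name_ok and client_ok


@dataclass
class PrivateResolver:
    vcn_domain: str                                   # "<vcn label>.oraclevcn.com"
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)   # zone -> {fqdn: ip}
    rules: List[ForwardRule] = field(default_factory=list)

    def add_record(self, zone: str, fqdn: str, ip: str) -> None:
        self.zones.setdefault(zone.lower(), {})[fqdn.lower()] = ip

    def add_rule(self, rule: ForwardRule) -> None:
        if len(self.rules) >= MAX_FORWARD_RULES:
            raise ValueError(f"a resolver supports at most {MAX_FORWARD_RULES} rules")
        self.rules.append(rule)

    def resolve(self, qname: str, client_ip: str) -> Tuple[str, Optional[str], Optional[object]]:
        """Return (how, where, answer): the path the query takes and its result."""
        qname = qname.lower().rstrip(".")
        # 1. Authoritative data: the protected oraclevcn.com zone and attached private
        #    views. A hosted zone answers even when the name is absent (None = NXDOMAIN);
        #    rules are never consulted for names the resolver is authoritative for.
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                return ("authoritative", zone, records.get(qname))
        # 2. Not authoritative: the first matching forwarding rule wins.
        for rule in self.rules:
            if rule.matches(qname, client_ip):
                return ("forward", rule.source_endpoint, rule.destinations)
        # 3. Nothing matched: default Internet resolution.
        return ("internet", None, None)


def build_demo_resolver() -> PrivateResolver:
    """Constructed sample: one VCN, one private view and two forwarding rules."""
    r = PrivateResolver("vcn1.oraclevcn.com")
    # Automatically created instance record in the protected subnet zone.
    r.add_record("vcn1.oraclevcn.com", "db.app.vcn1.oraclevcn.com", "10.0.1.10")
    # Custom zone hosted in a private view: a dedicated OCI subzone, so that
    # corp.customer.com names are *not* covered and can still be forwarded.
    r.add_record("oci.customer.com", "app1.oci.customer.com", "10.0.2.20")
    # On-prem names leave through the forwarding endpoint to the corporate DNS server.
    r.add_rule(ForwardRule(["corp.customer.com"], [], "fwd-ep", ["192.168.10.53"]))
    # Only one subnet may send queries for a peer VCN to that VCN's listening endpoint.
    r.add_rule(ForwardRule(["vcn2.oraclevcn.com"], ["10.0.1.0/24"], "fwd-ep", ["10.1.0.5"]))
    return r


if __name__ == "__main__":
    resolver = build_demo_resolver()
    for q in ("db.app.vcn1.oraclevcn.com", "erp.corp.customer.com", "www.example.org"):
        print(q, "->", resolver.resolve(q, "10.0.1.5"))
```

The second rule shows why endpoint connectivity and security lists matter: the forwarding endpoint in vcn1 must be able to reach the listening endpoint at 10.1.0.5 in the peer VCN (through a DRG, with non-overlapping CIDRs) or the rule selects a path that cannot deliver the query.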

Private DNS: Best Practices

  • Within a VCN, always use 169.254.169.254, optionally with forwarding rules
  • Consider a dedicated subzone for resources in OCI, for example oci.customer.co or us-phoenix-1.oci.customer.com
  • Be mindful of reverse DNS zones and resolution, including Private Zones and forwarding rules

DNS Resolver

Internet and VCN resolver:
This is the default choice. It is an Oracle-provided option that includes two parts:
Internet Resolver:
Lets instances resolve host names that are publicly published on the Internet
VCN Resolver:
Lets instances resolve host names (which you can assign) of other instances in the same VCN
Custom resolver:
Use DNS servers of your choice for resolution (maximum three). They could be DNS servers that are:
  • Available on the Internet, for example, 216.146.35.35 for Dyn's Internet Guide
  • In your VCN
  • In your on-premises network, which is connected to your VCN by way of FastConnect or VPN Connect (through a DRG)
OCI Private DNS Services:
Lets you set up a hybrid DNS solution that resolves names in other VCNs in the same or another region, as well as on-premises names

Virtual Cloud Network DNS

  • One DNS Resolver for each VCN
    • Possible to create VCNs with DNS disabled
  • Available at 169.254.169.254
  • Resolves oraclevcn.com names within a VCN
  • Resolves DNS names on the Internet

Traffic Steering

Traffic Management Steering Policies

  • Traffic Management enables customers to configure routing policies for serving intelligent responses to DNS queries
  • Different answers can be served for a query according to the logic in the customer-defined Traffic Management Steering Policy, thus sending users to the most optimal location in your infrastructure.

Traffic Management: Types of Steering Policies

Load Balancer
Distributes traffic over several servers
Failover
Redirects traffic when primary is unavailable
Geolocation
Routes traffic based on geographic conditions
ASN
Routes traffic based on originating ASN number
IP Prefix
Routes traffic based on originating IP prefix

Use Cases

  • Failover
    • Primary asset is monitored from multiple points via Oracle Health Checks
    • Traffic is automatically directed to a different endpoint as soon as service fails to respond
    • Monitoring is powered by Oracle Health Checks
  • Cloud Migration
    • Use Ratio Load Balancing to migrate fractions of traffic to new cloud-hosted resources and test and validate access
    • Gradually migrate more traffic when confident in user experience
  • Load Balancing for Scale
    • For scaling, distribute load across multiple compute instances
    • Leverage Oracle Health Checks to ensure users are sent to healthy endpoints
  • Hybrid Environments
    • Distribute requests across datacentres, regions, and cloud providers
  • Worldwide Geolocation Steering
    • Specify which endpoint a user will be steered to based on their location
    • Select from predefined regions, such as US East or US West, or define custom regions
    • Combine with Oracle Health Checks to fail over from one region to another
  • Canary Testing
    • Limit access to new/beta features before rolling out for General Availability
  • IP-Based Steering
  • Zero-Rating Service
    • Conditional steering can be based on the originating enterprise, mobile operator, or other communications provider. Preferred ASNs can be directed to free resources, whereas all other traffic can be directed to paid resources.

Traffic Management: Concepts

Steering Policies:
A framework to define the traffic management behaviour for your zones. Steering policies contain rules that help to intelligently serve DNS answers.
Attachments:
Enables you to link a steering policy to your zones. An attachment of a steering policy to a zone occludes all records at its domain that are of a covered record type, constructing DNS responses from the steering policy rather than from that domain's records. A domain can have at most one attachment covering any given record type.
Rules:
The guidelines steering policies use to filter answers based on the properties of a DNS request, such as the geolocation of the request or the health of your endpoints.
Answers:
Contain the DNS record data and metadata to be processed in a steering policy.
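Putting the concepts together: answers are records plus metadata (pool, weight, health), rules map client properties to an ordered preference of pools, and the response is built from whatever survives. The simulation below is an added example covering the five policy types and the use cases listed earlier (failover on a health-check failure, 90/10 ratio load balancing for a migration, geolocation with regional fallback, zero-rating by ASN, canary access by IP prefix). It is a simplified model written for these notes, not OCI's evaluation engine; the pool names, region labels, ASNs and addresses are constructed, and the choice to return no answer when every candidate is unhealthy is this model's own.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Answer:
    """DNS record data plus the metadata the policy steers on."""
    rdata: str
    pool: str
    weight: int = 1
    healthy: bool = True          # latest health-check verdict, set by the monitor


@dataclass
class Client:
    """Properties of the querying resolver that rules can match on."""
    ip: str
    geo: str                      # constructed region labels such as "US-EAST"
    asn: int


def weighted_pick(candidates: List[Answer], rng: random.Random) -> Answer:
    return rng.choices(candidates, weights=[a.weight for a in candidates], k=1)[0]


@dataclass
class SteeringPolicy:
    policy_type: str              # LOAD_BALANCE, FAILOVER, GEOLOCATION, ASN or IP_PREFIX
    answers: List[Answer]
    pools: List[str]              # FAILOVER: priority order; LOAD_BALANCE: pools to spread
                                  # across; GEOLOCATION/ASN/IP_PREFIX: default when no rule matches
    geo_map: Dict[str, List[str]] = field(default_factory=dict)
    asn_map: Dict[int, List[str]] = field(default_factory=dict)
    prefix_map: Dict[str, List[str]] = field(default_factory=dict)

    def pool_order(self, client: Client) -> List[str]:
        """Apply the policy's rule to the client: pools in preference order."""
        if self.policy_type == "GEOLOCATION":
            return self.geo_map.get(client.geo, self.pools)
        if self.policy_type == "ASN":
            return self.asn_map.get(client.asn, self.pools)
        if self.policy_type == "IP_PREFIX":          # longest matching prefix wins
            addr = ipaddress.ip_address(client.ip)
            best = None
            for prefix, pools in self.prefix_map.items():
                net = ipaddress.ip_network(prefix)
                if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, pools)
            return best[1] if best else self.pools
        return self.pools                             # FAILOVER and LOAD_BALANCE

    def answer(self, client: Client, rng: Optional[random.Random] = None) -> Optional[Answer]:
        """Build the response: drop unhealthy answers, walk the pools in order,
        and pick among a pool's survivors by weight."""
        rng = rng or random.Random()
        healthy = [a for a in self.answers if a.healthy]
        if self.policy_type == "LOAD_BALANCE":
            candidates = [a for a in healthy if a.pool in self.pools]
            return weighted_pick(candidates, rng) if candidates else None
        for pool in self.pool_order(client):
            candidates = [a for a in healthy if a.pool == pool]
            if candidates:
                return weighted_pick(candidates, rng)
        return None                                   # every endpoint failed its check


def set_pool_health(answers: List[Answer], pool: str, healthy: bool) -> None:
    """What the health-check monitor does when an endpoint stops (or resumes) responding."""
    for a in answers:
        if a.pool == pool:
            a.healthy = healthy


def demo_answers() -> List[Answer]:
    """Constructed endpoints (documentation addresses), one per pool."""
    return [
        Answer("203.0.113.10", "east"), Answer("203.0.113.20", "west"), Answer("203.0.113.30", "eu"),
        Answer("192.0.2.1", "onprem", weight=90), Answer("203.0.113.40", "cloud", weight=10),
        Answer("203.0.113.50", "zero-rated"), Answer("203.0.113.60", "paid"),
        Answer("203.0.113.70", "canary"),
    ]


def migration_split(draws: int = 10000, seed: int = 1) -> float:
    """Fraction of responses steered to the cloud pool under 90/10 ratio load balancing."""
    policy = SteeringPolicy("LOAD_BALANCE", demo_answers(), ["onprem", "cloud"])
    rng = random.Random(seed)
    client = Client("198.51.100.7", "US-EAST", 64500)
    hits = sum(policy.answer(client, rng).pool == "cloud" for _ in range(draws))
    return hits / draws


if __name__ == "__main__":
    answers = demo_answers()
    failover = SteeringPolicy("FAILOVER", answers, ["east", "west"])
    us = Client("198.51.100.7", "US-EAST", 64500)
    print("primary up:", failover.answer(us).rdata)
    set_pool_health(answers, "east", False)
    print("primary down:", failover.answer(us).rdata)
    print("cloud share during migration: %.3f" % migration_split())
```

Note that health is evaluated before any rule: a geolocation or ASN rule never steers a client to an endpoint the monitor has marked down, which is why the notes pair each use case with Oracle Health Checks.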

Health Checks

Performance (latency) and availability are measured from Vantage Points all around the globe. Public IP addresses and FQDNs are the targets for measurement. Endpoints are measured throughout OCI and the hybrid infrastructure. The measurements are made through either PING or HTTP requests.

Failures are handled through DNS Traffic Management to initiate failover.

HTTP Redirects

Redirection can be achieved through either a DNS ALIAS record or an HTTP redirect (301).