diff --git a/doc/source/admin/config-dns-res.rst b/doc/source/admin/config-dns-res.rst index cf5150f41f6..eedc61d430f 100644 --- a/doc/source/admin/config-dns-res.rst +++ b/doc/source/admin/config-dns-res.rst @@ -1,21 +1,27 @@ .. _config-dns-res: -============================= -Name resolution for instances -============================= +============================ +DNS resolution for instances +============================ The Networking service offers several methods to configure name resolution (DNS) for instances. Most deployments should implement -case 1 or 2. Case 3 requires security considerations to prevent +case 1 or 2a. Case 2b requires security considerations to prevent leaking internal DNS information to instances. +.. note:: + All of these setups require the configured DNS resolvers to be reachable + from the virtual network in question. So unless the resolvers are located + inside the virtual network itself, this implies the need for a router to + be attached to that network having an external gateway configured. + Case 1: Each virtual network uses unique DNS resolver(s) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In this case, the DHCP agent offers one or more unique DNS resolvers to instances via DHCP on each virtual network. You can configure a DNS resolver when creating or updating a subnet. To configure more than -one DNS resolver, use a comma between each value. +one DNS resolver, repeat the option multiple times. * Configure a DNS resolver when creating a subnet. 
@@ -69,51 +75,62 @@ one DNS resolver, use a comma between each value. .. note:: When DNS resolvers are explicitly specified for a subnet this way, that - setting will take precedence over the options presented in case 2 and 3. + setting will take precedence over the options presented in case 2. -Case 2: All virtual networks use same DNS resolver(s) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Case 2: DHCP agents forward DNS queries from instances +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -In this case, the DHCP agent offers the same DNS resolver(s) to -instances via DHCP on all virtual networks. +In this case, the DHCP agent offers the list of all DHCP agent's IP addresses +on a subnet as DNS resolver(s) to instances via DHCP on that subnet. -* In the ``dhcp_agent.ini`` file, configure one or more DNS resolvers. To - configure more than one DNS resolver, use a comma between each value. +The DHCP agent then runs a masquerading forwarding DNS resolver with two +possible options to determine where the DNS queries are sent to. - .. code-block:: ini +.. note:: + The DHCP agent will answer queries for names and addresses of instances + running within the virtual network directly instead of forwarding them. - [DEFAULT] - dnsmasq_dns_servers = DNS_RESOLVER +Case 2a: Queries are forwarded to an explicitly configured set of DNS resolvers +------------------------------------------------------------------------------- - Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver reachable - from all virtual networks. For example: +In the ``dhcp_agent.ini`` file, configure one or more DNS resolvers. To +configure more than one DNS resolver, use a comma between the values. - .. code-block:: ini +.. code-block:: ini - [DEFAULT] - dnsmasq_dns_servers = 203.0.113.8, 198.51.100.53 + [DEFAULT] + dnsmasq_dns_servers = DNS_RESOLVER - .. note:: +Replace ``DNS_RESOLVER`` with a list of IP addresses of DNS resolvers reachable +from all virtual networks. 
For example: - You must configure this option for all eligible DHCP agents and - restart them to activate the values. +.. code-block:: ini -Case 3: All virtual networks use DNS resolver(s) on the host -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + [DEFAULT] + dnsmasq_dns_servers = 203.0.113.8, 198.51.100.53 -In this case, the DHCP agent offers the DNS resolver(s) in the -``resolv.conf`` file on the host running the DHCP agent via DHCP to -instances on all virtual networks. +.. note:: -* In the ``dhcp_agent.ini`` file, enable advertisement of the DNS resolver(s) - on the host. + You must configure this option for all eligible DHCP agents and + restart them to activate the values. - .. code-block:: ini +Case 2b: Queries are forwarded to DNS resolver(s) configured on the host +------------------------------------------------------------------------ - [DEFAULT] - dnsmasq_local_resolv = True +In this case, the DHCP agent forwards queries from the instances to +the DNS resolver(s) configured in the +``resolv.conf`` file on the host running the DHCP agent. This requires +these resolvers being reachable from all virtual networks. - .. note:: +In the ``dhcp_agent.ini`` file, enable using the DNS resolver(s) configured +on the host. - You must configure this option for all eligible DHCP agents and - restart them to activate the values. +.. code-block:: ini + + [DEFAULT] + dnsmasq_local_resolv = True + +.. note:: + + You must configure this option for all eligible DHCP agents and + restart them to activate this setting.
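Review bot: In the first hunk, the added `.. note::` is the only place that spells out the reachability requirement, but it conflates two different things: for case 1 the resolvers must be reachable from the instances themselves, while for cases 2a/2b the instances only ever talk to the DHCP agents' addresses and it is the agent's network namespace that must reach the upstream resolvers. Suggest splitting the sentence accordingly, and fixing the grammar in the last line, e.g. "this implies the need for a router attached to that network with an external gateway configured". The intro's "Case 2b requires security considerations" is correct, but the text in this hunk still says "case 1 or 2a" while the heading style for 2a/2b (`---` underlines) is introduced only in the second hunk, so make sure the two hunks land together.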
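Review bot: In the second hunk the new Case 2b section drops the security caveat that the intro explicitly points to ("Case 2b requires security considerations to prevent leaking internal DNS information to instances") and nothing in the section itself explains it. Since `dnsmasq_local_resolv = True` makes the agent forward tenant queries to whatever is in the host's `resolv.conf`, add a `.. note::` or `.. warning::` in that section stating that instances can then query the operator's infrastructure resolvers and that the resolvers should be scoped or filtered accordingly. Minor wording fixes in the same hunk: "the list of all DHCP agent's IP addresses" should read "the IP addresses of all DHCP agents", "a masquerading forwarding DNS resolver" is unclear (the agent runs dnsmasq as a forwarder; say that), and "This requires these resolvers being reachable from all virtual networks" should be "This requires these resolvers to be reachable from the DHCP agents on all virtual networks". The precedence note now says "case 2" but the subsections are 2a and 2b; "cases 2a and 2b" is more precise.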