How VPC Private DNS Powers Secure, Scalable Cloud Networks
VPC private DNS provides an isolated, internal name resolution service for cloud resources, enabling secure, efficient communication, private domain management, recursive queries, and seamless integration with public DNS, while offering advantages such as enhanced security, flexible architecture, simplified operations, high availability, and support for hybrid cloud scenarios.
Background
In today’s increasingly complex cloud computing and network architecture, a VPC (Virtual Private Cloud) provides an isolated network environment that offers a secure, controllable runtime space for services. VPC private DNS serves as the “navigation system” within the VPC, converting domain names to IP addresses and ensuring reliable communication, service discovery, and secure access inside the private network.
Core Definition
VPC private DNS is a DNS resolution service designed specifically for VPC environments. It runs inside the VPC and handles private domain name resolution requests. Unlike public DNS, VPC DNS is visible only to resources within the same VPC, mapping private domain names (e.g., VM or container names, database domains, load‑balancer domains) to their private IP addresses, thus simplifying intra‑network communication.
Key Features
1. Private Domain Management
Users can create multiple private domains, add resolution records, associate each domain with one or more VPCs, and map domain names to IP resources. The service initially supports A records; support for AAAA, CNAME, PTR, MX, SRV and other record types is planned.
2. Recursive Resolution
The service provides recursive DNS resolution for VPC endpoints, forwarding unresolved queries to public DNS servers when necessary. The default DNS server address is 169.254.169.1.
3. Cooperation with Public DNS
When a VPC resource needs to resolve an external domain (e.g., www.google.com), VPC DNS first checks its cache, then forwards the request to a public DNS server if the record is not cached, returning the result to the requester.
Core Advantages
Improved Network Security: Private domain isolation and access control reduce exposure risk.
Enhanced Architectural Flexibility: Custom domains and dynamic resolution adapt to business changes.
Simplified Operations: Eliminates reliance on static IPs, reducing configuration complexity and human error.
Service Availability: Redundant architecture and failover ensure uninterrupted DNS service.
Hybrid‑Cloud Compatibility: Seamlessly bridges private and public networks for complex architectures.
Solution Design
The overall solution is illustrated below.
Key points:
Multiple clusters share metadata subnet 169.254.169.0/24 as the DNS server network, avoiding extra IP consumption.
VPC DNS is stateless, storing records in memory without a database.
The FNAT gateway forwards DNS traffic, eliminating the need for dedicated network devices.
Data Flow
Data flow steps:
Configure VPC subnets with DNS server 169.254.169.1.
Instances obtain the DNS server IP via DHCP, which writes it to /etc/resolv.conf.
Instance queries are sent to 169.254.169.1 and forwarded by the FNAT gateway to VPC DNS.
VPC DNS checks its local cache; on a miss, it recursively queries the upstream Ultron DNS, and then IDC DNS if needed.
Response is returned to the instance through the same path.
Control Flow
Create Subnet
User creates a subnet on the HULK platform.
HULK calls Ultron, which creates the subnet via Neutron and sets dns_nameservers to 169.254.169.1.
Ultron creates an FNAT gateway load balancer, binds the VIP 169.254.169.1:53 to the real server (RS) 169.254.169.1:53, and configures the forwarding rules.
Add Domain Record
User adds a domain record on HULK.
HULK calls Ultron, which creates the record.
Ultron invokes VPC DNS to store the record in memory.
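The data flow (private record, then local cache, then the Ultron DNS / IDC DNS chain) and the control-flow step that stores records in memory, modelled as an added example; this is illustrative code written for this page, not 360's implementation. The upstream resolvers are stand-in dictionaries, the domain names and IPs are constructed placeholders, and the rule that a non-associated VPC receives no answer for a private name is an assumption of the model. It also goes one step beyond the flows above by showing the resource-switching scenario, where updating the record changes the answer with no client change.

```python
import time

class VpcDns:
    """Model of the stateless VPC DNS: records and cache live in memory, no database."""
    def __init__(self, upstreams, ttl=60):
        self.upstreams = upstreams   # lookups tried in order: Ultron DNS, then IDC DNS
        self.ttl = ttl
        self.records = {}            # name -> (ip, VPC ids the private domain is bound to)
        self.cache = {}              # name -> (ip, expiry)
        self.forwarded = 0           # queries sent upstream (to show the cache working)

    # Control flow: HULK -> Ultron -> VPC DNS stores the record in memory.
    def add_record(self, name, ip, vpcs):
        self.records[name.rstrip(".").lower()] = (ip, set(vpcs))

    # Data flow: private record -> local cache -> recursive upstream chain.
    def resolve(self, name, src_vpc):
        name = name.rstrip(".").lower()
        if name in self.records:
            # Private domains answer only for associated VPCs and are never forwarded
            # upstream (assumption of this model: other VPCs get no answer at all).
            ip, vpcs = self.records[name]
            return ip if src_vpc in vpcs else None
        hit = self.cache.get(name)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        for upstream in self.upstreams:
            self.forwarded += 1
            ip = upstream(name)
            if ip is not None:
                self.cache[name] = (ip, time.monotonic() + self.ttl)
                return ip
        return None

# Constructed stand-ins for the upstreams (placeholder data, not real servers).
ultron_dns = {"www.example.com": "203.0.113.10"}.get
idc_dns = {"build.idc.example": "10.200.1.7"}.get

def demo():
    dns = VpcDns([ultron_dns, idc_dns])
    dns.add_record("db.svc.vpc", "10.0.1.20", {"vpc-a"})
    out = {"same_vpc": dns.resolve("db.svc.vpc", "vpc-a"),     # private answer
           "other_vpc": dns.resolve("db.svc.vpc", "vpc-b"),    # not visible
           "public": dns.resolve("www.example.com", "vpc-a"),  # via Ultron DNS
           "idc": dns.resolve("build.idc.example", "vpc-a")}   # Ultron miss, IDC hit
    dns.resolve("www.example.com", "vpc-a")                    # cache hit, no forward
    dns.add_record("db.svc.vpc", "10.0.1.21", {"vpc-a"})       # resource switching
    out["after_switch"] = dns.resolve("db.svc.vpc", "vpc-a")
    out["forwarded"] = dns.forwarded                           # 1 + 2 = 3
    return out
```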
Application Scenarios
Internal Access Hijacking
By creating private domains and mapping them to specific resources, VPC DNS can return predefined responses for internal requests, enabling controlled traffic redirection.
Cloud Service Resource Management
Private domains can be used to manage VM hostnames, load balancers, pods, etc., providing intuitive naming within the VPC while keeping names inaccessible from outside.
Resource Intercommunication
Deploying a custom DNS server that forwards queries to VPC DNS enables mutual name resolution between private services and VPC resources.
Resource Switching
When a server’s private IP changes, updating the corresponding private domain record avoids code changes, simplifying high‑availability deployments.
Subsequent Work
Security Isolation & Access Control
VPC DNS resolves only within the VPC; private domains are invisible to public DNS, preventing external probing. Combined with ACLs and security groups, access can be tightly restricted.
High Availability & Redundancy
Adopting a distributed, multi‑node architecture with VIP health‑check mechanisms ensures automatic failover and continuous DNS service.
Conclusion
VPC private DNS provides recursive DNS resolution for instances inside a VPC, supporting scenarios such as internal access hijacking, cloud resource management, resource intercommunication, and seamless resource switching. Proper configuration of domain rules, access permissions, and redundancy strategies is essential to realize its core value for stable, secure network operations.
360 Zhihui Cloud Developer
360 Zhihui Cloud is an enterprise open service platform that aims to "aggregate data value and empower an intelligent future," leveraging 360's extensive product and technology resources to deliver platform services to customers.