Oracle Corporation

03/29/2024 | Press release | Distributed by Public on 03/29/2024 16:51

Using a hidden primary with OCI DNS

Using a secondary domain name server (DNS) on Oracle Cloud Infrastructure (OCI) in a hidden primary configuration offers useful benefits for the management and security of your DNS zones. Typically, a hidden primary configuration is one where the zones (configured as primary) are managed in your on-premises environment, where companies commonly manage their external DNS through a DNS, DHCP, and IP address management (IPAM), or DDI, appliance. The zones on OCI DNS are configured as secondary, receiving updates from the on-premises primary through DNS NOTIFY and zone transfers. The hidden part comes into play with the nameserver delegation chain.

OCI DNS as a secondary configuration

In a hidden primary configuration, only the nameservers for the zones configured as secondary (in this example, on OCI) are in the delegation. As a result, from the internet's perspective only the OCI nameservers are visible; the on-premises primary servers where you manage the zones are not exposed at all. The main benefit of configuring your DNS this way is that you keep the ability and comfort of managing DNS the way you're used to, on-premises and through your DDI appliance.

However, all DNS queries for your zones go to OCI's DNS edge to be resolved, not to your on-premises DNS server. OCI's DNS edge is globally anycast, consisting of nearly 40 points of presence, which keeps it performant, highly available, and able to handle large volumes of traffic gracefully. OCI is also equipped to handle malicious attacks targeted at the DNS, such as DDoS attacks. OCI's edge is far better placed to identify, respond to, and mitigate these attacks than an on-premises environment, which is usually a single unicast location where the impact of such an attack would be quite severe.

Hidden primary with multiple DNS providers

For users looking to keep redundancy in the authoritative DNS, the hidden primary configuration remains completely viable with two DNS providers configured as secondaries of your hidden primary DNS. Instead of adding one set of nameservers in the delegation, you add the nameservers of both DNS providers, each configured as secondary, while keeping your primary on-premises DNS hidden. In general, the secondary DNS stays in sync with your primary through DNS mechanisms like DNS NOTIFY, IXFR/AXFR zone transfers, and the SOA timer values that govern when the secondary DNS checks for updates.

Key points for creating a hidden primary using OCI

Keep the following factors in mind when creating your hidden primary in OCI:

  • Your primary DNS nameservers should not be in the delegation at the registrar. Ensure that the OCI nameservers are the only ones defined.
  • Create the zone on your primary DNS. Whether creating a zone or using an existing zone, ensure that the OCI nameservers are the only nameservers defined at the apex of the zone, so that your primary nameservers stay hidden.
  • OCI DNS supports TSIG keys, so you can secure the zone-transfer communication between the primary and secondary DNS.
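As an added example (not code from the Oracle article or from OCI's own tooling), the script below checks the key points above, together with the NOTIFY/SOA sync behaviour described in the multi-provider section, against a zone snapshot. It parses NS and SOA records in the presentation format that dig prints, verifies that only the public secondaries appear in the registrar delegation and at the zone apex, flags a primary hostname that leaks through the SOA MNAME field (an extra check the article does not mention; MNAME is world-readable like the NS set), notes transfers that are not TSIG-signed, and turns the SOA timers into worst-case lag figures. Every record, nameserver name and host name in it is a constructed placeholder, and run_audit and sync_bounds are helper names chosen here, not OCI API calls.

```python
# Added example, not from the Oracle article or OCI tooling: audit a zone snapshot
# for the hidden-primary properties listed above. Records and names are constructed.
import re
from dataclasses import dataclass

# Presentation-format line as dig prints it: owner ttl IN type rdata
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>NS|SOA)\s+(?P<rdata>.+)$")


@dataclass(frozen=True)
class Soa:
    mname: str     # nameserver named as primary in the SOA; public, like the NS set
    rname: str
    serial: int
    refresh: int   # seconds between secondary polls when no NOTIFY arrives
    retry: int     # seconds between retries after a failed refresh
    expire: int    # seconds without contact before the secondary stops answering
    minimum: int


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def parse_records(text: str):
    """Return (set of NS targets, Soa or None) from presentation-format lines.
    Comments after ';' and record types other than NS/SOA are ignored."""
    ns, soa = set(), None
    for raw in text.splitlines():
        m = RR_LINE.match(raw.split(";", 1)[0].strip())
        if not m:
            continue
        if m["type"] == "NS":
            ns.add(_norm(m["rdata"]))
        else:
            f = m["rdata"].split()  # mname rname serial refresh retry expire minimum
            soa = Soa(_norm(f[0]), _norm(f[1]), *map(int, f[2:7]))
    return ns, soa


def audit_hidden_primary(delegation_ns, apex_ns, soa, public_ns, primary_hosts, tsig_configured):
    """Return a list of findings; an empty list means the primary is hidden as intended."""
    public = {_norm(n) for n in public_ns}
    hidden = {_norm(n) for n in primary_hosts}
    findings = []
    if delegation_ns != public:
        findings.append(f"delegation NS set {sorted(delegation_ns)} != public secondaries {sorted(public)}")
    if apex_ns != public:
        findings.append(f"apex NS set {sorted(apex_ns)} != public secondaries {sorted(public)}")
    leaked = (delegation_ns | apex_ns) & hidden
    if leaked:
        findings.append(f"hidden primary exposed in NS records: {sorted(leaked)}")
    if soa is not None and soa.mname in hidden:
        # Extra check: SOA MNAME is world-readable, so it names the primary even when
        # no NS record does. Point it at one of the public secondaries instead.
        findings.append(f"SOA MNAME {soa.mname} names the hidden primary")
    if not tsig_configured:
        findings.append("zone transfers to the secondary are not TSIG-signed")
    return findings


def sync_bounds(soa: Soa, notify_delivered: bool) -> dict:
    """Worst-case timings (seconds) for a secondary, derived from the SOA timers."""
    return {
        # With NOTIFY the secondary refreshes at once; without it, it waits a full refresh interval.
        "max_lag_after_change": 0 if notify_delivered else soa.refresh,
        # If the primary is unreachable the secondary retries every `retry` seconds ...
        "retry_interval": soa.retry,
        # ... and keeps serving its last copy until `expire` seconds since the last good contact.
        "serves_stale_until": soa.expire,
    }


# Constructed placeholders: the public (OCI-side) secondaries and the on-prem DDI primary.
PUBLIC_NS = {"ns1.oci-secondary.example", "ns2.oci-secondary.example"}
PRIMARY_HOSTS = {"ddi-primary.corp.example"}

# Constructed snapshots: the parent-side delegation, a correct apex, and a leaky apex.
GOOD_DELEGATION = """\
example.com.  86400 IN NS ns1.oci-secondary.example.
example.com.  86400 IN NS ns2.oci-secondary.example.
"""
GOOD_APEX = """\
example.com.  3600 IN SOA ns1.oci-secondary.example. hostmaster.example.com. 2024032901 3600 900 1209600 300
example.com.  3600 IN NS  ns1.oci-secondary.example.
example.com.  3600 IN NS  ns2.oci-secondary.example.
example.com.  3600 IN A   192.0.2.10   ; other record types are skipped
"""
LEAKY_APEX = """\
example.com.  3600 IN SOA ddi-primary.corp.example. hostmaster.example.com. 2024032901 3600 900 1209600 300
example.com.  3600 IN NS  ddi-primary.corp.example.
example.com.  3600 IN NS  ns1.oci-secondary.example.
example.com.  3600 IN NS  ns2.oci-secondary.example.
"""


def run_audit(delegation_text: str, apex_text: str, tsig_configured: bool = True) -> list:
    delegation_ns, _ = parse_records(delegation_text)
    apex_ns, soa = parse_records(apex_text)
    return audit_hidden_primary(delegation_ns, apex_ns, soa, PUBLIC_NS, PRIMARY_HOSTS, tsig_configured)


if __name__ == "__main__":
    for label, apex in (("clean apex", GOOD_APEX), ("leaky apex", LEAKY_APEX)):
        print(label, "->", run_audit(GOOD_DELEGATION, apex) or ["ok"])
    print("no NOTIFY:", sync_bounds(parse_records(GOOD_APEX)[1], notify_delivered=False))
```

In practice the two snapshots would come from a query to the parent zone's nameservers for the delegation and from the primary's own zone data for the apex; feeding them through run_audit before and after every delegation change is a cheap way to catch a primary that has crept back into view. The sync_bounds figures make the refresh, retry and expire values in the SOA concrete: with NOTIFY working, a change reaches the secondary almost immediately, and without it the secondary can lag a full refresh interval.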

Conclusion

Overall, running a hidden primary configuration is a great way to use secondary DNS with OCI's global anycast DNS edge. In doing so, you gain all the benefits that come with it, such as low-latency responses, high availability, and letting OCI absorb any DDoS attacks, while still maintaining control and management of your zones through your on-premises or DDI environment.

To learn more about secondary DNS on OCI, visit the Secondary DNS documentation. To learn more about OCI and the DNS offering, see Domain Name System (DNS). To get started implementing your DNS on Oracle Cloud Infrastructure, see the Public DNS documentation.