DNS in Oracle Cloud Infrastructure

What is OCI DNS?

  • A service to:
    • Create DNS zones.
    • Add records to DNS zones.
    • Let the OCI edge network answer your domain’s DNS queries.

Components of OCI DNS

  • Domain: A location on the internet, e.g., oracle.com.
  • Zone:
    • A portion of the DNS namespace.
    • Defined by a Start of Authority (SoA) record.
    • Contains all labels under it in the DNS tree.
  • Label:
    • Subdomain = Label + Dot (.) + Zone Name
    • Examples:
      • “www” in “www.google.com”
      • “docs” & “cloud” in “docs.cloud.oracle.com”
    • Records are associated with subdomains.
  • Child Zone:
    • Independent subdomain with its own Start of Authority (SoA) & Name Server (NS) records.
    • The parent of a child zone holds NS records that refer DNS queries to the child’s name servers.
  • Resource Record:
    • Contains specific domain information (called record data (RDATA)) for a zone.
    • Examples:
      • The RDATA of an A or AAAA record contains an IP address for a domain name.
      • The RDATA of an MX record contains information about the mail server for a domain.
  • Delegation: Name servers where your DNS is hosted & managed.

Limits of OCI DNS

  • 1K zones per account.
  • 25K records per zone.
  • Max 1 MB per zone file for zone file uploads.

Reverse DNS Zones

Reverse DNS (rDNS) maps an IP address to a hostname. Use cases:

  • Add labels for tools like traceroute.
  • Populate the “Received” header of an SMTP email.
  • Check for generic rDNS like 1-2-3-4.example.com to identify spammers.
  • Verify the relationship between the domain owner and the server (IP) owner.
  • Write human-readable hostnames to logs.
  • Determine the affected hostname when maintenance is performed on an IP.
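The rDNS mechanics behind these use cases, as an added example that is not part of the original notes: building the PTR owner name for an address, naming the reverse zone that holds a prefix, flagging generic rDNS of the 1-2-3-4.example.com kind, and forward-confirming a PTR answer against the forward A record. Resolver answers are injected as callables, and the SAMPLE_PTR / SAMPLE_A tables are constructed stand-ins using documentation addresses, so nothing here touches the network.

```python
"""Reverse DNS helpers: PTR owner names, the reverse zone for a prefix,
generic-rDNS detection, and forward-confirmed rDNS (FCrDNS).
Lookups are passed in as callables so everything runs offline; the
SAMPLE_* tables below are constructed stand-ins for resolver answers."""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List


def ptr_name(ip: str) -> str:
    """PTR owner name: reversed octets under in-addr.arpa for IPv4,
    reversed hex nibbles of the expanded address under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(str(addr).split(".")[::-1]) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")[::-1]
    return ".".join(nibbles) + ".ip6.arpa."


def reverse_zone_name(prefix: str) -> str:
    """Name of the reverse zone covering a prefix. A zone cut must fall on a
    whole label, so IPv4 prefixes must be octet-aligned (/8, /16, /24) and
    IPv6 prefixes nibble-aligned (a multiple of 4 bits)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs an octet-aligned prefix")
        kept = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(kept[::-1]) + ".in-addr.arpa."
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a nibble-aligned prefix")
    kept = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(kept[::-1]) + ".ip6.arpa."


def is_generic_rdns(ip: str, hostname: str) -> bool:
    """True when an IPv4 PTR target merely encodes the address, e.g.
    1-2-3-4.example.com or 4.3.2.1.dsl.example.net. Such names usually mark
    unmanaged hosts, which mail receivers treat as a spam signal."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("generic-rDNS heuristic is defined for IPv4 only")
    octets = [int(o) for o in str(addr).split(".")]
    numbers = [int(n) for n in re.findall(r"\d+", hostname)]
    for i in range(len(numbers) - len(octets) + 1):
        window = numbers[i : i + len(octets)]
        if window == octets or window == octets[::-1]:
            return True
    return False


def forward_confirmed(ip: str,
                      ptr_lookup: Callable[[str], Iterable[str]],
                      a_lookup: Callable[[str], Iterable[str]]) -> bool:
    """FCrDNS: at least one PTR target must resolve back to the same IP.
    The PTR is published by the address owner and the A record by the
    domain owner, so agreement shows the two parties are related."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == addr
               for host in ptr_lookup(ip) for a in a_lookup(host))


# Constructed sample answers (RFC 5737 documentation addresses).
SAMPLE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.com."],
    "203.0.113.11": ["203-0-113-11.dyn.example.net."],
    "203.0.113.12": ["mail.example.org."],  # forward record points elsewhere
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.com.": ["203.0.113.10"],
    "203-0-113-11.dyn.example.net.": ["203.0.113.11"],
    "mail.example.org.": ["198.51.100.5"],
}


def assess(ip: str) -> dict:
    """Run the checks a mail receiver applies to a connecting address."""
    hosts = SAMPLE_PTR.get(ip, [])
    return {
        "ptr_name": ptr_name(ip),
        "hostnames": hosts,
        "generic": any(is_generic_rdns(ip, h) for h in hosts),
        "forward_confirmed": forward_confirmed(
            ip, lambda a: SAMPLE_PTR.get(a, []), lambda h: SAMPLE_A.get(h, [])),
    }


if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        print(sample_ip, assess(sample_ip))
    print(reverse_zone_name("203.0.113.0/24"))
```

`reverse_zone_name` is the name you would give the reverse zone itself (for example `113.0.203.in-addr.arpa.` for 203.0.113.0/24), while `ptr_name` gives the owner name of each PTR record inside it; the alignment checks reject prefixes that cannot be expressed as a single zone.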

Resource Record Types Supported by OCI DNS

  • A: An address record. Points a hostname to an IPv4 address.
  • AAAA: An address record. Points a hostname to an IPv6 address.
  • ALIAS: A private pseudo-record. Allows CNAME functionality at the apex of a zone.
  • CAA: Certification Authority Authorization. Specifies CAs authorized to issue certificates for the domain.
  • CDNSKEY: A Child DNSKEY moves a DNSSEC key from a child zone to a parent zone.
  • CDS: Child Delegation Signer. Child copy of a DS record, for transfer to a parent zone.
  • CERT: A Certificate record. Stores public key certificates & related certificate revocation lists.
  • CNAME: Canonical Name. Identifies the canonical name of a domain.
  • CSYNC: Child-to-Parent Synchronization. Syncs records from child to parent zone.
  • DHCID: DHCP Identifier. Stores DHCP client identifiers to eliminate potential hostname conflicts within a zone.
  • DKIM: DomainKeys Identified Mail. A special TXT record. Supplies a public key used to authenticate arriving mail for a domain.
  • DNAME: Delegation Name. Similar to CNAME. Maps an entire subtree beneath a label to another domain.
  • DNSKEY: Documents public keys used for DNSSEC.
  • DS: Delegation Signer. Resides at the TLD. Points to the child’s DNSKEY. Created when DNSSEC security authentication is added to the zone.
  • IPSECKEY: Stores public keys for a host, network, or application to connect to IPSec systems.
  • KEY: Stores a public key associated with a domain name. Used by SIG and TKEY.
  • KX: Key Exchanger. Identifies a key management agent for a domain in some cryptographic systems.
  • LOC: Location. Stores geographic location data of computers, subnets, and networks.
  • MX: Mail Exchanger. Defines the mail server accepting mail for the domain. Must point to a hostname. Must not point to a CNAME or IP.
  • NS: Name Server. Lists authoritative nameservers for a zone.
  • PTR: Pointer. Maps an IP address to a hostname. The reverse of an A record.
  • PX: Used in X.400 mapping protocols.
  • SOA: Start of Authority. Specifies authoritative information about a zone, including:
    • Primary name server.
    • Domain admin’s email.
    • Domain serial number.
    • Timers relating to refreshing the zone.
  • SPF: Sender Policy Framework. A special TXT record. Stores data designed to detect email spoofing.
  • SRV: Service Locator. Allows several servers to be used for a single domain.
  • SSHFP: SSH Public Key Fingerprint. Publishes SSH public host key fingerprints.
  • TLSA: TLS Authentication. Associates a TLS certificate or public key with a domain.
  • TXT: Holds descriptive, human-readable text. Sometimes includes non-human-readable content for specific uses. Used for SPF & DKIM.
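Several of the rules above (MX must name a host and never an IP literal or a CNAME; CNAME is not permitted at the apex, which is what ALIAS is for; the SOA carries the primary name server, admin mailbox, serial and timers; at most 25K records per zone) can be checked before a zone is uploaded. The validator below is an added example, not OCI code: records are plain (owner, type, rdata) tuples, the record limit constant mirrors the limit stated in these notes, and the GOOD_ZONE / BAD_ZONE data is constructed.

```python
"""Pre-upload sanity checks for a zone's resource records, applying rules
from the record-type notes: MX must name a host, never an IP literal or a
CNAME; no CNAME at the apex (ALIAS covers that case); exactly one SOA and
at least one NS at the apex; SOA RDATA carries MNAME, RNAME, serial and
four timers; no more than 25,000 records per zone. Records are
(owner, type, rdata) tuples; the sample zones below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Record = Tuple[str, str, str]
MAX_RECORDS_PER_ZONE = 25_000   # per-zone limit quoted in the notes


def canon(name: str) -> str:
    """Lower-case, fully qualified owner name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


@dataclass
class Soa:
    primary_ns: str
    admin_mailbox: str   # "hostmaster.example.com." encodes hostmaster@example.com
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Split SOA RDATA 'MNAME RNAME serial refresh retry expire minimum'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA needs MNAME, RNAME, serial and four timers")
    return Soa(canon(fields[0]), canon(fields[1]), *(int(f) for f in fields[2:]))


def is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def check_zone(zone: str, records: List[Record]) -> List[str]:
    """Return a list of problems; an empty list means the zone passed."""
    apex = canon(zone)
    problems: List[str] = []
    if len(records) > MAX_RECORDS_PER_ZONE:
        problems.append(f"{len(records)} records exceed the per-zone limit of {MAX_RECORDS_PER_ZONE}")
    recs = [(canon(o), t.upper(), r.strip()) for o, t, r in records]
    cname_owners = {o for o, t, _ in recs if t == "CNAME"}
    soas = [r for o, t, r in recs if t == "SOA" and o == apex]
    if len(soas) != 1:
        problems.append(f"expected exactly one SOA at {apex}, found {len(soas)}")
    else:
        try:
            parse_soa(soas[0])
        except ValueError as exc:
            problems.append(f"malformed SOA: {exc}")
    if not any(t == "NS" and o == apex for o, t, _ in recs):
        problems.append(f"no NS records at apex {apex}")
    if apex in cname_owners:
        problems.append(f"CNAME at apex {apex}: use ALIAS for apex aliasing")
    for owner, rtype, rdata in recs:
        if owner != apex and not owner.endswith("." + apex):
            problems.append(f"{owner} lies outside zone {apex}")
        if rtype == "MX":
            exchange = rdata.split()[-1]          # "10 mail.example.com." -> host
            if is_ip_literal(exchange):
                problems.append(f"MX at {owner} points to IP literal {exchange}")
            elif canon(exchange) in cname_owners:
                problems.append(f"MX at {owner} points to CNAME {canon(exchange)}")
    return problems


# Constructed sample zones (RFC 5737 documentation addresses).
GOOD_ZONE: List[Record] = [
    ("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 2024060101 3600 900 1209600 300"),
    ("example.com", "NS", "ns1.example.com."),
    ("example.com", "NS", "ns2.example.com."),
    ("example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("example.com", "MX", "10 mail.example.com."),
    ("www.example.com", "CNAME", "example.com."),
]
BAD_ZONE: List[Record] = GOOD_ZONE + [
    ("smtp.example.com", "CNAME", "mail.example.com."),
    ("example.com", "MX", "20 smtp.example.com."),   # MX -> CNAME
    ("example.com", "MX", "30 203.0.113.26"),        # MX -> IP literal
    ("example.com", "CNAME", "example.net."),        # CNAME at apex
]

if __name__ == "__main__":
    print("good:", check_zone("example.com", GOOD_ZONE))
    for problem in check_zone("example.com", BAD_ZONE):
        print("bad:", problem)
```

The MX check resolves the exchange name against the zone's own CNAME owners only; a CNAME hosted in a different zone would need a live lookup, which this offline check deliberately does not perform.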

HTTP Redirects

Use the HTTP Redirect service to redirect:

  • One zone to another: example.net to example.com.
  • A subdomain to a URL: test.example.com to example.net/test.
  • A subdomain to a URL with a port: camera.example.com to office.example.com:8080.
  • A deprecated domain permanently: HTTP 301.
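To make the four redirect shapes concrete, here is an added example (an illustration, not the OCI service's implementation) that models host-based redirect rules and resolves a request's Host header and path to a status code and Location. It generalises the zone-to-zone case by carrying the requesting host's extra labels over to the target zone, so www.example.net lands on www.example.com. The `RedirectRule` type and the RULES list are constructed for this example.

```python
"""A small model of host-based HTTP redirect rules: zone to zone, subdomain
to URL, subdomain to URL with port, and a permanent 301 for a deprecated
domain. Illustration only, not the OCI service; rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class RedirectRule:
    source: str               # hostname (or zone name, when whole_zone is True)
    target: str               # target URL; may carry a port, e.g. http://office.example.com:8080
    whole_zone: bool = False  # also match names under `source`, keeping their labels
    keep_path: bool = True    # append the request path and query to the target
    permanent: bool = True    # 301 when True, 302 otherwise


def _norm(host: str) -> str:
    return host.strip().lower().rstrip(".")


def resolve(rules: List[RedirectRule], host: str, path: str = "/",
            query: str = "") -> Optional[Tuple[int, str]]:
    """First matching rule wins; returns (status, Location) or None.
    Zone matching requires a label boundary, so notexample.net does not
    match a rule for example.net."""
    h = _norm(host)
    for rule in rules:
        src = _norm(rule.source)
        if h == src:
            prefix = ""
        elif rule.whole_zone and h.endswith("." + src):
            prefix = h[: -len(src)]          # e.g. "www." for www.example.net
        else:
            continue
        t = urlsplit(rule.target)
        netloc = prefix + t.netloc
        new_path, new_query = t.path or "/", t.query
        if rule.keep_path:
            new_path = t.path.rstrip("/") + (path if path.startswith("/") else "/" + path)
            new_query = query or t.query
        location = urlunsplit((t.scheme or "https", netloc, new_path, new_query, ""))
        return (301 if rule.permanent else 302), location
    return None


# Constructed rule set mirroring the four cases in the notes.
RULES = [
    RedirectRule("example.net", "https://example.com", whole_zone=True),
    RedirectRule("test.example.com", "https://example.net/test", keep_path=False),
    RedirectRule("camera.example.com", "http://office.example.com:8080"),
    RedirectRule("old-brand.example", "https://example.com", permanent=True),
]

if __name__ == "__main__":
    for host, path, query in [("www.example.net", "/docs", ""),
                              ("test.example.com", "/anything", ""),
                              ("camera.example.com", "/stream", "id=1"),
                              ("unknown.example", "/", "")]:
        print(host, path, "->", resolve(RULES, host, path, query))
```

Rule order matters because the first match wins, so a whole-zone rule placed before a more specific subdomain rule in the same zone would shadow it.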