Configuring remote resolvers - BlueCat Cloud Resolver - 1.5.0

BlueCat Cloud Resolver Administration Guide

Locale: English
Product name: BlueCat Cloud Resolver
Version: 1.5.0

Within the Cloud Resolver configuration file, the CRS_CONFIGURATION_ZONE value names a private DNS zone that you can optionally configure to give Cloud Resolver access to the two types of remote resolvers. The default value is cloudresolver.config.

If you are configuring remote resolvers, set the value to the name of the zone in your cloud provider. The zone must exist in a cloud environment that Cloud Resolver can discover, and it must contain at least one TXT record that defines a remote resolver. A remote resolver TXT record must contain the following:

AWS function resolvers

  • Name—the record name must contain the VPC resource ID, followed by .cloudresolver.config. The format is as follows:
    <vpc_id>.cloudresolver.config
  • Record data—the record data must be in a specific format containing the VPC resource ID, followed by a key-value pair that identifies the remote resolver. The format is as follows:
    "<vpc_id> <dns|arn>=<socket_address_of_dns_server|Lambda_arn>"
    Where the values are as follows:
    • <vpc_id>—the cloud provider-assigned ID of the VPC that the remote resolver has DNS access to.
    • <dns|arn>—specify dns if you are entering the IP address of a DNS server or arn if you are entering the ARN of a function resolver.
    • <socket_address_of_dns_server|Lambda_arn>—specify the IP address of the DNS server in the format <ip_address>:<port> if you specified dns as the key, or specify the ARN of the Lambda that will resolve queries if you specified arn as the key.
    For example,
    "aaaa-bbbb-cccc-dddd dns=1.2.3.4:53"
    or
    "aaaa-bbbb-cccc-dddd arn=abcde01234"

Azure remote resolvers

  • Name—the record name must contain the subscription ID, resource group ID, and virtual network name. The format is as follows:
    <subscription_id>.<resource_group_id>.<virtual_network_name>
  • Record data—the record data must be a key-value pair, in a specific format, that identifies the remote resolver. The format is as follows:
    "dns=<socket_address_of_dns_server>"
    Where the values are as follows:
    • <socket_address_of_dns_server>—specify the IP address of the DNS server in the format <ip_address>:<port>.
    For example,
    "dns=1.2.3.4:53"
Note: One remote resolver can be specified per TXT record; however, multiple TXT records can be defined in the configuration zone.
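As an added example (not BlueCat's code), the following Python validator parses the AWS and Azure TXT record formats described above and reports malformed records before Cloud Resolver's next discovery rejects them. It assumes the default zone name cloudresolver.config, a cross-check that the VPC ID in the AWS record data matches the record name, and that an Azure record name has at least the three labels listed; the function and variable names are the example's own.

```python
import ipaddress
import re

CONFIG_ZONE = "cloudresolver.config"  # default configuration zone name from the page

def _check_socket(addr: str) -> str:
    """Validate an <ip_address>:<port> value; raise ValueError if it is malformed."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad socket address {addr!r}")
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP address
    return addr

def parse_aws_record(name: str, data: str) -> dict:
    """Name: <vpc_id>.cloudresolver.config   Data: "<vpc_id> <dns|arn>=<value>"."""
    if not name.endswith("." + CONFIG_ZONE):
        raise ValueError(f"{name!r} is not under {CONFIG_ZONE}")
    vpc_in_name = name[: -len(CONFIG_ZONE) - 1]
    m = re.fullmatch(r"(\S+)\s+(dns|arn)=(\S+)", data.strip().strip('"'))
    if m is None:
        raise ValueError(f"{data!r} is not '<vpc_id> <dns|arn>=<value>'")
    vpc, kind, target = m.groups()
    # Assumed consistency check, not stated on the page: the VPC ID in the
    # record data should be the one the record is named after.
    if vpc != vpc_in_name:
        raise ValueError(f"VPC {vpc!r} in data does not match record name {vpc_in_name!r}")
    if kind == "dns":
        _check_socket(target)
    return {"provider": "aws", "network": vpc, "kind": kind, "target": target}

def parse_azure_record(name: str, data: str) -> dict:
    """Name: <subscription_id>.<resource_group_id>.<virtual_network_name>   Data: "dns=<ip>:<port>"."""
    if len(name.split(".")) < 3:  # assumed: at least the three labels the page lists
        raise ValueError(f"{name!r} lacks subscription, resource group and network labels")
    m = re.fullmatch(r"dns=(\S+)", data.strip().strip('"'))
    if m is None:
        raise ValueError(f"{data!r} is not 'dns=<ip_address>:<port>'")
    return {"provider": "azure", "network": name, "kind": "dns", "target": _check_socket(m.group(1))}

def check_zone(provider: str, records: list) -> list:
    """Return one error per malformed (name, data) TXT record; an empty list means all parse."""
    parse = parse_aws_record if provider == "aws" else parse_azure_record
    errors = []
    for name, data in records:
        try:
            parse(name, data)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return errors
```

Run check_zone over the (name, data) pairs exported from the configuration zone; any non-empty result is a record Cloud Resolver would report as an error on the next discovery.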

Once you have configured the TXT record for each remote resolver, Cloud Resolver accesses these records using the given cloud provider's web API so that the zone can be made private. Cloud Resolver attempts to parse each TXT record defined in the configuration zone. If any TXT records do not conform to the required format, an error message is returned. The configuration zone's contents can be updated at any time and Cloud Resolver consumes the new data upon the next discovery; Cloud Resolver does not need to be restarted.

Once the configuration zone has been created and populated, the following resources are required:
  • The private DNS zone must be in a discoverable tenant.
  • You must have a link between that private DNS zone and a network in an undiscoverable tenant.
  • You must have records in the private DNS zone for the VMs in the undiscoverable tenant.