Within the Cloud Resolver configuration file, the CRS_CONFIGURATION_ZONE value is a private DNS zone that you can optionally configure to provide Cloud Resolver with access to the two types of remote resolvers. The default value is cloudresolver.config.
If you are configuring remote resolvers, set the value to the zone name in your cloud provider. The zone must exist in a cloud environment that Cloud Resolver can discover, and it must contain at least one TXT record that defines a remote resolver. Each remote resolver TXT record must contain the following:
AWS function resolvers
- Name: the record name must contain the VPC resource ID, followed by .cloudresolver.config. The format is as follows:
  <vpc_id>.cloudresolver.config
- Record data: the record data must contain the VPC resource ID, followed by a key-value pair that identifies the remote resolver. The format is as follows:
  "<vpc_id> <dns|arn>=<socket_address_of_dns_server|Lambda_arn>"
  Where the values are as follows:
  <vpc_id>: the cloud provider-assigned ID of the VPC that the remote resolver has DNS access to.
  <dns|arn>: specify dns if you are entering the IP address of a DNS server, or arn if you are entering the ARN of a function resolver.
  <socket_address_of_dns_server|Lambda_arn>: specify the IP address of the DNS server in the format <ip_address>:<port> if you specified dns as the key, or specify the ARN of the Lambda function that will resolve queries if you specified arn as the key.
  For example, "aaaa-bbbb-cccc-dddd dns=1.2.3.4:53" or "aaaa-bbbb-cccc-dddd arn=abcde01234".
Azure remote resolvers
- Name: the record name must contain the subscription ID, resource group ID, and virtual network name. The format is as follows:
  <subscription_id>.<resource_group_id>.<virtual_network_name>
- Record data: the record data is a key-value pair that identifies the remote resolver. The format is as follows:
  "dns=<socket_address_of_dns_server>"
  Where the value is as follows:
  <socket_address_of_dns_server>: specify the IP address of the DNS server in the format <ip_address>:<port>.
  For example, "dns=1.2.3.4:53".
Once you have configured the TXT record for each remote resolver, Cloud Resolver reads these records through the cloud provider's web API rather than over DNS, so the zone can be kept private. Cloud Resolver attempts to parse each TXT record defined in the configuration zone; if any TXT record does not conform to the required format, an error message is returned for it. The configuration zone's contents can be updated at any time, and Cloud Resolver consumes the new data upon the next discovery; it does not need to be restarted.
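As an added example, not part of the Cloud Resolver documentation or product, the following Python validator parses configuration-zone TXT records in the AWS and Azure formats described above and reports each record that does not conform, mirroring the parse-and-report behaviour just described. Two checks are assumptions of this example rather than documented behaviour: the VPC ID in an AWS record name must match the one in its record data, and an Azure record name is also accepted when given as an FQDN inside the configuration zone. The sample records are constructed.

```python
"""Validator for Cloud Resolver configuration-zone TXT records (added example, not product code)."""
import ipaddress
import re
from dataclasses import dataclass

CONFIG_ZONE = "cloudresolver.config"  # default value of CRS_CONFIGURATION_ZONE
_KV_RE = re.compile(r"^(dns|arn)=(\S+)$")  # <dns|arn>=<value>, value is one whitespace-free token


@dataclass(frozen=True)
class RemoteResolver:
    provider: str  # "aws" or "azure"
    scope: str     # AWS: VPC ID; Azure: <subscription_id>.<resource_group_id>.<virtual_network_name>
    kind: str      # "dns" or "arn"
    target: str    # <ip_address>:<port> for dns, Lambda ARN for arn


class RecordFormatError(ValueError):
    """A TXT record that does not follow the documented format."""


def _check_socket_address(value: str) -> None:
    """Accept <ip_address>:<port>; an IPv6 address must be bracketed, e.g. [2001:db8::1]:53."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise RecordFormatError(f"{value!r} is not <ip_address>:<port>")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise RecordFormatError(f"{host!r} in {value!r} is not an IP address") from None


def _parse_kv(token: str, allowed: tuple) -> tuple:
    """Split <key>=<value>, restricting the key to what the provider permits."""
    m = _KV_RE.match(token)
    if not m or m.group(1) not in allowed:
        raise RecordFormatError(f"{token!r} is not <{'|'.join(allowed)}>=<value>")
    kind, target = m.groups()
    if kind == "dns":
        _check_socket_address(target)
    # The page's own example uses a placeholder ARN (arn=abcde01234), so an ARN is only
    # required to be a single non-empty token here; real Lambda ARNs start with arn:aws:lambda:.
    return kind, target


def _split_data(data: str, expected: int, shape: str) -> list:
    """TXT RDATA may arrive quoted; strip the quotes, then split on whitespace."""
    tokens = data.strip().strip('"').split()
    if len(tokens) != expected:
        raise RecordFormatError(f"record data {data!r} is not {shape}")
    return tokens


def parse_aws_record(name: str, data: str) -> RemoteResolver:
    """AWS: name <vpc_id>.cloudresolver.config, data "<vpc_id> <dns|arn>=<target>"."""
    fqdn, suffix = name.rstrip(".").lower(), "." + CONFIG_ZONE
    vpc_from_name = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
    if not vpc_from_name or "." in vpc_from_name:
        raise RecordFormatError(f"record name {name!r} is not <vpc_id>{suffix}")
    vpc_from_data, kv = _split_data(data, 2, '"<vpc_id> <dns|arn>=<target>"')
    # Assumption of this example: the VPC ID in the name and in the data must agree, so a
    # resolver cannot be attached to a VPC other than the one the record was published under.
    if vpc_from_data.lower() != vpc_from_name:
        raise RecordFormatError(f"VPC ID {vpc_from_data!r} in data differs from {vpc_from_name!r} in name")
    kind, target = _parse_kv(kv, ("dns", "arn"))
    return RemoteResolver("aws", vpc_from_data, kind, target)


def parse_azure_record(name: str, data: str) -> RemoteResolver:
    """Azure: name <subscription_id>.<resource_group_id>.<virtual_network_name>, data "dns=<ip>:<port>"."""
    scope, suffix = name.rstrip("."), "." + CONFIG_ZONE
    if scope.lower().endswith(suffix):  # assumption: also accept the FQDN form inside the zone
        scope = scope[: -len(suffix)]
    labels = scope.split(".")
    # The documented form has three labels; names whose own components contain dots cannot be
    # split unambiguously, so only a minimum label count is enforced and the scope is kept whole.
    if len(labels) < 3 or not all(labels):
        raise RecordFormatError(f"record name {name!r} is not <subscription_id>.<resource_group_id>.<virtual_network_name>")
    (kv,) = _split_data(data, 1, '"dns=<ip_address>:<port>"')
    kind, target = _parse_kv(kv, ("dns",))  # Azure records take a DNS server only, no function ARN
    return RemoteResolver("azure", scope, kind, target)


_PARSERS = {"aws": parse_aws_record, "azure": parse_azure_record}


def validate_zone(records) -> tuple:
    """Parse every (provider, name, data) TXT record; return (resolvers, error_messages)."""
    resolvers, errors = [], []
    for provider, name, data in records:
        try:
            resolvers.append(_PARSERS[provider](name, data))
        except RecordFormatError as exc:
            errors.append(f"{name}: {exc}")
    return resolvers, errors


# Constructed sample records: three well-formed, three that would be reported as errors.
SAMPLE_RECORDS = [
    ("aws", "vpc-0a1b2c3d.cloudresolver.config", '"vpc-0a1b2c3d dns=10.0.0.2:53"'),
    ("aws", "vpc-0a1b2c3d.cloudresolver.config",
     '"vpc-0a1b2c3d arn=arn:aws:lambda:us-east-1:123456789012:function:resolver"'),
    ("azure", "11111111-2222-3333-4444-555555555555.rg-prod.vnet-hub", '"dns=10.1.0.4:53"'),
    ("aws", "vpc-0a1b2c3d.cloudresolver.config", '"vpc-0a1b2c3d dns=10.0.0.2"'),              # no port
    ("aws", "vpc-ffffffff.cloudresolver.config", '"vpc-0a1b2c3d dns=10.0.0.2:53"'),           # VPC mismatch
    ("azure", "11111111-2222-3333-4444-555555555555.rg-prod.vnet-hub", '"arn=abcde01234"'),  # arn not allowed
]

if __name__ == "__main__":
    ok, bad = validate_zone(SAMPLE_RECORDS)
    for r in ok:
        print("OK   ", r)
    for e in bad:
        print("ERROR", e)
```

Run against the constructed records, the three conforming entries come back as RemoteResolver objects and the other three produce one error message each, which is the outcome to expect from Cloud Resolver's own parse of a misconfigured zone. Because a single malformed record is reported without silencing the valid ones, running such a check before publishing changes to the zone lets you catch the mistake before the next discovery picks it up.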
- The private DNS zone must be in a discoverable tenant.
- You must have a link between that private DNS zone and a network in an undiscoverable tenant.
- You must have records in the private DNS zone for the VMs in the undiscoverable tenant.