---
lastupdated: "2023-07-07"
subcollection: dns-svcs
---
{{site.data.keyword.attribute-definition-list}}
{: #frequently-asked-questions}
Have a question about {{site.data.keyword.dns_full}}? Review frequently asked questions, which provide answers to provisioning concerns, application access, and other common inquiries.
{: shortdesc}
{: #private-zone} {: faq}
To create your own private DNS zone using {{site.data.keyword.dns_short}}, take the following steps.
- Create a VPC instance.
- Create a {{site.data.keyword.dns_short}} instance.
- Add a DNS zone to the {{site.data.keyword.dns_short}} instance.
- Designate the VPC instance as a permitted network for the DNS zone.
- Add a DNS Resource Record to the DNS zone.
- Verify name resolution of the DNS Resource Record works from within the VPC.
{: #not-for-public} {: faq}
{{site.data.keyword.dns_short}} permits name resolution only from permitted VPCs within your {{site.data.keyword.cloud}} account. The DNS zone is not resolvable from the internet.
{: #publicly-available-dns-records} {: faq}
No, {{site.data.keyword.dns_short}} only offers private DNS at the moment. Use {{site.data.keyword.cis_short_notm}} for public DNS.
{: #dnssec-supported-with-zones} {: faq}
DNSSEC allows resolvers to cryptographically verify the data received from authoritative servers. {{site.data.keyword.dns_short}} resolvers support DNSSEC for public domains, for which requests are forwarded to public resolvers that support DNSSEC. For private zones, since the authority is within {{site.data.keyword.cloud_notm}}, records are fetched using secure protocols and are guaranteed to have the same level of privacy and security that DNSSEC provides for public zones.
{: #is-dns-svcs-global} {: faq}
{{site.data.keyword.dns_short}} is a global service and can be used from permitted networks in any {{site.data.keyword.cloud_notm}} region.
{: #purpose-of-label} {: faq}
A given instance can have multiple DNS zones with the same name. The label helps to differentiate zones with name collisions.
{: #how-many-private-zones-supported} {: faq}
{{site.data.keyword.dns_short}} supports 10 private zones per service instance.
{: #how-many-permitted-networks-supported} {: faq}
{{site.data.keyword.dns_short}} supports 10 permitted networks per DNS zone.
{: #how-many-dns-records-supported} {: faq}
{{site.data.keyword.dns_short}} supports 3500 DNS records per DNS zone.
{: #delete-dns-svcs-instance} {: faq}
To delete a {{site.data.keyword.dns_short}} instance, take the following steps.
- Navigate to the Resource List in the {{site.data.keyword.cloud_notm}} console.
- Click the "overflow" menu in the final column and select "Delete".
{: #why-cant-i-delete-an-instance} {: faq} {: support}
If a DNS zone has been added to the {{site.data.keyword.dns_short}} instance, the instance cannot be deleted.
{: #why-cant-i-delete-a-zone} {: faq}
If a network has been added to a zone, the zone cannot be deleted until the permitted network is deleted from the zone.
{: #what-if-i-delete-vpc} {: faq}
If the VPC is deleted, the corresponding permitted network will also be deleted from the DNS zones of your instance.
Why can I still resolve my resource records after I deleted its associated zone or permitted network?
{: #why-can-i-resolve-resource-records-after-delete} {: faq}
To maintain a level of performance while resolving DNS queries, DNS Services resolvers cache data related to permitted networks for a period of time. Changes made to a permitted network might not have propagated until the previously cached data expires. See Known limitations for more details.
{: #disabled-custom-resolver-charge} {: faq}
When you disable a custom resolver or a custom resolver location, the underlying appliance is still provisioned and subject to billing. To prevent unwanted charges, delete the custom resolver and custom resolver locations.
{: #zone-states-definitions} {: faq}
The zone state definitions are as follows.
- Pending: When a DNS zone is added to the instance, it is in the `Pending` state. In this state, resource records can be added, deleted, or updated. Since the zone does not have any permitted networks, the zone is not served by the resolvers in any region.
- Active: When a zone has one or more permitted networks added, the zone state changes to `ACTIVE` and the zone is served by the resolvers in all regions.
- Disabled: In this state, the zone is not served and all control path operations are disabled except deleting the zone.
{: #can-i-use-any-name-for-zone} {: faq} {: support}
In general, yes, you can use any name for the zone. Certain IBM-owned or IBM-specific DNS zone names are restricted, in other words, they can't be created in {{site.data.keyword.dns_short}}. See Restricted DNS zone names for the complete list.
{: #can-i-create-2-zones-with-same-name} {: faq}
Creating two DNS zones with the same name is allowed. Use label and description as described in the following steps to differentiate between the two.
- Create an instance of {{site.data.keyword.dns_short}}.
- Create a DNS zone for each environment (for example, production, staging, development, testing). When creating the zone, be sure to include a description indicating what environment the zone is for. The zone name is the same for each zone (for example, `testing.com`).

  A single {{site.data.keyword.dns_short}} instance can only contain 10 zones.
  {: note}
- Add a zone to the instance of {{site.data.keyword.dns_short}}.
- In each respective zone, add specific VPCs as permitted networks. For example, for a development VPC, create a permitted network with the development VPC ID in the DNS zone for the development environment.

  While duplicate zone names are allowed in an account, duplicate zones cannot be associated with a single permitted network.
  {: note}
- The result is that traffic from the development VPC only sees records from the development DNS zone, and similarly for all the other environments. This way, you can use the same zone name in all environments, with the results tailored to each respective environment.
{: #can-i-add-same-permitted-network-to-two-dns-zones-same-name} {: faq}
No, adding the same permitted network (for example, a VPC) to two DNS zones of the same name is not allowed.
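The rules in the preceding answers (10 zones per instance, 10 permitted networks per zone, 3500 records per zone, the Pending/Active zone states, the deletion ordering, and the "one VPC cannot be permitted on two zones of the same name" restriction) can be checked against a small model. The following is an added illustration written for this page, not IBM's code or API; the VPC IDs, record values and the `DnsServicesInstance` class are constructed assumptions. It shows why the restriction exists: resolution is decided per VPC, so the same name `api.testing.com` answers differently in the development and production VPCs, and a VPC permitted on both zones would be ambiguous.

```python
"""Toy model of the DNS Services rules described in this FAQ (added example,
not IBM code). Limits and states are the ones quoted on the page; VPC ids,
hostnames and addresses are constructed sample data.
"""
from dataclasses import dataclass, field

MAX_ZONES_PER_INSTANCE = 10
MAX_PERMITTED_NETWORKS_PER_ZONE = 10
MAX_RECORDS_PER_ZONE = 3500


@dataclass
class Zone:
    name: str
    label: str                                            # disambiguates same-name zones
    permitted_networks: set = field(default_factory=set)  # VPC ids allowed to query
    records: dict = field(default_factory=dict)           # "host.zone" -> (type, rdata)

    @property
    def state(self) -> str:
        # A zone without permitted networks is Pending and is served nowhere.
        return "ACTIVE" if self.permitted_networks else "PENDING"


class DnsServicesInstance:
    """Hypothetical in-memory stand-in for one DNS Services instance."""

    def __init__(self):
        self.zones = []

    def add_zone(self, name: str, label: str) -> Zone:
        if len(self.zones) >= MAX_ZONES_PER_INSTANCE:
            raise ValueError("instance already has 10 zones")
        zone = Zone(name.rstrip(".").lower(), label)
        self.zones.append(zone)
        return zone

    def add_permitted_network(self, zone: Zone, vpc_id: str) -> None:
        if len(zone.permitted_networks) >= MAX_PERMITTED_NETWORKS_PER_ZONE:
            raise ValueError("zone already has 10 permitted networks")
        # Duplicate zone names are fine, but one VPC may not be permitted on two
        # of them: the resolver could not tell which zone's records to serve.
        for other in self.zones:
            if other is not zone and other.name == zone.name and vpc_id in other.permitted_networks:
                raise ValueError(f"{vpc_id} already permitted on zone {zone.name!r} ({other.label})")
        zone.permitted_networks.add(vpc_id)

    def add_record(self, zone: Zone, host: str, rtype: str, rdata: str) -> None:
        if len(zone.records) >= MAX_RECORDS_PER_ZONE:
            raise ValueError("zone already has 3500 records")
        zone.records[f"{host}.{zone.name}"] = (rtype, rdata)

    def delete_zone(self, zone: Zone) -> None:
        # Permitted networks must be removed from the zone first.
        if zone.permitted_networks:
            raise ValueError("remove permitted networks before deleting the zone")
        self.zones.remove(zone)

    def delete_instance(self) -> None:
        # An instance that still owns zones cannot be deleted.
        if self.zones:
            raise ValueError("delete all zones before deleting the instance")

    def delete_vpc(self, vpc_id: str) -> None:
        # Deleting a VPC drops its permitted network from every zone; a zone
        # left with no networks falls back to Pending.
        for zone in self.zones:
            zone.permitted_networks.discard(vpc_id)

    def resolve(self, vpc_id: str, fqdn: str):
        """Answer a query as seen from inside vpc_id; None models NXDOMAIN."""
        fqdn = fqdn.rstrip(".").lower()
        for zone in self.zones:
            if zone.state == "ACTIVE" and vpc_id in zone.permitted_networks and fqdn in zone.records:
                return zone.records[fqdn]
        return None


def demo():
    """Two zones named testing.com, one per environment, each tied to its own VPC."""
    inst = DnsServicesInstance()
    dev = inst.add_zone("testing.com", "dev")
    prod = inst.add_zone("testing.com", "prod")
    inst.add_record(dev, "api", "A", "10.10.0.5")    # constructed addresses
    inst.add_record(prod, "api", "A", "10.20.0.5")
    inst.add_permitted_network(dev, "vpc-dev-0001")   # constructed VPC ids
    inst.add_permitted_network(prod, "vpc-prod-0001")
    return inst, dev, prod


if __name__ == "__main__":
    inst, dev, prod = demo()
    print(inst.resolve("vpc-dev-0001", "api.testing.com"))
    print(inst.resolve("vpc-prod-0001", "api.testing.com"))
```

Running `demo()` and querying `api.testing.com` from each VPC returns the environment's own address, while an unrelated VPC gets no answer at all, which is the private-only behaviour the FAQ describes.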
What are the authoritative servers for the {{site.data.keyword.dns_short}} zones? Can I resolve the private DNS zones iteratively?
{: #authoritative-servers-for-dns-zones} {: faq}
Unlike public DNS zones, {{site.data.keyword.dns_short}} does not expose authoritative servers for private DNS zones. Clients must send their recursive DNS queries to the DNS resolvers provided by the service. {{site.data.keyword.dns_short}} does not allow iterative resolution of private DNS zones.
{: #create-dns-zone-same-name-public-dns-zone} {: faq} {: support}
{{site.data.keyword.dns_short}} allows creating a private DNS zone that can have the same name as the public DNS zone. See a detailed explanation of this scenario, referred to as Split Horizon.
{: #load-balancer} {: faq}
See Global load balancers limitations for more information on global load balancer usage.
{: #health-check-types-supported} {: faq}
HTTP and HTTPS health checks are currently supported.
{: #what-regions-health-check-monitoring} {: faq}
Health checks are currently supported in the following regions:
- Dallas (us-south)
- Washington, D.C. (us-east)
- London (eu-gb)
- Frankfurt (eu-de)
- Osaka (jp-osa)
- Tokyo (jp-tok)
- Toronto (ca-tor)
- Sydney (au-syd)
- Sao Paulo (br-sao)
{: #disable-health-check-monitoring-to-origin} {: faq}
You can disable health check monitoring by disabling the origin.
{: #upgrade-plan-free-standard} {: faq}
- Navigate to the Resource List in the {{site.data.keyword.cloud_notm}} console.
- Select the instance of {{site.data.keyword.dns_short}} you want to upgrade.
- Select Plan from the navigation menu.
- Select Standard DNS from the plan table.
- Click Save and then click OK when prompted to verify 'Are you sure that you want to change plans?'.
See Update DNS Services instances to update to the standard plan using the command-line interface.
{: #where-do-i-find-cost-estimates-for-dns-svcs} {: faq} {: support}
You can estimate the cost of a service using the cost estimator on the provisioning pages for {{site.data.keyword.dns_short}} offerings. For example, log in to the {{site.data.keyword.dns_short}} console and click Estimate costs in the Summary panel. As you complete the form, cost estimates appear in the Summary side panel.
Why am I getting timeout errors for my DNS queries from my VPC when my query rate is more or less than the noted rate limit?
{: #dns-query-rate-limit} {: faq}
The noted DNS queries per second per availability zone rate limit is currently the typical amount when using {{site.data.keyword.dns_short}} resolvers from a VPC. Depending on how traffic is actually routed, what protocols the queries use, and other factors, the actual rate limit might vary around this number. After a DNS query rate exceeds this rate limit, {{site.data.keyword.dns_short}} resolvers no longer respond to the excess DNS queries.
{: #why-custom-resolver-request-response-count-low}
DNS Services platform metrics count DNS queries to custom resolvers in two ways: DNS requests, and cache hits and misses. When a DNS query is first received by the custom resolver location, it counts that query towards the DNS requests total. Subsequent queries made before the TTL is reached are counted towards the cache hits and misses total. For example, if 100 queries are made in rapid succession for a given domain, the DNS requests count would be 1 and the cache hits count would be 99.
If you want to view the total request count, you can do one of the following:
- Combine the DNS requests and cache hits
- Combine the cache hits and misses
- View the cache requests metric
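The counting behaviour above can be reproduced with a caching resolver driven by a simulated clock. This is an added example written for this page, not IBM's metrics code; it assumes a model in which every query is a cache request, a miss (no cached answer or an expired TTL) is forwarded upstream and counted as both a DNS request and a cache miss, and a hit is counted only as a cache hit. Under that model all three ways of obtaining the total listed above agree. The hostname and address are constructed.

```python
"""Simulated custom resolver metrics (added example, not IBM code)."""
from dataclasses import dataclass


@dataclass
class ResolverMetrics:
    dns_requests: int = 0   # queries forwarded because nothing valid was cached
    cache_hits: int = 0     # answered from cache before the TTL expired
    cache_misses: int = 0   # looked in the cache and found nothing usable

    @property
    def cache_requests(self) -> int:
        # Every query consults the cache, so this is hits plus misses.
        return self.cache_hits + self.cache_misses

    def total_views(self) -> dict:
        # The three ways the page lists to obtain the total query count.
        return {
            "requests+hits": self.dns_requests + self.cache_hits,
            "hits+misses": self.cache_hits + self.cache_misses,
            "cache_requests": self.cache_requests,
        }


class FakeClock:
    """Injected clock so TTL expiry can be simulated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class CachingResolver:
    def __init__(self, upstream, now):
        self.upstream = upstream   # callable (name, rtype) -> (rdata, ttl_seconds)
        self.now = now             # callable returning current time in seconds
        self.cache = {}            # (name, rtype) -> (rdata, expires_at)
        self.metrics = ResolverMetrics()

    def query(self, name: str, rtype: str = "A") -> str:
        key = (name.rstrip(".").lower(), rtype)
        entry = self.cache.get(key)
        if entry is not None and entry[1] > self.now():
            self.metrics.cache_hits += 1
            return entry[0]
        # Miss: counted as a cache miss and as a forwarded DNS request.
        self.metrics.cache_misses += 1
        self.metrics.dns_requests += 1
        rdata, ttl = self.upstream(*key)
        self.cache[key] = (rdata, self.now() + ttl)
        return rdata


def simulate(queries: int = 100, ttl: int = 60):
    """Fire `queries` rapid queries for one name, then one more after the TTL expires.

    Returns the (dns_requests, cache_hits) pair after the burst and the final metrics.
    """
    clock = FakeClock()
    upstream = lambda name, rtype: ("10.0.0.1", ttl)  # constructed upstream answer
    resolver = CachingResolver(upstream, clock)
    for _ in range(queries):
        resolver.query("api.example.internal")        # constructed hostname
    burst = (resolver.metrics.dns_requests, resolver.metrics.cache_hits)
    clock.advance(ttl + 1)
    resolver.query("api.example.internal")            # TTL expired: forwarded again
    return burst, resolver.metrics


if __name__ == "__main__":
    burst, metrics = simulate()
    print("after burst (requests, hits):", burst)
    print("after TTL expiry:", metrics, metrics.total_views())
```

After the burst of 100 queries the model reports 1 DNS request and 99 cache hits, matching the example in the answer; once the TTL expires the next query is forwarded again, so requests and misses both rise to 2 while every view of the total reads 101.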
{: #why-custom-resolver-metrics-show-period}
The custom resolver metric only shows the zone name for queries that are made for zones that have forwarding rules established. Queries for any other zones result in a zone name of `.`.