I’ll start by saying that I typically still see private DNS set up in the customer’s own domain rather than in OCI, but recently I had a case where a customer wanted OCI to manage a specific internal sub-domain, which we then used for the OCI Load Balancers.
For that, conditional forwarders were set up on-premises with a rule that everything under *.private.thatfinnishguy.com would be forwarded to the OCI Private DNS listeners. This lets us manage the DNS for everything under that sub-domain; in case of Disaster Recovery we would just switch the A record to point to the DR Region Load Balancer.
But in a DR event, wouldn’t the primary Region be the one that is down? How would you then resolve the addresses if your Private DNS listener only runs in Ashburn, for example?
One way is to set up DNS listeners in OCI in both Regions and make sure the on-premises forwarding rule points to all of those listeners. What is important is that you update the same A records in every Region where you have a listener, so there isn’t any drift between the setups: if the records differ, a name can resolve to the wrong (or a dead) target depending on which listener happened to answer. Right now this has to be done manually (meaning you can obviously script it with the CLI/Terraform/whatever); there isn’t a built-in way to replicate private zone changes to another Region.
The design for this is very simple, similar to the diagram below.
I’m assuming setting up the Private DNS listener is familiar, but just as a reminder, I’ve written a few posts on it earlier:
After I’ve created the DNS listener in the VCN, I create a new Zone for private.thatfinnishguy.com, add that zone to my new private view and associate that view with the VCN resolver. Now any query that is forwarded to my DNS listener will resolve the A records I’ve added to the zone.
I replicate the same changes to my secondary Region. In case of a DR event, I then have the possibility to change my A records in both Regions to point to the correct resource in the DR Region.
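Since the post mentions Terraform as the way to avoid updating both Regions by hand, here is an added example (not code from the original post) of how the listener, view, zone and A records described above can be expressed as a small module that is instantiated once per Region from one shared records map, so the two zones cannot drift apart. Ashburn as the primary Region comes from the post; the secondary Region (Phoenix), the module path, the variable names, the placeholder IP address and the assumption that provider authentication comes from your normal OCI CLI config are all mine. The resource and attribute names are those of the oracle/oci Terraform provider.

```hcl
# --- modules/private-dns/main.tf: everything one Region needs for the zone (added example) ---
terraform {
  required_providers { oci = { source = "oracle/oci" } }
}
variable "compartment_id"     { type = string }
variable "vcn_id"             { type = string }
variable "listener_subnet_id" { type = string }
variable "zone_name"          { type = string }
variable "records"            { type = map(string) } # FQDN => IPv4 rdata, shared by all Regions

# The VCN resolver already exists; look up its OCID so the listener and the view attach to it.
data "oci_core_vcn_dns_resolver_association" "vcn" {
  vcn_id = var.vcn_id
}
# Listening endpoint: the IP the on-prem conditional forwarder sends the queries to.
# Lock its subnet's security list / NSG down to UDP+TCP 53 from the on-prem resolvers only.
resource "oci_dns_resolver_endpoint" "listener" {
  resolver_id   = data.oci_core_vcn_dns_resolver_association.vcn.dns_resolver_id
  name          = "onprem-listener"
  subnet_id     = var.listener_subnet_id
  scope         = "PRIVATE"
  endpoint_type = "VNIC"
  is_listening  = true
  is_forwarding = false
}
# Private view holding the zone, and the zone itself.
resource "oci_dns_view" "private" {
  compartment_id = var.compartment_id
  display_name   = "${var.zone_name}-view"
  scope          = "PRIVATE"
}
resource "oci_dns_zone" "private" {
  compartment_id = var.compartment_id
  name           = var.zone_name
  zone_type      = "PRIMARY"
  scope          = "PRIVATE"
  view_id        = oci_dns_view.private.id
}
# Attach the view to the VCN resolver so queries arriving on the listener resolve the zone.
resource "oci_dns_resolver" "vcn" {
  resolver_id = data.oci_core_vcn_dns_resolver_association.vcn.dns_resolver_id
  scope       = "PRIVATE"
  attached_views { view_id = oci_dns_view.private.id }
}
# One A RRset per name, driven entirely by the records map passed in.
resource "oci_dns_rrset" "a" {
  for_each        = var.records
  zone_name_or_id = oci_dns_zone.private.id
  domain          = each.key
  rtype           = "A"
  scope           = "PRIVATE"
  view_id         = oci_dns_view.private.id
  items {
    domain = each.key
    rtype  = "A"
    rdata  = each.value
    ttl    = 60 # short TTL so on-prem caches drop the old answer quickly after a failover
  }
}
output "listener_ip" { value = oci_dns_resolver_endpoint.listener.listening_address }

# --- main.tf (root): one records map, applied to both Regions in the same run ---
terraform {
  required_providers { oci = { source = "oracle/oci" } }
}
variable "compartment_id" { type = string }
variable "primary"   { type = object({ vcn_id = string, listener_subnet_id = string }) }
variable "secondary" { type = object({ vcn_id = string, listener_subnet_id = string }) }
provider "oci" {
  alias  = "primary"
  region = "us-ashburn-1" # Ashburn, as in the post
}
provider "oci" {
  alias  = "secondary"
  region = "us-phoenix-1" # the secondary Region is an assumption
}
locals {
  # Single source of truth for both Regions. Normally the names point at the primary-Region
  # LB; a DR failover is editing this value to the DR-Region LB IP and running apply once.
  records = {
    "app.private.thatfinnishguy.com" = "10.0.1.10" # placeholder primary LB private IP
  }
}
module "dns_primary" {
  source             = "./modules/private-dns"
  providers          = { oci = oci.primary }
  compartment_id     = var.compartment_id
  vcn_id             = var.primary.vcn_id
  listener_subnet_id = var.primary.listener_subnet_id
  zone_name          = "private.thatfinnishguy.com"
  records            = local.records
}
module "dns_secondary" {
  source             = "./modules/private-dns"
  providers          = { oci = oci.secondary }
  compartment_id     = var.compartment_id
  vcn_id             = var.secondary.vcn_id
  listener_subnet_id = var.secondary.listener_subnet_id
  zone_name          = "private.thatfinnishguy.com"
  records            = local.records
}
```

The DR step then becomes: change the rdata in local.records, run terraform plan and confirm that the only changes are the rrset updates in both module instances, then terraform apply. From the on-prem side, check with dig @<listener IP> app.private.thatfinnishguy.com against each Region’s listener_ip output and confirm both answers match; a mismatch is exactly the drift this post warns about.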
Setting up private DNS for OCI is fairly straightforward (and manual!). I would definitely like to see a way to replicate changes to other Regions, or you should think about how you do this with Terraform, for example. You don’t want to update these records manually each time. In a perfect world this would be fully automated and part of your DR process, so that the A records get updated as part of the failover.