About DNS Services
To better understand IBM Cloud® DNS Services, it helps to know more about DNS in general.
DNS overview
Computers on a network can find one another by IP addresses. To make it easier to work within a computer network, people can use a Domain Name System (DNS) to associate human-friendly domain names with IP addresses, similar to a phonebook. A DNS can also associate other information beyond just computer network addresses to domain names.
That way, people can use human-friendly domain names instead of obscure, hard-to-remember, machine-oriented data.
DNS Services overview
DNS Services allows you to
- Create private DNS zones that are collections for holding domain names.
- Create DNS resource records under these DNS zones.
- Specify access controls used for the DNS resolution of resource records on a zone-wide level.
DNS Services also maintains its own worldwide set of DNS resolvers. Instances that are provisioned under IBM Cloud on an IBM Cloud network can use resource records that are configured through IBM Cloud DNS Services by querying DNS Services resolvers.
Resource records and zones that are configured through DNS Services are
- Separated from the wider, public DNS and their publicly accessible records.
- Hidden from machines outside of and not part of the IBM Cloud private network.
- Accessible only from machines that you authorize on the IBM Cloud private network.
- Resolvable only via the resolvers provided by the service.
Clock synchronization
ISO 27001 requires that clocks of all relevant information processing systems within an organization or security domain must be synchronized with a single reference time source. DNS Services synchronizes the systems with Network Time Protocol (NTP) servers to ensure that all time-based activities occur synchronously everywhere on the network.
IBM DNS Services uses the following internal NTP servers:
- time.adn.networklayer.com
- systemd-timesyncd.service
Resolving DNS names with DNS Services
As an example, consider that a DNS zone example.com is created in your DNS instance, and a resource record for www has been defined as shown in Figure 1. Also consider that a VPC 1 has been added to the DNS zone as a permitted network.
When the DNS Services server receives a name resolution request for www.example.com from a client in VPC 1, the DNS Services resolver determines that the request originated from a VPC that is a permitted network for the example.com DNS zone, and resolves the name www.example.com to the IP 10.0.0.1.
If the name resolution request for www.example.com originated from a client in VPC 2 that is not added as a permitted network to example.com, the request is forwarded to a public DNS server, and the response from the public DNS server is returned to the VPC client. This scenario is referred to as a Split Horizon, where the same hostname, which is defined in both a private DNS zone and a public DNS zone, can be resolved to different IPs depending on where the DNS name resolution request originated.
DNS Services ensures a level of privacy for information that is specified in your zones and resource records.
DNS Services is private only. For provisioning and configuring DNS records for public DNS resolution, refer to IBM Cloud Internet Services (CIS).
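The split-horizon decision described above can be modelled in a few lines. The following Python is an added illustration, not code from IBM Cloud or the DNS Services product: it keeps a constructed private zone for example.com with a www record pointing at 10.0.0.1, a constructed stand-in for public DNS, and VPC identifiers (vpc-1, vpc-2) that are placeholders. A permitted VPC gets the private answer; any other client falls through to the public answer. The zones_visible_to helper is a small audit aid for checking which zones a given network can see, which is the least-privilege question a defender asks when reviewing permitted networks.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class PrivateZone:
    """A private DNS zone: its A records and the VPCs permitted to resolve it."""
    name: str
    records: Dict[str, str]                          # label -> IPv4 ("@" is the zone apex)
    permitted_networks: Set[str] = field(default_factory=set)


# Constructed stand-in for the public DNS view of the same hostname.
# 203.0.113.0/24 is a documentation range (RFC 5737), so this address is not a real host.
PUBLIC_DNS: Dict[str, str] = {"www.example.com": "203.0.113.10"}


def _normalise(fqdn: str) -> str:
    """Strip a trailing dot and lower-case the name so comparisons are consistent."""
    return fqdn.rstrip(".").lower()


def _matching_zone(fqdn: str, zones: Iterable[PrivateZone]) -> Optional[PrivateZone]:
    """Return the most specific private zone that fqdn falls under, if any."""
    best: Optional[PrivateZone] = None
    for zone in zones:
        zname = _normalise(zone.name)
        if fqdn == zname or fqdn.endswith("." + zname):
            if best is None or len(zname) > len(_normalise(best.name)):
                best = zone
    return best


def resolve(fqdn: str, client_vpc: str, zones: Iterable[PrivateZone],
            public_dns: Dict[str, str] = PUBLIC_DNS) -> Tuple[str, Optional[str]]:
    """Split-horizon resolution.

    Returns ("private", ip) when the client's VPC is a permitted network for the
    zone that owns the name (ip is None if the zone has no such record, which is
    an assumption of this model: the page does not state that behaviour).
    Returns ("public", ip) otherwise, mirroring the forward to a public server.
    """
    fqdn = _normalise(fqdn)
    zone = _matching_zone(fqdn, zones)
    if zone is not None and client_vpc in zone.permitted_networks:
        zname = _normalise(zone.name)
        label = "@" if fqdn == zname else fqdn[: -(len(zname) + 1)]
        return ("private", zone.records.get(label))
    return ("public", public_dns.get(fqdn))


def zones_visible_to(client_vpc: str, zones: Iterable[PrivateZone]) -> List[str]:
    """Audit helper: names of every private zone the given VPC is permitted to resolve."""
    return sorted(z.name for z in zones if client_vpc in z.permitted_networks)


# Constructed sample data mirroring the scenario in the text: one private zone,
# one permitted VPC. "vpc-1" and "vpc-2" are placeholder identifiers.
ZONES = [
    PrivateZone("example.com", {"www": "10.0.0.1", "@": "10.0.0.2"}, {"vpc-1"}),
]


if __name__ == "__main__":
    for vpc in ("vpc-1", "vpc-2"):
        view, ip = resolve("www.example.com", vpc, ZONES)
        print(f"{vpc}: www.example.com -> {ip} ({view} view)")
        print(f"{vpc}: visible private zones = {zones_visible_to(vpc, ZONES)}")
```

Running the block prints the private answer for vpc-1 and the public answer for vpc-2; the audit line for vpc-2 is empty, which is the expected outcome when a network has not been added as a permitted network.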
Limits
DNS Services has limits in some areas, which are noted in the following table.
Item | Limitation |
---|---|
DNS zones | 10 per service instance |
DNS records | 3500 per DNS zone |
Permitted networks | 10 per DNS zone |
Global load balancers | 25 per DNS zone |
DNS queries per second | 1000 per availability zone |
DNS Services Supported Regions
Region | Data replication region | Health check region | Permitted networks |
---|---|---|---|
Dallas (us-south) | |||
Washington, D.C. (us-east) | |||
London (eu-gb) | |||
Frankfurt (eu-de) | |||
Madrid (eu-es) | |||
Osaka (jp-osa) | |||
Tokyo (jp-tok) | |||
Toronto (ca-tor) | |||
Sydney (au-syd) | |||
Sao Paulo (br-sao) | |||