How do I create my own private DNS zone using DNS Services?

To create your own private DNS zone using DNS Services, take the following steps.

1. Create a VPC instance.
2. Create a DNS Services instance.
3. Add a DNS zone to the DNS Services instance.
4. Designate the VPC instance as a permitted network for the DNS zone.
5. Add a DNS Resource Record to the DNS zone.
6. Verify name resolution of the DNS Resource Record works from within the VPC.

How is DNS Services different from public DNS?

DNS Services permits name resolution only from permitted VPCs within your IBM Cloud® account. The DNS zone is not resolvable from the internet.

Can I manage publicly available DNS records with this service?

No, DNS Services only offers private DNS at the moment. Use CIS for public DNS.

Is DNSSec supported with zones managed by DNS Services?

DNSSec allows resolvers to cryptographically verify the data received from authoritative servers. DNS Services resolvers support DNSSec for public domains, for which requests are forwarded to public resolvers that support DNSSec. For private zones, since the authority is within IBM Cloud, records are fetched using secure protocols, and are guaranteed to have the same level of privacy and security that DNSSec provides for public zones.

Is DNS Services regional or global?

DNS Services is a global service and can be used from permitted networks in any IBM Cloud region.

When creating a DNS zone, what is the purpose of the Label field?

A given instance can have multiple DNS zones with the same name. The label helps to differentiate zones with name collisions.

How many private zones are supported?

DNS Services supports 10 private zones per service instance.

How many permitted networks are supported?

DNS Services supports 10 permitted networks per DNS zone.

How many DNS records are supported?

DNS Services supports 3500 DNS records per DNS zone.

How do I delete my DNS Services instance?

To delete a DNS Services instance,

• Navigate to the Resource List in the IBM Cloud console.
• Click the "overflow" menu in the final column and select "Delete".

Why can't I delete a DNS Services instance?

If a DNS zone has been added to the DNS Services instance, the instance cannot be deleted.

Why can't I delete a DNS zone?

If a network has been added to a zone, the zone cannot be deleted until the permitted network is deleted from the zone.

What happens if I delete my VPC?

If the VPC is deleted, the corresponding permitted network will also be deleted from the DNS zones of your instance.

Why can I still resolve my resource records after I deleted its associated zone or permitted network?

To maintain a level of performance while resolving DNS queries, DNS Services resolvers cache data related to permitted networks for a period of time. Changes made to a permitted network might not have propagated until the previously cached data expires. See Known issues and limitations for more details.

Why am I still being charged for a disabled custom resolver or location?

When you disable a custom resolver or a custom resolver location, the underlying appliance is still provisioned and subject to billing. To prevent unwanted charges, delete the custom resolver and custom resolver locations.

What do the different zone states mean?

The zone states definitions are as follows.

• Pending: When a DNS zone is added to the instance it will be in Pending. In this state Resource Records can be added, deleted or updated. Since the zone does not have any permitted networks, the zone will not be served by the resolvers in any region.
• Active: When a domain has one or more permitted networks added then the domain state changes to ACTIVE and the domain will be served by the resolver from all the regions.
• Disabled: In this state the zone will not be served and all control path operations will be disabled except deleting the zone.

Can I use any name for the zone?

In general, yes, you can use any name for the zone. Certain IBM-owned or IBM-specific DNS zone names are restricted, in other words, they can't be created in DNS Services. See Restricted DNS zone names for the complete list.

Can I create two DNS zones with the same name?

Creating two DNS Zones with the same name is allowed. Use label and description as described in the following steps to differentiate between the two.

1. Create an instance of DNS Services.

2. Create a DNS zone for each environment (for example, production, staging, development, testing). When creating the zone, be sure to include a description indicating what environment the zone is for. The zone name is the same for each zone (for example, testing.com). A single DNS Services instance can only contain 10 zones.

3. Add a zone to the instance of DNS Services.

4. In each respective zone, add specific VPCs as permitted networks. For example, for a development VPC, create a permitted network with the development VPC ID in the DNS zone for the development environment. While duplicate zone names are allowed in an account, duplicate zones cannot be associated with a single permitted network.

5. The result is that traffic from the development VPC only sees records from the development DNS zone and similarly for all the other environments. This way, you can use the same zone name in all environments, with the results tailored to each respective environment.

Can I add the same permitted network (for example, a VPC) to two DNS zones of the same name?

No, adding the same permitted network (for example, a VPC) to two DNS zones of the same name is not allowed.

What are the authoritative servers for the DNS Services zones? Can I resolve the private DNS zones iteratively?

Unlike public DNS zones, DNS Services does not expose authoritative servers for private DNS zones. Clients must send their recursive DNS queries to the DNS resolvers provided by the service. DNS Services does not allow iterative resolution of private DNS zones.

Can I create a DNS zone with same name as a Public DNS zone?

DNS Services allows creating a private DNS zone that can have the same name as the public DNS zone. See a detailed explanation of this scenario, referred to as Split Horizon.

Are there any limits on global load balancer usage?

See Global load balancers limitations for more information on global load balancer usage.

What types of health checks are supported?

HTTP and HTTPS health checks are currently supported.

What regions can I use for health check monitoring?

Health checks are currently supported in the following regions:

• Dallas (us-south)
• Washington, D.C. (us-east)
• London (eu-gb)
• Frankfurt (eu-de)
• Osaka (jp-osa)
• Tokyo (jp-tok)
• Toronto (ca-tor)
• Sydney (au-syd)
• Sao Paulo (br-sao)

How can I disable health check monitoring to the origins?

You can disable health check monitoring by disabling the origin.

How do I upgrade my plan from free to standard?

1. Navigate to the Resource List in the IBM Cloud console.
2. Select the instance of DNS Services you want to upgrade.
3. Select Plan from the navigation menu.
4. Select Standard DNS from the plan table.
5. Click Save and then click OK when prompted to verify 'Are you sure that you want to change plans?'.

See Update DNS Services instances to update to the standard plan using the command-line interface.

Where do I find cost estimates for DNS Services?

You can estimate the cost of a service using the cost estimator on the provisioning pages for DNS Services offerings. For example, log in to the DNS Services console and click Estimate costs in the Summary panel. As you complete the form, cost estimates appear in the Summary side panel.

Why am I getting timeout errors for my DNS queries from my VPC when my query rate is more or less than the noted rate limit?

The noted DNS queries per second per availability zone rate limit is currently the typical amount when using DNS Services resolvers from a VPC. Depending on how traffic is actually routed, what protocols the queries use, and other factors, the actual rate limit might vary around this number. After a DNS query rate exceeds this rate limit, DNS Services resolvers no longer respond to the excess DNS queries.

Why is my custom resolver request and response count so low?

DNS Services platform metrics counts DNS queries to custom resolvers in two ways: DNS requests, and cache hits and misses. When a DNS query is first received by the custom resolver location it counts that query towards the DNS requests total. Subsequent queries made before the TTL is reached are counted towards the cache hits and misses total. For example if 100 queries are made in rapid succession for a given domain, the DNS requests count would be 1 and the cache hits count would be at 99.

If you want view the total request count you can do one of the following:

• Combine the DNS requests and cache hits
• Combine the cache hits and misses
• View the cache requests metric

Why is my custom resolver metrics showing a . instead of my requested zone name?

The custom resolver metric only shows the zone name for queries that are made for zones that have forwarding rules established. Queries for any other zones result in a zone name of .