Private DNS Zones

Overview

Private DNS Zones let you create custom internal domains (like .prod, .staging, .db) that are resolvable only by instances within your VPC networks. This enables service discovery, environment separation, and automatic failover without relying on IP addresses.

Key features:

Internal-only resolution -- DNS zones are private to your VPCs and not accessible from the public internet.
Multiple record types -- A, AAAA, CNAME, TXT, and SRV records.
Routing policies -- Simple, Weighted, Multivalue Answer, and Failover routing.
Health checks -- HTTP, HTTPS, TCP, and ICMP checks automatically exclude unhealthy records.
Multi-VPC support -- Attach a single zone to multiple VPCs simultaneously.
No extra cost -- Private DNS is included with VPC networking.

tip

Private DNS works alongside your VPC's regular internet DNS. Public queries (e.g., google.com) are automatically forwarded to public resolvers.

Getting Started

Prerequisites

At least one active VPC network is required.
DNS zones count toward your account's maximum limit (default: 5, configurable by your administrator).

Creating a DNS Zone

Navigate to Networking → Private DNS in the sidebar.
Click Create DNS Zone.
Select a Location (data center) to filter available VPCs.
Fill in the zone details:
- Zone Name -- The internal domain name (e.g., prod, staging, db). Must be lowercase alphanumeric with dots and hyphens allowed.
- Description -- Optional description for organizational purposes.
- VPCs -- Select one or more VPCs to attach this zone to (required).
Click Create Private DNS Zone.

The zone becomes active immediately. Instances in the attached VPCs can resolve records within seconds.

Reserved Names

Zone names that match public TLDs (com, net, org, io, etc.) are not allowed as standalone names, since they would shadow real DNS resolution. Use compound names instead -- for example, app.internal rather than com.

Managing Zones

Zone Detail Page

The zone detail page has two tabs:

Records (default) -- All DNS record sets and their individual records.
Attached VPCs -- The VPC networks where this zone is available.

Attaching / Detaching VPCs

Click Attach VPC in the VPCs tab and select a VPC from the dropdown.
Click Detach next to any attached VPC to remove it.

note

Detaching a VPC does not immediately affect running instances -- their existing DNS configuration remains until they are rebooted or their network is reconfigured.

Editing a Zone

You can update the zone description at any time. Zone names cannot be changed after creation -- create a new zone if you need a different name.

Deleting a Zone

Deleting a zone removes all record sets, records, and health checks within it. The zone is removed from all attached VPCs. Deletion is processed as a background job.

DNS Records

Adding a Record

On the zone detail page, click Add Record.
Fill in the Record Set fields (if creating a new record set):
- Hostname -- The subdomain name (e.g., web, api, db-master). This is appended to the zone name to form the full hostname (e.g., web.prod).
- Type -- The DNS record type (see Record Types below).
- Routing Policy -- How traffic is distributed (see Routing Policies below).
- TTL -- Time-to-live in seconds (default: 300).
Fill in the Record Value:
- For A records: a valid IPv4 address (e.g., 10.0.1.10).
- For AAAA records: a valid IPv6 address.
- For CNAME records: a hostname (e.g., web1.prod).
- For TXT records: a text string.
- For SRV records: priority weight port target (e.g., 10 60 8080 web1.prod).
If using Weighted routing: set a weight (1--255).
If using Failover routing: select the role (Primary or Secondary).
Optionally configure a Health Check.
Click Add Record.

If a record set with the same name and type already exists, the record is added to it. Otherwise, a new record set is created automatically.

Editing a Record

Click the edit icon next to any record to change its value, weight, or failover role.

Enabling / Disabling Records

Use the toggle switch to temporarily disable a record without deleting it. Disabled records are excluded from DNS responses but keep their configuration.

Adding to an Existing Record Set

Within an expanded record set, click Add to this set to add another record with the same name and type.

Record Types

Type	Description	Value Format	Example
A	IPv4 address	Valid IPv4	`10.0.1.10`
AAAA	IPv6 address	Valid IPv6	`fd00::1`
CNAME	Canonical name (alias)	Hostname	`web1.prod`
TXT	Text record	Free text	`"v=spf1 ..."`
SRV	Service locator	`priority weight port target`	`10 60 8080 web.prod`

Record Type Restrictions

CNAME exclusivity -- A CNAME record cannot coexist with other record types for the same hostname. Remove existing records first if you need to add a CNAME.
CNAME routing -- CNAME records support simple and failover routing only. Weighted and multivalue routing are not available for CNAME records.

Routing Policies

Simple

Returns a single record. Use this when you have one resource serving a hostname.

Max records: 1

Weighted

Distributes queries across multiple records based on assigned weights (1--255). A record with weight 70 receives roughly 70% of queries compared to a record with weight 30.

Use cases:

Gradual traffic shifting (blue/green deployments)
Load distribution across servers with different capacities
A/B testing

Max records: 10 Supported types: A, AAAA only (CNAME and other types cannot use weighted routing)

Multivalue Answer

Returns all healthy records in the response. The client application chooses which to use. Unhealthy records are automatically removed.

Max records: 10 Supported types: A, AAAA, TXT, SRV (CNAME cannot use multivalue routing)

Failover

Designate one record as Primary and another as Secondary. Queries return the primary record as long as it passes health checks. If the primary becomes unhealthy, traffic fails over to the secondary automatically.

Max records: 2 (exactly one primary + one secondary)

Fail-Open Behavior

If all records in a record set become unhealthy, the system returns all records rather than returning nothing. This ensures some resolution is always possible, even when health checks are failing.

Health Checks

Health checks monitor the availability of your DNS record targets. When a record fails its health check, it is automatically excluded from DNS responses.

Configuring a Health Check

When adding or editing a record, enable the Health Check section and configure:

Parameter	Description	Default
Type	Protocol: `HTTP`, `HTTPS`, `TCP`, or `ICMP`	--
Port	Target port (HTTP/HTTPS/TCP)	80 or 443
Path	URL path to check (HTTP/HTTPS only)	`/`
Expected Status	HTTP status code considered healthy (HTTP/HTTPS only)	`200`
Interval	Seconds between checks	`30`
Timeout	Seconds to wait for a response	`5`
Unhealthy Threshold	Consecutive failures before marking unhealthy	`3`
Healthy Threshold	Consecutive successes before marking healthy	`2`

Health Status Indicators

Indicator	Meaning
🟢 Green	Healthy -- record is included in DNS responses
🔴 Red	Unhealthy -- record is excluded from DNS responses
🟡 Yellow	Pending -- health check has not run yet
⚪ Grey	No health check configured

Managing Health Checks

You can add, edit, or remove health checks on any record at any time from the record set's expanded view. Click the health status indicator or use the health check button.

Record Limits

Resource	Limit
DNS zones per account	5 (default, configurable by admin)
Record sets per zone	100
Records per set (Simple)	1
Records per set (Failover)	2
Records per set (Weighted / Multivalue)	10

How It Works

When an instance in an attached VPC makes a DNS query:

Private zone queries (e.g., web.prod) are resolved using the zone's records, respecting the configured routing policy and health check status.
Public DNS queries (e.g., google.com) are automatically forwarded to public DNS resolvers.

Automatic DNS Configuration

Instances in attached VPCs automatically receive the VPC subnet gateway as their primary DNS server. No manual configuration is needed -- new instances will resolve private DNS zones out of the box. Public DNS (e.g., 1.1.1.1, 8.8.8.8) is configured as fallback for internet domains. Search domains are also set automatically, so short names work -- for example, if your zone is named prod, you can query just web instead of web.prod.

Propagation

Record changes (add, update, delete) propagate to all hypervisors within seconds.
New zone attachments take effect within 60 seconds (the sync interval).
Cached records on instances expire according to the TTL you configure (default: 300 seconds / 5 minutes).

Examples

Weighted Web Service

Distribute traffic across two web servers with a 70/30 split:

Create a zone named prod attached to your VPC.
Add a record:
- Hostname: web
- Type: A
- Routing Policy: Weighted
- Value: 10.0.1.10, Weight: 70
Add another record to the same set:
- Click Add to this set on the web record set
- Value: 10.0.1.11, Weight: 30
Enable HTTP health checks on both records (port 80, path /health).

Instances can now reach your web servers at web.prod. If either server fails its health check, all traffic goes to the healthy one.

Database Failover

Automatic failover between primary and replica databases:

Create a zone named db attached to your VPC.
Add a record:
- Hostname: mysql
- Type: A
- Routing Policy: Failover
- Value: 10.0.2.10, Role: Primary
- Health check: TCP, port 3306
Add another record to the same set:
- Click Add to this set
- Value: 10.0.2.11, Role: Secondary
- Health check: TCP, port 3306

Applications connect to mysql.db. If the primary is unreachable on port 3306, DNS automatically returns the replica's IP.

Service Discovery with SRV

Locate services by protocol and port:

Create a zone named svc.
Add a record:
- Hostname: _http._tcp.api
- Type: SRV
- Routing Policy: Simple
- Value: 10 50 8080 api1.svc

Applications can discover the API service endpoint, port, and priority via standard SRV lookups.

Troubleshooting

Records not resolving

Verify the zone status is Active.
Confirm the VPC is attached to the zone.
Check that the record is enabled (toggle is on).
If using health checks, verify the target service is reachable.
New instances may need a moment to pick up DNS configuration after boot.

Health check showing unhealthy

Ensure the target service is running and accessible within the VPC.
Verify the port and path are correct.
For HTTP/HTTPS checks, confirm the expected status code matches what the service actually returns.
Check that Security Group rules allow the health check traffic on the configured port.

Changes not taking effect

DNS changes propagate within seconds, but cached records may take up to the TTL duration to expire.
Flush the DNS cache on the instance: sudo systemd-resolve --flush-caches (Linux).
Or restart the instance to pick up fresh DNS configuration.

The Private DNS link only appears when VPC networking is enabled on at least one hypervisor group. Contact your administrator if you don't see it.

Validation errors when creating records

A records must contain a valid IPv4 address (e.g., 10.0.1.5).
AAAA records must contain a valid IPv6 address.
CNAME records must contain a valid hostname and cannot use weighted or multivalue routing.
SRV records must follow the format priority weight port target (e.g., 10 60 8080 web.prod).
Zone names cannot be public TLDs (com, net, org, etc.) -- use compound names like app.internal.

Overview​

Getting Started​

Prerequisites​

Creating a DNS Zone​

Managing Zones​

Zone Detail Page​

Attaching / Detaching VPCs​

Editing a Zone​

Deleting a Zone​

DNS Records​

Adding a Record​

Editing a Record​

Enabling / Disabling Records​

Adding to an Existing Record Set​

Record Types​

Record Type Restrictions​

Routing Policies​

Simple​

Weighted​

Multivalue Answer​

Failover​

Health Checks​

Configuring a Health Check​

Health Status Indicators​

Managing Health Checks​

Record Limits​

How It Works​

Propagation​

Examples​

Weighted Web Service​

Database Failover​

Service Discovery with SRV​

Troubleshooting​

Records not resolving​

Health check showing unhealthy​

Changes not taking effect​

Zone not appearing in sidebar​

Validation errors when creating records​