Setting up external DNS for single front end Eucalyptus deployment


August 8, 2013 by kimizhang

In a single front end setup, Eucalyptus requires a somewhat tricky DNS configuration in order to:

  • have resolvable domain names for internal IP addresses of VMs
  • have resolvable domain names for external IP addresses of VMs
  • have reverse resolvable IP address for internal domain names of VMs
  • have reverse resolvable IP address for external domain names of VMs
  • VMs receive their unique hostnames instead of “localhost” (which is actually done by using a reverse DNS for the internal IP address)

Eucalyptus has a built-in DNS server for its managed IP addresses (both public and private) on the cloud controller (CLC).

The Eucalyptus CLC is visible from more than one IP address at the same time:

  • Its public IP address, where the services/Eucalyptus web service is normally available.
  • For every security group there is an IP subnet for VMs. The first (TBD: check) IP address in every subnet is the CC (CLC) machine.

The problematic points:

  • Eucalyptus CLC replies from its subnet-specific private IP address if queried from a VM, even if the query was originally directed to the CLC’s public IP. The standard resolver libraries treat this reply as a DNS spoofing attempt (request destination IP != reply source IP) and drop it.
  • It is not possible to set the internal address of Eucalyptus CLC statically, since it depends on the subnet which in turn depends on which security group the VM was launched in.
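
The source-address check behind the first point can be reproduced from inside a VM. The following is an added example, not part of the original post: it sends one DNS query over UDP and classifies each reply the way a stub resolver would. The function names, the fixed transaction ID and the command-line usage are this example's own.

```python
import socket
import struct

def build_query(name, txid, qtype=1):
    """Build a minimal DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_reply(sent_to, reply_from, txid, data):
    """Apply the checks a stub resolver makes before trusting a UDP reply.

    sent_to and reply_from are (ip, port) tuples.
    """
    if len(data) < 12:
        return "dropped: truncated header"
    rid, flags = struct.unpack("!HH", data[:4])
    if reply_from[0] != sent_to[0]:
        return "dropped: source IP %s != queried IP %s" % (reply_from[0], sent_to[0])
    if reply_from[1] != sent_to[1]:
        return "dropped: source port mismatch"
    if rid != txid or not flags & 0x8000:
        return "dropped: not a response to this query"
    return "accepted"

def probe(server, name, timeout=2.0, txid=0x1234):
    """Query `server` over UDP and classify every datagram that comes back.

    The socket is left unconnected on purpose: a connect()ed UDP socket only
    receives datagrams from its peer, so the mismatched reply would be
    discarded before this code could report it.
    """
    sent_to = (server, 53)
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), sent_to)
        try:
            while True:
                data, src = s.recvfrom(4096)
                results.append((src, classify_reply(sent_to, src, txid, data)))
        except socket.timeout:
            pass  # no more replies within the timeout
    return results

if __name__ == "__main__":
    import sys
    # usage: python probe.py <dns-server-ip> <name-to-resolve>
    for src, verdict in probe(sys.argv[1], sys.argv[2]):
        print(src, verdict)
```

Run against the CLC's public address from a VM, a "dropped: source IP" verdict confirms the behaviour described above; run against the external dnsmasq server, the reply should be "accepted".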


The solution is an external DNS server that relays forward and reverse DNS queries for both public and private domain names and IP addresses to the Eucalyptus DNS server for the VMs to work correctly.


Example configuration settings using dnsmasq:


  • In this example is the Eucalyptus CC’s public address
  • is the dnsmasq server that is external to Eucalyptus.
  • is the public network range of Eucalyptus VMs
  • is the private network range of Eucalyptus VMs
  • compute.local is the public DNS suffix
  • eucalyptus.internal is the private DNS suffix
  • is external/internal DNS to resolve internal domain names

## Configuration in /etc/dnsmasq.conf ##
# cat /etc/dnsmasq.conf
server=/compute.local/
server=/eucalyptus.internal/
server=/
server=/
resolv-file=/etc/dnsmasq-resolv.conf

## Configure default forwarder to external/internet DNS ##
# cat /etc/dnsmasq-resolv.conf
nameserver


In Eucalyptus CC, /etc/eucalyptus/eucalyptus.conf, set the DNS for the VMs to the dnsmasq server:


