Reference architecture for hybrid DNS high availability in OCI

August 24, 2023 | 4 minute read
Praveen Manimozhi
Principal Cloud Architect, Networking & Security
Text Size 100%:

The domain name system (DNS) architecture that we deploy in Oracle Cloud Infrastructure (OCI) is a hybrid DNS workload that follows a hub-and-spoke topology like that of a virtual cloud network (VCN). This setup gives operational effectiveness and makes the management of DNS in OCI easier. For a more in-depth understanding of private DNS in OCI, see the A-Team blog post, OCI Private DNS - Common Scenarios, which covers the details of the architecture and scenarios.

This post focuses on the high availability and resilience of the private DNS that we can bring with the help of dynamic host configuration protocol (DHCP) options in a VCN.

Current DNS state architecture

In the hybrid architecture, the spoke VCNs resolve queries within OCI in the same region locally, and the rest of the queries for the other region domains and the custom domain are forwarded to the listener in the hub. The forwarding rule in the hub forwards the queries to the name servers, and the name resolves.

A graphic depicting old DNS architecture

Problem statement

In this architecture, with the default DHCP option and forwarding rules in VCN resolver, if the custom DNS server has an unexpected reboot or OCI loses connectivity, the DNS has an outage. A single point of failure exists for forwarded zones, such as custom domains and other region domains, for the following reasons:

  • The forwarding rules can have only a single DNS server IP.

  • An OCI DNS as resolver forwards the queries to the first rule that matches.

  • Without a custom DHCP option, the operating system gets only one IP,, as a DNS server.

  • With any failure in the subsequent forwarding, the OS doesn’t know an alternative server that it can use.

Proposed architecture

In the proposed architecture, we’re modifying the DHCP options in the VCN and the hybrid DNS configuration. With this modification, the OS is aware of the alternative DNS server it can reach when the primary server has a problem. So, the name resolution continues to work, and you can avoid the complete DNS outage.

A graphic depicting the update DNS architecture.

  1. Configure custom DHCP options for the VCN with OCI DNS IP address,, as the primary server, and the customer's DNS server as the second DNS server.

  2. In this solution, the Phoenix DNS server is used as the secondary DNS in the Ashburn VCN and Ashburn DNS server as secondary DNS for the Phoenix VCN.

  3. The VCN resolver still manages the name resolution within OCI regions, and only the custom domain or other region domains are forwarded to their respective servers.

  4. If the custom DNS server fails or OCI loses the connectivity to the primary server, the secondary server in the list resolves the custom and other regional DNS zones.

  5. The customer DNS servers are deployed in OCI to decrease the latency and dependency to the on-premises connectivity. This part isn’t mandatory unless the situation demands it.

  6. The custom DNS server needs a conditional forwarding rule to to the DNS listener IP in the regional hub VCN. In this scenario, the custom DNS server has the forwarding rule to and This step is handy when the client forwards the request to any available DNS server in the list bypassing the order.


We have the following recommendations for your setup and deployment of this architecture:

  1. If the applications are latency-sensitive and send frequent queries to the internet or custom zones, you can replace the wildcard or match all resolvers in the spoke VCNs to more specific rules, such as the hub.

  2. If you have private endpoint resources in the subnet, use the IP address,, for the name resolution default.

  3. Ensure that the client DNS caching is enabled and working.

  4. If the current deployment is configured with the default DHCP option and you want to achieve high availability for the forwarded domains, we can have the request forwarded to the load balanced VIP IPs of the DNS servers.


This post presented a highly available and fault-tolerant solution for the private DNS in OCI by utilizing the DHCP option in VCN and the hybrid DNS deployment. To better understand private DNS, DHCP options, and the private DNS implementation in Oracle Cloud Infrastructure, see the following resources:

Praveen Manimozhi

Principal Cloud Architect, Networking & Security

Previous Post

Behind the scenes (Under the bench): The tricky thing about SMT

Balbir Singh | 11 min read

Next Post

VMware Tanzu deployment option with Oracle Cloud VMware Solution

Ravindra Kumar Kumar | 5 min read