How to resolve DNS records in your private network with Soracom?

Introduction

Hi I’m taketo from Soracom.

Soracom provides cellular connectivity services for IoT with powerful APIs and a web console, known as the Soracom User Console, to manage your connectivity. You can find our products and featured videos here at Digi-Key.

In this topic, I will introduce an architecture and configurations for your cellular devices to resolve your private DNS records associated with your VPC on your AWS.

Custom DNS in Private Network

By configuring Custom DNS, your cellular devices can resolve hostnames in your private network.

Depending on your architecture please follow one of the listed patterns below:

  • Scenario1: Custom DNS with AWS Inbound Resolver.
  • Scenario2: Custom DNS with Gate Peer.

By default, your Soracom cellular device resolves FQDNs via the Internet. But if your DNS is hosted in your private network, DNS queries from your cellular devices should stay inside that private network. Soracom provides the “Custom DNS” feature to support this scenario. “Custom DNS” lets you specify arbitrary IPv4 addresses of your own public or private DNS servers for your cellular devices to use.

With an Amazon Route 53 Inbound Resolver hosted in your Amazon VPC, you can resolve private hostnames from networks connected to your VPC, such as your VPG. IP packets from Soracom cellular devices are transferred to your private network by the NAT gateways in your VPG, so the DNS queries are sent from your VPG, which is peered with your private network. In this case, follow ‘Scenario1: Custom DNS with AWS Inbound Resolver’.

If you use Junction Redirection for scenarios such as Tunneling and Overlay with Soracom Gate C2D (Cloud-to-Device), follow ‘Scenario2: Custom DNS with Gate Peer’. IP packets from your cellular network are delivered to your private network without NAT gateways, so your DNS queries originate from your device subnet, which is not peered with your private network. You must therefore configure your Gate Peer as a NAT server and DNS forwarder.



An Example Architecture

The diagram below shows an example of the architecture you will build in the following steps. All IP addresses are examples and may differ in your environment.


Requirements

In order to establish custom DNS in your private network, you must have a private DNS resolver in your network.

Before continuing with Gate Peer configuration, ensure that you have completed the following:

With these requirements completed, continue to configure your Gate Peer.

This document will use an AWS EC2 instance as the Gate Peer and refer to AWS-specific configuration instructions. However, in general the same steps can be applied when configuring a Gate Peer within a non-AWS environment.


Scenario1: Custom DNS with Amazon Route 53 Inbound Resolver

  1. Create an Amazon Route 53 Inbound Resolver in your private network.

  2. Configure Custom DNS

    • Set the IP addresses of your Route 53 Inbound Resolver 172.16.0.179 and 172.16.31.23 as custom DNS IP addresses. Refer to Soracom Air for Cellular: Custom DNS document for the detail.
  3. Delete sessions of your cellular devices to apply your custom DNS IP addresses.

  4. SSH to your cellular device and confirm that it can resolve hostnames in your private network:

    • The following example shows a cellular device resolving a hostname via your Route 53 Inbound Resolver.
pi@raspberrypi:~ $ nslookup hello.app.test
Server: 172.16.0.179 <- Your Route 53 Inbound Resolver IP address
Address: 172.16.0.179#53

Non-authoritative answer:
Name: hello.app.test
Address: 172.16.37.24 <- Inbound Resolver response IP address of hello.app.test

Scenario2: Custom DNS with Gate Peer

Configure your Gate Peer

  1. SSH to your Gate Peer.
  2. Confirm default DNS resolver:
[ec2-user@ip-172-16-1-58 ~]$ cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search ap-northeast-1.compute.internal
options timeout:2 attempts:5
nameserver 172.16.0.2
  3. Run the following command to install BIND and its utilities:
sudo yum install bind bind-utils

  4. Back up the existing configuration file:

sudo cp /etc/named.conf /etc/named.conf_bak

  5. Edit the options block of /etc/named.conf (the file backed up in the previous step; on Debian-based systems the equivalent file is /etc/bind/named.conf.options):

options {
 directory "/var/named";
 recursion yes;
 allow-query {
     172.16.0.0/16; # Allow query from your private network and Soracom network
     10.0.0.0/16;
     localhost;
 };
 forwarders { 172.16.0.2; }; # Default resolver forward only;
 auth-nxdomain no; # conform to RFC1035
 listen-on { any; };
 allow-recursion {
     172.16.0.0/16; # Allow query from your private network and Soracom network
     10.0.0.0/16;
     localhost;
 };
};
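The options block above listens on every interface and enables recursion, so the only thing keeping the Gate Peer from becoming an open resolver is the pair of allow-query and allow-recursion ACLs. The following shell function is an added example (not part of the original post or Soracom's tooling) that reads a named.conf on stdin and fails if either ACL is missing or contains "any" or 0.0.0.0/0. The two embedded samples are constructed: one mirrors the restricted block shown above, the other opens it to everyone.

```shell
#!/bin/sh
# Added example, not part of the original Soracom post: checks that a BIND
# options block which listens on every interface still restricts who may
# query and recurse, so the Gate Peer does not become an open resolver.
# Run live with:  check_named_acls < /etc/named.conf

check_named_acls() {
  # Reads named.conf text on stdin. Exit 0 when allow-query and
  # allow-recursion are both present and neither lists "any" or 0.0.0.0/0;
  # exit 1 with a reason otherwise.
  awk '
    /allow-query[ \t]*[{]/     { block = "allow-query";     seen_q = 1 }
    /allow-recursion[ \t]*[{]/ { block = "allow-recursion"; seen_r = 1 }
    block != "" {
      line = $0
      sub(/#.*/, "", line); sub(/\/\/.*/, "", line)   # drop comments first
      if (line ~ /[ \t{;]any[ \t]*;/ || line ~ /0\.0\.0\.0\/0/) open = block
      if (line ~ /[}]/) block = ""                    # ACL block closed
    }
    END {
      if (!seen_q || !seen_r) { print "allow-query or allow-recursion missing"; exit 1 }
      if (open != "") { print open " permits any source: open resolver"; exit 1 }
      print "ok: queries and recursion limited to the listed networks"; exit 0
    }'
}

# Constructed sample: the restricted options block from the steps above.
NAMED_OK='options {
 directory "/var/named";
 recursion yes;
 allow-query { 172.16.0.0/16; 10.0.0.0/16; localhost; };  # private + Soracom
 forwarders { 172.16.0.2; };
 listen-on { any; };
 allow-recursion { 172.16.0.0/16; 10.0.0.0/16; localhost; };
};'

# Constructed sample: the same block with both ACLs opened to everyone.
NAMED_OPEN='options {
 recursion yes;
 allow-query { any; };
 listen-on { any; };
 allow-recursion { any; };
};'

printf '%s\n' "$NAMED_OK" | check_named_acls
```

The check is deliberately narrow: it only looks inside the two ACL blocks and ignores listen-on, because listening on every interface is what the Gate Peer needs in order to serve both the device subnet and the private network.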
  6. Enable and start named so the Gate Peer acts as a DNS forwarder:
sudo systemctl enable named
sudo systemctl restart named

  7. Enable NAT:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE -p udp --dport 53
  • sudo iptables -t nat -A POSTROUTING -j MASQUERADE -p udp --dport 53 applies NAT (masquerade) to DNS queries, which are sent over UDP to port 53.
  8. Confirm the NAT records and their priorities:
[ec2-user@ip-172-16-1-58 ~]$ sudo iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 154 packets, 14102 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      147 12501 MASQUERADE  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2     1226 95476 MASQUERADE  all  --  *      *       0.0.0.0/0           !172.16.0.0/16
  • Make sure the record ending in udp dpt:53, which applies NAT to DNS queries, has the higher priority. The lower the num, the earlier the record is applied.
  • 2 1226 95476 MASQUERADE all -- * * 0.0.0.0/0 !172.16.0.0/16 - This record is an example of not applying NAT to traffic from your cellular devices into your private network (172.16.0.0/16), so that your servers can see the sender IP addresses. You may have similar records when you configure Gate Peer servers for a Cloud-to-Device architecture. Make sure it has a lower priority than the first record.
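Because MASQUERADE is a terminating target, the first matching POSTROUTING rule wins, so the ordering requirement above is easy to break when rules are appended later. The following shell function is an added example (not part of the original post or any Soracom tool) that reads the output of the iptables listing shown above from stdin and fails if any other MASQUERADE rule has a lower rule number than the udp dpt:53 rule. Both embedded listings are constructed samples: the first matches the correct order above, the second has the two rules swapped.

```shell
#!/bin/sh
# Added example, not part of the original Soracom post: audits the order of
# the POSTROUTING NAT rules so the "MASQUERADE udp dpt:53" rule keeps the
# lowest rule number. Run live with:
#   sudo iptables -t nat -v -L POSTROUTING -n --line-numbers | check_nat_order

check_nat_order() {
  # Reads `iptables -t nat -v -L POSTROUTING -n --line-numbers` output on
  # stdin. Exit 0 when the DNS MASQUERADE rule precedes every other
  # MASQUERADE rule, exit 1 (with a reason) otherwise.
  awk '
    /^[0-9]+[ \t]/ {                      # rule lines start with "num"
      if ($4 == "MASQUERADE" && $0 ~ /udp dpt:53/) {
        if (dns == 0) dns = $1 + 0
      } else if ($4 == "MASQUERADE") {
        if (other == 0 || $1 + 0 < other) other = $1 + 0
      }
    }
    END {
      if (dns == 0) { print "no MASQUERADE rule for udp dpt:53"; exit 1 }
      if (other != 0 && other < dns) {
        print "rule " other " masquerades before the DNS rule " dns; exit 1
      }
      print "ok: DNS NAT rule " dns " is applied first"; exit 0
    }'
}

# Constructed sample matching the listing above (correct order).
NAT_OK='Chain POSTROUTING (policy ACCEPT 154 packets, 14102 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      147 12501 MASQUERADE  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2     1226 95476 MASQUERADE  all  --  *      *       0.0.0.0/0           !172.16.0.0/16'

# Constructed sample with the rules swapped: the broad rule is evaluated
# first, so the dpt:53 rule would not be the one applied to matching traffic.
NAT_SWAPPED='Chain POSTROUTING (policy ACCEPT 154 packets, 14102 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1226 95476 MASQUERADE  all  --  *      *       0.0.0.0/0           !172.16.0.0/16
2      147 12501 MASQUERADE  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

printf '%s\n' "$NAT_OK" | check_nat_order
```

Running the live command through the function after every change to the NAT table gives a quick regression check; if it reports a lower-numbered rule, insert the DNS rule with -I instead of appending it with -A.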

  9. Configure Custom DNS: set the IP address of your Gate Peer on the device subnet (10.0.1.150 in this example) as the custom DNS IP address. Refer to the Soracom Air for Cellular: Custom DNS document for the detail, then delete the sessions of your cellular devices to apply the change.

  10. SSH to your cellular device and confirm that it can resolve hostnames in your private network:
  • The following example shows a cellular device resolving a hostname via your Gate Peer.
pi@raspberrypi:~ $ nslookup hello.app.test
Server:		10.0.1.150
Address:	10.0.1.150#53

Non-authoritative answer:
Name:	hello.app.test
Address: 172.16.37.24