In Private DNS, DNS containers can be configured to run in either authoritative or recursive resolver mode. By default, the DNS container is configured to run in authoritative mode and answer all queries for known zones. In recursive resolver mode, the DNS instance has the ability to use a built-in recursor to resolve zones for which it is not authoritative. Each zone created in the Private DNS instance will be appended to a list of known authoritative zones. While in recursive mode this list is referenced first before reaching out to the public internet.
The container also allows for the configuration of an external resolver instead of using the built-in recurser (e.g. Cloudflare = 126.96.36.199 or Google = 188.8.131.52 are well-known and trusted public resolvers).
A forwarding option is available in which requests to specific zones are forwarded to the IP address of another DNS. These requests will still result in a single response from the forwarding server.
Figure 1. Example DNS Container Resolving Configuration.
- Recursive Resolver Forwarding: List of zones and recursive server addresses. Any query for a name in the configured zone will be forwarded to the corresponding recursive server for full resolution. Use this option if you want queries for certain names to be answered by a different resolver.
- Authoritative Server Forwarding: List of zones and authoritative name server addresses. Any query for a name in the configured zone will be sent to the corresponding authoritative server but the full query resolution will happen locally. Use this option to configure resolution of domains which are not accessible from public internet.