Resolver Endpoints

Resolver endpoints are attached to a VCN or a subnet.

A DNS forwarding resolver endpoint is required before you can create a resolver rule. No listening endpoint is required for compute instances sending queries to 169.254.169.254. Two types of endpoint are used:

  • Listening: A listening endpoint receives queries from these sources: within the VCN, other VCN resolvers, or your on-premises network's DNS. After a listening endpoint is created, it needs no further configuration.
  • Forwarding: A forwarding endpoint forwards DNS queries to the listening endpoint for resolvers in other peered VCNs or to your on-premises network's DNS. Decisions about where to forward queries are based on resolver rules that you define.

Resolver endpoints are highly available and backed by availability domains and fault domains of virtual networking.

Note

IPv6 isn't supported for listening or forwarding endpoints.

An endpoint can be configured either to forward or to listen, not both.

Note

Network security groups (NSGs) act as a virtual firewall for your DNS resolver endpoints. An NSG consists of a set of ingress and egress security rules that apply only to the associated DNS resolver endpoints.

We recommend that you change the security list or NSG security rules to allow traffic bound for UDP port 53 (and optionally TCP port 53) on your DNS listening endpoints.
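The following added example (not Oracle's code) audits the ingress rules of an NSG attached to a listening endpoint: it confirms that port 53 is reachable over UDP, and optionally TCP, from the expected query sources, and reports any rule that opens port 53 to other sources. It assumes rules in the JSON shape of OCI security rules (`direction`, `protocol`, `source`, `sourceType`, `udpOptions`/`tcpOptions` with `destinationPortRange`); the function names, CIDR blocks and sample rules are constructed for illustration.

```python
import ipaddress

DNS_PORT = 53
PROTO = {"17": "udp", "6": "tcp"}  # IANA protocol numbers as used in rule JSON

# Constructed sample: UDP 53 from the VCN CIDR, TCP 53 from anywhere.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "17", "source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK",
     "udpOptions": {"destinationPortRange": {"min": 53, "max": 53}}},
    {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 53, "max": 53}}},
]
EXPECTED_SOURCES = ["10.0.0.0/16", "172.16.0.0/12"]  # assumed VCN and on-premises ranges

def _covers_port(rule, proto):
    """True if the rule matches this protocol and its destination ports include 53."""
    if rule["protocol"] == "all":
        return True
    if PROTO.get(rule["protocol"]) != proto:
        return False
    rng = (rule.get(proto + "Options") or {}).get("destinationPortRange")
    return rng is None or rng["min"] <= DNS_PORT <= rng["max"]  # no range means all ports

def audit_listener_rules(rules, expected_sources):
    """Return (udp_ok, tcp_ok, findings) for a listening endpoint's NSG ingress rules."""
    allowed = [ipaddress.ip_network(c) for c in expected_sources]
    reach = {"udp": False, "tcp": False}
    findings = []
    for rule in rules:
        if rule["direction"] != "INGRESS" or rule.get("sourceType") != "CIDR_BLOCK":
            continue  # egress rules and non-CIDR sources are out of scope here
        src = ipaddress.ip_network(rule["source"])
        trusted = any(src.version == n.version and src.subnet_of(n) for n in allowed)
        for proto in ("udp", "tcp"):
            if not _covers_port(rule, proto):
                continue
            if trusted:
                reach[proto] = True
            else:
                findings.append(f"{proto}/53 open to unexpected source {src}")
    if not reach["udp"]:
        findings.append("no ingress rule allows udp/53 from an expected source")
    if not reach["tcp"]:
        findings.append("note: tcp/53 (optional) not allowed from an expected source")
    return reach["udp"], reach["tcp"], findings
```

For the constructed sample, the audit reports UDP 53 as reachable from the VCN, flags the TCP 53 rule whose source is `0.0.0.0/0`, and notes that no expected source can use TCP.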