Network Automation through DNS using Response Policy Zones

Squarespace maintains hybrid cloud infrastructure, where some of its services are hosted in Google Cloud Platform (GCP). On-premises applications communicate with GCP through Application Programming Interfaces (APIs) under the *.googleapis.com domain. Private interconnects provide reliable communication between the on-premises infrastructure and the cloud services. However, not all traffic needs to go through the interconnects.

The Domain Name System (DNS) plays a critical role in separating production traffic from internal user traffic without modifying the code that interacts with the cloud services.

Domain Name System

The Domain Name System (DNS) is one of the fundamental components of the Internet. One of its primary functions is to map easy-to-remember domain names to IP addresses so that user applications can reach their destination and communicate with the servers. Bind (Berkeley Internet Name Domain) is the most widely used open source DNS server. It was originally built at the University of California, Berkeley and is currently developed by ISC (Internet Systems Consortium).

There are two types of DNS servers: authoritative and recursive. Authoritative DNS servers maintain the “master copy” of the DNS zones they are responsible for, hence the name authoritative. Recursive DNS servers are the “middlemen” whose job is to find information about requested domains. They perform a series of queries up the DNS tree until they locate a server that can provide an answer to the user’s query. Such an answer may come from another recursor’s cache or from an authoritative server. This process is called DNS recursion. Technology companies often maintain their own private authoritative DNS servers that hold information about their internal infrastructure.

<diagram of recursion>

Response Policy Zone

Response Policy Zone (RPZ) is a mechanism in Bind that allows recursive DNS servers to rewrite responses returned by authoritative DNS servers. It is configured similarly to a regular zone, with a Start of Authority (SOA) record. However, instead of hostnames, record types and values, it contains RPZ triggers and actions that define the recursor’s behavior. While the most common use case for RPZ is a DNS firewall, there are other ways to benefit from filtered responses. This article focuses on network automation: dynamic traffic routing using DNS.

$TTL 1H
@                       SOA LOCALHOST. noreply.localhost. ( 1 1h 15m 30d 2h )
                        NS  LOCALHOST.

; QNAME triggers. Owner names are relative to the policy zone, so they carry
; no trailing dot. Queries for these names are answered with a CNAME to
; restricted.googleapis.com instead of the public answer.
storage.googleapis.com CNAME restricted.googleapis.com.
storage.l.googleusercontent.com CNAME restricted.googleapis.com.

; rpz-passthru. is the special target that exempts a name from rewriting.
; The owner must stay relative (no trailing dot), or Bind treats it as
; out-of-zone data and ignores the record.
restricted.googleapis.com CNAME rpz-passthru.

; Client-IP trigger, encoded as prefix.B4.B3.B2.B1.rpz-client-ip:
; 24.0.1.168.192 matches 192.168.1.0/24. Clients in that range are exempt
; from the policy and receive the unmodified answer.
24.0.1.168.192.rpz-client-ip CNAME rpz-passthru.
arogozin$ dig storage.googleapis.com @10.10.1.241 +short
storage.l.googleusercontent.com.
172.217.6.208

arogozin$ dig storage.googleapis.com @10.10.1.241 +short
restricted.googleapis.com.
199.36.153.5
199.36.153.7
199.36.153.4
199.36.153.6
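To check what a policy like the one above does to a given client and query name before it reaches a production recursor, here is an added Python example (not code from the post or from Squarespace) that parses the CNAME triggers of a constructed zone snippet, decodes the rpz-client-ip owner encoding, and applies Bind's trigger order (client-IP first, then QNAME). The snippet, the function names and the sample client addresses are assumptions.

```python
import ipaddress

# Constructed RPZ snippet mirroring the zone above (not the blog's file).
RPZ_ZONE = """
$TTL 1H
storage.googleapis.com CNAME restricted.googleapis.com.
storage.l.googleusercontent.com CNAME restricted.googleapis.com.
restricted.googleapis.com CNAME rpz-passthru.
24.0.1.168.192.rpz-client-ip CNAME rpz-passthru.
"""

def parse_rpz(text):
    """Split CNAME policy records into client-IP triggers and QNAME triggers.
    Only IPv4 rpz-client-ip owners are decoded (the IPv6 'zz' form is skipped)."""
    client_rules, qname_rules = [], {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()          # drop zone-file comments
        if len(fields) < 3 or fields[-2].upper() != "CNAME" or fields[0].startswith("$"):
            continue                                 # SOA/NS/directives are not triggers
        owner, target = fields[0].rstrip(".").lower(), fields[-1].rstrip(".").lower()
        if owner.endswith(".rpz-client-ip"):
            # Owner is prefix.B4.B3.B2.B1: 24.0.1.168.192 encodes 192.168.1.0/24
            prefix, *rev_octets = owner[: -len(".rpz-client-ip")].split(".")
            if len(rev_octets) != 4:
                continue
            net = ipaddress.ip_network("%s/%s" % (".".join(reversed(rev_octets)), prefix))
            client_rules.append((net, target))
        else:
            qname_rules[owner] = target
    return client_rules, qname_rules

def apply_policy(client_ip, qname, client_rules, qname_rules):
    """Return 'passthru' or the CNAME target the recursor substitutes.
    Follows Bind's trigger order: client-IP first, then QNAME; a passthru hit is final."""
    addr = ipaddress.ip_address(client_ip)
    for net, target in client_rules:
        if addr in net:
            return "passthru" if target == "rpz-passthru" else target
    target = qname_rules.get(qname.rstrip(".").lower(), "rpz-passthru")
    return "passthru" if target == "rpz-passthru" else target

if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for client, name in [("10.10.1.50", "storage.googleapis.com"), ("192.168.1.77", "storage.googleapis.com")]:
        print(client, name, "->", apply_policy(client, name, *rules))
```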