How to Use the VPC-local DNS Resolver
Validated on 16 Mar 2026 • Last edited on 26 Mar 2026
A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections.
DigitalOcean VPC networks provide an internal DNS resolver on the second-to-last IP address of the network. Configure your Droplets to use the internal resolver for better DNS performance and reliability on your DigitalOcean VPC network. This is especially important when using a NAT gateway, where multiple backend Droplets appear as one client to our DNS infrastructure and may be rate limited.
To update your Droplets to use the internal DNS resolver, find the IP address of your resolver, then update your Droplet’s DNS resolution configuration to use the new IP address.
Find a VPC Network’s Internal Resolver IP Address
A VPC network’s internal resolver IP address is always the second-to-last IP address of the network. To retrieve this IP address, use the DigitalOcean API or calculate it based on VPC network information shown in the control panel.
Use the Control Panel to Find a VPC Network’s Internal Resolver IP Address
Go to the VPC tab in the control panel and note the value shown in the IP Range column for your VPC network. It is an IPv4 address and network size in CIDR format, like 10.116.0.0/20.
Next, open the ARIN CIDR Calculator. In the Convert to IP Address Range section, enter the following:
- Prefix: The prefix is the IP address before the / slash.
- Prefix Length: The length is the number after the slash.
In the previous CIDR example, the prefix is 10.116.0.0 and the prefix length is 20.
Next, click Convert. You can view the end IP address in End IP Address. Your resolver IP address is the end IP address, minus 1 from the last octet. For example, if your end IP is 10.136.255.255, your resolver IP address is 10.136.255.254.
Use the resolver IP address in the next step to reconfigure your Droplet.
Use the DigitalOcean API to Find a VPC Network’s Internal Resolver IP Address
Send a GET request to the /v2/vpcs endpoint to list all of your team’s VPC networks. The following command pipes the API’s JSON response to jq which outputs only the VPC network name and resolver IP address:
curl -X GET \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
"https://api.digitalocean.com/v2/vpcs" \
| jq -r '.vpcs[] | "\(.name):\t\(.resolver_ip)"'
Add a valid DigitalOcean API token to the environment variable $DIGITALOCEAN_TOKEN before running the command.
The output is a list of VPC names and resolver IP addresses:
default-nyc2: 10.100.15.254
default-sgp1: 10.104.15.254
default-sfo3: 10.124.15.254
Find the resolver IP address for your VPC network and use it in the next step to reconfigure your Droplet.
Calculate the Resolver IP from a Droplet’s Private IP
If you are logged in to a Droplet on the VPC network, you can calculate the resolver IP directly from the Droplet’s private interface address:
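# Address and prefix length of the private (VPC) interface, for example 10.116.0.5/20
PRIVATE_CIDR=$(ip -4 -o addr show eth1 | awk '{print $4}')
VPC_RESOLVER_IP=$(python3 -c "
import ipaddress
# strict=False accepts a host address and returns the network that contains it
net = ipaddress.ip_network('${PRIVATE_CIDR}', strict=False)
# The resolver is the second-to-last address: one below the broadcast address
print(net.broadcast_address - 1)
")
echo "VPC resolver IP: $VPC_RESOLVER_IP"
The output shows the resolver IP for your VPC network:
VPC resolver IP: 10.116.15.254
Use the resolver IP address in the next step to reconfigure your Droplet.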
Update Droplets to Use the VPC-local DNS Resolver
Update your Droplet’s networking configuration to use the VPC-local DNS resolver as the only resolver. After completing these steps, all DNS queries from the Droplet route exclusively through the VPC-local resolver. This configuration procedure varies between different Linux distributions.
Ubuntu and Debian use Netplan to configure networking, and systemd-resolved to manage DNS resolution. You must update both systems to configure your Droplet to use its VPC-local DNS resolver.
First, update the DigitalOcean-specific systemd-resolved configuration file at /etc/systemd/resolved.conf.d/DigitalOcean.conf:
sudo nano /etc/systemd/resolved.conf.d/DigitalOcean.conf
Replace the two default IP addresses with your single VPC-local DNS resolver IP address:
[Resolve]
DNS=<your-resolver-ip>
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Save and close the file, then restart systemd-resolved:
sudo systemctl restart systemd-resolved
Next, update the Netplan configuration file that cloud-init generated at first boot:
sudo nano /etc/netplan/50-cloud-init.yaml
Remove the nameservers block from eth0 entirely. On eth1, replace the public resolver addresses (67.207.67.2 and 67.207.67.3) with your VPC-local resolver IP address:
network:
  version: 2
  ethernets:
    eth0:
      match:
        macaddress: "ce:68:83:13:e9:dd"
      addresses:
        - "159.203.129.109/20"
        - "10.17.0.6/16"
      set-name: "eth0"
      mtu: 1500
      routes:
        - to: "0.0.0.0/0"
          via: "159.203.128.1"
    eth1:
      match:
        macaddress: "ea:a8:49:d0:7c:09"
      addresses:
        - "10.132.1.108/16"
      nameservers:
        addresses:
          - <your-resolver-ip>
      set-name: "eth1"
      mtu: 1500
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Save and close the file, then apply the changes:
sudo netplan apply
Use resolvectl to verify that all DNS traffic now routes through the VPC-local resolver:
resolvectl status
In the output, confirm that the VPC-local resolver IP appears as the only DNS server with +DefaultRoute on the eth1 link:
Link 3 (eth1)
Protocols: +DefaultRoute ...
Current DNS Server: <your-resolver-ip>
DNS Servers: <your-resolver-ip>
Persist Changes Across Cloud-init Events
Netplan configuration survives reboots by default. However, on Droplets provisioned with cloud-init, the file /etc/netplan/50-cloud-init.yaml may be regenerated during certain events, such as a rebuild. To prevent cloud-init from overwriting your DNS settings, disable cloud-init network configuration:
sudo bash -c 'cat > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg <<EOF
network: {config: disabled}
EOF'
After creating this file, cloud-init no longer manages the Netplan configuration and your resolver settings persist through rebuilds.
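To check the result of the Ubuntu and Debian steps above without reading resolvectl status by eye, the following added example (not part of the original DigitalOcean documentation) parses that output and reports any DNS server other than the VPC-local resolver. The function names, the sample output and the 10.116.0.5/20 address are constructed for illustration.

```python
import ipaddress
import re

def expected_resolver(cidr):
    """Second-to-last address of the network that contains `cidr`."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address - 1)

def parse_resolvectl(text):
    """Map each scope ('Global', 'eth1', ...) to its DNS servers and protocols."""
    scopes, cur, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"Global|Link \d+ \((\S+)\)", line)
        if head:
            cur = scopes.setdefault(head.group(1) or "Global", {"dns": [], "protocols": ""})
            in_dns = False
        elif cur is None:
            continue
        elif line.startswith("DNS Servers:"):
            cur["dns"] += line.split(":", 1)[1].split()
            in_dns = True
        elif in_dns and re.fullmatch(r"[0-9A-Fa-f:.]+", line):
            cur["dns"].append(line)  # older systemd prints one server per line
        else:
            in_dns = False
            if line.startswith("Protocols:"):
                cur["protocols"] = line.split(":", 1)[1]
    return scopes

def audit(status_text, iface, cidr):
    """Return a list of problems; empty means only the VPC resolver is in use."""
    want, scopes, problems = expected_resolver(cidr), parse_resolvectl(status_text), []
    for name, info in scopes.items():
        problems += [f"{name}: unexpected DNS server {s}" for s in info["dns"] if s != want]
    link = scopes.get(iface, {"dns": [], "protocols": ""})
    if want not in link["dns"]:
        problems.append(f"{iface}: VPC resolver {want} not configured")
    if "+DefaultRoute" not in link["protocols"]:
        problems.append(f"{iface}: +DefaultRoute not set")
    return problems

# Constructed sample: eth0 still lists the public resolvers the page says to remove.
SAMPLE = """Link 2 (eth0)
  DNS Servers: 67.207.67.2
               67.207.67.3
Link 3 (eth1)
  Protocols: +DefaultRoute
  DNS Servers: 10.116.15.254
"""
print(audit(SAMPLE, "eth1", "10.116.0.5/20"))
```

On a Droplet, pass the text of resolvectl status and the eth1 address with its prefix length in place of the constructed sample.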
Rocky Linux and CentOS define DNS resolvers in the /etc/resolv.conf file. The following command uses echo to replace the contents of /etc/resolv.conf with a single nameserver <your-resolver-ip> configuration line:
echo "nameserver <your-resolver-ip>" > /etc/resolv.conf
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Fedora configures DNS resolvers in NetworkManager configuration files in the directory /etc/NetworkManager/system-connections/. On a DigitalOcean Droplet, this directory has one file for each interface: cloud-init-ens3.nmconnection and cloud-init-ens4.nmconnection.
Use nano or another text editor to update the dns= line in both files:
dns=<your-resolver-ip>
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Restart NetworkManager to apply the changes:
sudo systemctl restart NetworkManager
Your system is now configured to use its VPC-local DNS resolver. Use the dig command to verify DNS resolution is functioning properly. For usage examples, read How to Retrieve DNS Information Using Dig.