How to Use the VPC-local DNS Resolver
Validated on 30 Sep 2025 • Last edited on 30 Sep 2025
A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections.
DigitalOcean VPC networks provide an internal DNS resolver on the second-to-last IP address of the network. Configure your Droplets to use the internal resolver for better DNS performance and reliability on your DigitalOcean VPC network. This is especially important when using a NAT gateway, where multiple backend Droplets appear as one client to our DNS infrastructure and may be rate limited.
To update your Droplets to use the internal DNS resolver, find the IP address of your resolver, then update your Droplet’s DNS resolution configuration to use the new IP address.
Find a VPC Network’s Internal Resolver IP Address
A VPC network’s internal resolver IP address is always the second-to-last IP address of the network. To retrieve this IP address, use the DigitalOcean API or calculate it based on VPC network information shown in the control panel.
Use the Control Panel to Find a VPC Network’s Internal Resolver IP Address
Go to the VPC tab in the control panel and note the value shown in the IP Range column for your VPC network. It is an IPv4 address and network size in CIDR format, like 10.116.0.0/20.
Next, open the ARIN CIDR Calculator. In the Convert to IP Address Range section, enter the following:
- Prefix: the IP address before the / slash.
- Prefix Length: the number after the slash.
In the previous CIDR example, the prefix is 10.116.0.0 and the prefix length is 20.
Next, click Convert. You can view the end IP address in End IP Address. Your resolver IP address is the end IP address, minus 1 from the last octet. For example, if your end IP is 10.136.255.255, your resolver IP address is 10.136.255.254.
Use the resolver IP address in the next step to reconfigure your Droplet.
Use the DigitalOcean API to Find a VPC Network’s Internal Resolver IP Address
Send a GET request to the /v2/vpcs endpoint to list all of your team’s VPC networks. The following command pipes the API’s JSON response to jq, which outputs only the VPC network name and resolver IP address:
curl -X GET \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
"https://api.digitalocean.com/v2/vpcs" \
| jq -r '.vpcs[] | "\(.name):\t\(.resolver_ip)"'
Add a valid DigitalOcean API token to the environment variable $DIGITALOCEAN_TOKEN before running the command.
The output is a list of VPC names and resolver IP addresses:
default-nyc2: 10.100.15.254
default-sgp1: 10.104.15.254
default-sfo3: 10.124.15.254
Find the resolver IP address for your VPC network and use it in the next step to reconfigure your Droplet.
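Both lookup methods above come down to one rule: the resolver is the second-to-last address of the VPC range. The following Python script is an added example, not DigitalOcean's own code; it derives the resolver IP from a CIDR range (the manual calculation above, without the ARIN calculator) and cross-checks the resolver_ip field of each VPC object in a /v2/vpcs response against its ip_range. The JSON response embedded in the script is constructed for the example, with one entry deliberately wrong so the check is seen to fail.

```python
"""Derive a DigitalOcean VPC's internal resolver IP from its CIDR range.

Added example (not DigitalOcean's own code). It relies only on the rule
stated in the guide: the resolver sits on the second-to-last address of the
VPC network. The sample /v2/vpcs response below is constructed.
"""
import ipaddress
import json


def resolver_ip_for(cidr: str) -> str:
    """Return the second-to-last address of an IPv4 network given in CIDR form.

    For 10.116.0.0/20 the range ends at 10.116.15.255, so the resolver is
    10.116.15.254. Host bits in the input (for example a Droplet's own VPC
    address with the network's prefix length) are masked off by strict=False.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("VPC ranges are IPv4")
    if net.num_addresses < 4:
        raise ValueError(f"{cidr} is too small to contain a resolver address")
    # broadcast_address is the last address of the range; one below it is the resolver.
    return str(net.broadcast_address - 1)


def check_vpc_listing(api_json: str) -> dict:
    """Cross-check each VPC object's resolver_ip against its ip_range.

    Returns {vpc name: True/False}; False means the two fields disagree,
    which would point at a copy error in hand-maintained configuration.
    """
    vpcs = json.loads(api_json)["vpcs"]
    return {v["name"]: resolver_ip_for(v["ip_range"]) == v["resolver_ip"] for v in vpcs}


# Constructed sample in the shape of the /v2/vpcs response; the third entry
# carries a mismatched resolver_ip on purpose so the check is seen to fail.
SAMPLE_VPC_RESPONSE = json.dumps({
    "vpcs": [
        {"name": "default-nyc2", "ip_range": "10.100.0.0/20", "resolver_ip": "10.100.15.254"},
        {"name": "default-sgp1", "ip_range": "10.104.0.0/20", "resolver_ip": "10.104.15.254"},
        {"name": "hand-edited", "ip_range": "10.136.0.0/16", "resolver_ip": "10.136.255.255"},
    ]
})

if __name__ == "__main__":
    print(resolver_ip_for("10.116.0.0/20"))        # 10.116.15.254
    print(check_vpc_listing(SAMPLE_VPC_RESPONSE))  # hand-edited -> False
```

To run the cross-check against a real listing, save the output of the curl command above (without the jq filter) to a file and pass its contents to check_vpc_listing.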
Update Droplets to Use the VPC-local DNS Resolver
Update your Droplet’s networking configuration to use the VPC-local DNS resolver. This configuration procedure varies between different Linux distributions.
Ubuntu and Debian use Netplan to configure networking, and systemd-resolved to manage DNS resolution. You must update both systems to configure your Droplet to use its VPC-local DNS resolver.
First, update the DigitalOcean-specific systemd-resolved configuration file at /etc/systemd/resolved.conf.d/DigitalOcean.conf:
sudo nano /etc/systemd/resolved.conf.d/DigitalOcean.conf
Replace the two default IP addresses with your single VPC-local DNS resolver IP address:
[Resolve]
DNS=<your-resolver-ip>
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Save and close the file, then restart systemd-resolved:
sudo systemctl restart systemd-resolved
Next, update the Netplan configuration file that cloud-init generated at first boot:
sudo nano /etc/netplan/50-cloud-init.yaml
Remove the nameservers: block from each interface, from nameservers: through search: [] (marked with a comment below). These lines define interface-specific name servers that are not necessary.
network:
  version: 2
  ethernets:
    eth0:
      match:
        macaddress: "ce:68:83:13:e9:dd"
      addresses:
        - "159.203.129.109/20"
        - "10.17.0.6/16"
      nameservers:   # remove this block, from nameservers: through search: []
        addresses:
          - 67.207.67.3
          - 67.207.67.2
        search: []
      set-name: "eth0"
      mtu: 1500
      routes:
        - to: "0.0.0.0/0"
          via: "159.203.128.1"
    eth1:
      match:
        macaddress: "ea:a8:49:d0:7c:09"
      addresses:
        - "10.132.1.108/16"
      nameservers:   # remove this block, from nameservers: through search: []
        addresses:
          - 67.207.67.3
          - 67.207.67.2
        search: []
      set-name: "eth1"
      mtu: 1500
Save and close the file, then apply the changes:
sudo netplan apply
Use resolvectl to display the status of DNS resolution on your system:
sudo resolvectl status
The output shows that the VPC-local DNS server is set as the only available DNS server in the Global section:
Global
         Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
       DNS Servers: 10.132.255.254

Link 2 (eth0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no

Link 3 (eth1)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no
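The resolvectl output above is the state you want: exactly one Global DNS server, and no DNS servers attached to the individual links. The following Python script is an added example, not part of the DigitalOcean guide; it parses resolvectl status output and reports the two ways the procedure above commonly ends up half-applied: the Global section not listing the expected resolver (the DigitalOcean.conf edit or the systemd-resolved restart was skipped), and a link still carrying its own DNS servers (the Netplan nameservers block was left in place or netplan apply was not run). Both status samples in the script are constructed; live_check runs resolvectl on the current host.

```python
"""Check that a Droplet's systemd-resolved setup uses only the VPC-local
resolver, by parsing `resolvectl status` output.

Added example, not from the DigitalOcean guide. The two sample outputs are
constructed; the address 10.132.255.254 is the resolver from the guide's own
sample output.
"""
import re
import subprocess
from typing import Dict, List

# Matches section headers such as "Global" or "Link 2 (eth0)".
_SECTION = re.compile(r"^(Global|Link \d+ \(\S+\))\s*$")


def dns_servers_by_section(status_output: str) -> Dict[str, List[str]]:
    """Return {section name: [DNS servers listed in that section]}."""
    servers: Dict[str, List[str]] = {}
    current = None
    for raw in status_output.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
        elif current and line.startswith("DNS Servers:"):
            servers[current].extend(line.split(":", 1)[1].split())
    return servers


def check_resolver(status_output: str, expected_resolver: str) -> List[str]:
    """Return a list of problems; an empty list means the setup matches the guide."""
    servers = dns_servers_by_section(status_output)
    problems: List[str] = []
    global_servers = servers.get("Global", [])
    if global_servers != [expected_resolver]:
        problems.append(
            f"Global DNS servers are {global_servers or 'unset'}, expected [{expected_resolver!r}]"
        )
    for section, addrs in servers.items():
        if section != "Global" and addrs:
            problems.append(
                f"{section} still has link-specific DNS servers {addrs}; "
                "remove the Netplan nameservers block and run netplan apply"
            )
    return problems


def live_check(expected_resolver: str) -> List[str]:
    """Run resolvectl on this host and check it (requires systemd-resolved)."""
    out = subprocess.run(["resolvectl", "status"], capture_output=True, text=True, check=True).stdout
    return check_resolver(out, expected_resolver)


# Constructed: the intended end state, matching the guide's sample output.
GOOD_STATUS = """\
Global
       Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
     DNS Servers: 10.132.255.254

Link 2 (eth0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no
"""

# Constructed: the Netplan nameservers block was not removed, so eth0 still
# carries the public resolvers alongside the VPC-local one.
STALE_STATUS = """\
Global
       Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
     DNS Servers: 10.132.255.254

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: yes
       DNS Servers: 67.207.67.3 67.207.67.2
"""

if __name__ == "__main__":
    print(check_resolver(GOOD_STATUS, "10.132.255.254"))   # []
    print(check_resolver(STALE_STATUS, "10.132.255.254"))  # one link-specific problem
```

Call live_check with the resolver IP you retrieved earlier to run the same check on the Droplet itself.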
Rocky Linux and CentOS define DNS resolvers in the /etc/resolv.conf file. The following command uses echo to replace the contents of /etc/resolv.conf with a single nameserver <your-resolver-ip> configuration line:
echo "nameserver <your-resolver-ip>" > /etc/resolv.conf
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Fedora configures DNS resolvers in NetworkManager configuration files in the directory /etc/NetworkManager/system-connections/. On a DigitalOcean Droplet, this directory has one file for each interface: cloud-init-ens3.nmconnection and cloud-init-ens4.nmconnection.
Use nano or another text editor to update the dns= line in both files:
dns=<your-resolver-ip>
Replace <your-resolver-ip> with the actual resolver IP address you retrieved in the previous section.
Restart NetworkManager to apply the changes:
sudo systemctl restart NetworkManager
Your system is now configured to use its VPC-local DNS resolver. Use the dig command to verify DNS resolution is functioning properly. Read How to Retrieve DNS Information Using Dig for more information.