Hybrid DNS between AWS and on-prem with AWS Route 53 Resolver

• Author
• Recent Posts

Mohamed Wali

Mohamed is a cloud infrastructure expert with experience in engineering and implementation in AWS and Azure. He currently works as a Cloud Infrastructure Architect at Amazon Web Services.

Latest posts by Mohamed Wali (see all)

• Amazon EC2 on-demand Capacity Reservations: A step-by-step guide - Thu, Oct 7 2021
• Delete the Amazon Machine Image (AMI) and its associated snapshots - Tue, Oct 5 2021
• AWS Cost Anomaly Detection: A step-by-step guide - Thu, Sep 9 2021

Resolver endpoints come in two flavors:

• Inbound endpoints: This would enable your resources in the on-prem network to resolve AWS resource domain names or records in a Route 53 private hosted zone by allowing your on-prem network DNS resolvers to forward queries to Route 53 Resolver.
• Outbound endpoints: This would enable your AWS resources to resolve the domain names of your on-prem network resources using resolver rules, which would forward selected queries to the on-prem network DNS resolvers.

Before we get started, make sure you have the following prerequisites in place:

• Ensure that there's network connectivity between your on-prem network and AWS via a VPN connection or Direct Connect.
• Enable DNS host names and resolutions in the DNS support attributes in the VPC in which you would create the endpoint.
• There's at least a private hosted zone with the records you would like to resolve created there and attached to the VPCs with the resources that the records point to.
• For the inbound endpoint, you would need a security group with inbound rules that allow incoming traffic from the on-prem network IP addresses via the following port:
  • TCP/UDP 53
• For the outbound endpoint, you would need a security group with outbound rules that allow outgoing TCP/UDP traffic to the on-prem network IP addresses via the ports used by the on-prem network DNS servers. By default this is 53, but if other ports are used, configure them accordingly.

Note: Unlike Route 53 hosted zones, Route 53 Resolver endpoints are regional resources, not global.

Resolve domain names in AWS from your on-prem network ^

To be able to resolve AWS resource domain names from your on-prem network, do the following:

Create a Resolver inbound endpoint

Navigate to the Route 53 console and click Inbound endpoints.

Click Create inbound endpoint.

Creating an inbound endpoint

Then enter a name for the endpoint and select a VPC through which all the inbound DNS queries will flow on the way to the Resolver. Then set the security group, which is mentioned in the prerequisites.

Note: The VPC in which you would create the endpoint should be attached to the private hosted zone.

Specifying general settings for the inbound endpoint

Afterward, specify the IP addresses of the endpoint. To improve reliability, Resolver requires that you specify two IP addresses for DNS queries. It is recommended to span them across different availability zones.

Note: You can add more than two IPs if you wish.

Specifying the second IP address settings

Finally, you can set the tags and click Submit to start the endpoint creation.

Submitting the endpoint configurations to be created

Create a conditional forwarder

Now, you need to allow your on-prem network DNS server to conditionally forward DNS queries for the private hosted zone and private AWS resources to the IP addresses of the inbound endpoint created earlier.

Navigate to your on-prem network DNS server and create a conditional forwarder.

Creating a new conditional forwarder

In the DNS Domain field, enter the domain name of the private hosted zone and the IP addresses of the endpoints created earlier. Then select the Store this conditional forwarder in Active Directory option to get the conditional forwarder replicated with other DNS servers in the forest.

Specifying the conditional forwarder configuration

If you would like to resolve private Amazon resources, domain names such as EC2 instances, EFS, etc., which are not publicly exposed, you can create another conditional forwarder. In this case, the DNS domain you specify should be amazonaws.com.

Once the endpoint and the conditional forwarder are created, you can start resolving domain names from your on-prem network against the records in the private hosted zone.

Resolve domain names in your on-prem network from AWS ^

To be able to resolve your on-prem network resource domain names from AWS, do the following:

Create an outbound endpoint

Navigate to the Route 53 console and click Outbound endpoints.

Click Create outbound endpoint.

Creating an outbound endpoint

Follow the same steps you followed in creating an inbound endpoint, but for the security group, select the security group you created earlier for the outbound endpoint.

Create a Resolver rule

Navigate to the Route 53 Console and click Rules.

Click Create rule.

Creating a Resolver rule

Then enter a friendly name for the Resolver rule. Select the Forward rule type, specify the domain name of the on-prem network and the VPCs to which this rule will be associated, the outbound endpoint you created earlier, and the Target IP addresses, which are the IP addresses of the on-prem network DNS servers.

Configuring the Resolver rule

Configuring target IP addresses

Once the configurations are submitted and the rule is created, you can test resolving domain names from the AWS VPCs you specified in the rule configuration against the on-prem network.

Conclusion ^

In this article, we've gone through how to create a hybrid DNS between AWS and on-prem using AWS Resolver endpoints. If you've got any further questions, please mention them in the comments.