How can I avoid DNS resolution failures with an Amazon EC2 Linux instance?

Short description

To decrease CPU and network usage and avoid DNS resolution failures, apply a DNS cache.

If you use a DNS cache to query external DNS resources, then the cache answers most of the recurring DNS queries locally. When the cache does this, it doesn't interact with the DNS resolver over the network. You can query external DNS resources such as the following examples:

• Amazon Relational Database Service (Amazon RDS)
• Amazon ElastiCache
• Amazon Simple Storage Service (Amazon S3)

The following procedure applies to all versions of Amazon Linux. If you use another distribution, then select the documentation for your distribution from the following list:

• For Debian, see Local caching on the debian.org website.
• For Ubuntu, see Local DNS cache on the Ubuntu website.
• For RHEL, see How to configure DNS caching server with dnsmasq in RHEL on the Red Hat customer portal.

Resolution

Set up a local DNS cache with dnsmasq

To set up a local DNS cache, use dnsmasq (a DHCP and cache DNS server). For an overview of dnsmasq, see the dnsmasq documentation.

1.    Install the dnsmasq server:

sudo yum install -y dnsmasq

2.    Create a dedicated system user to run dnsmasq:

sudo groupadd -r dnsmasqsudo useradd -r -g dnsmasq dnsmasq

Note: dnsmasq typically runs as the root user, but it changes to another user after startup (by default, the user is nobody). This drops root privileges.

3.    Create a copy of the dnsmasq.conf file:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

4.    Open the configuration file with a text editor (for example, vim):

sudo vim /etc/dnsmasq.conf

5.    Edit the /etc/dnsmasq.conf file so that it's similar to the following example:

# Server Configurationlisten-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid

# Name resolution options
resolv-file=/etc/resolv.dnsmasq
cache-size=500
neg-ttl=60
domain-needed
bogus-priv

Note: The bogus-priv option in dnsmasq causes a reverse DNS lookup to fail for private IP ranges that aren't in /etc/hosts or the DHCP leases file. If you want to perform a successful reverse lookup, then comment out or remove bogus-priv. For more information, see -b, --bogus-priv on the dnsmasq man page.

6.    Create the /etc/resolv.dnsmasq file, and then set the Amazon DNS server or the custom domain-name-servers that you specified on DHCP options sets:

sudo bash -c "echo 'nameserver 169.254.169.253' > /etc/resolv.dnsmasq"

Note: For more information about DNS server locations, see What is DHCP? In some cases, you need to adjust the file /etc/resolv.dnsmasq to use the name server for that network. Adjust the file when you create an AMI from an instance with the dnsmasq cache to launch in another VPC with a different CIDR. Or, adjust the file when you specify a custom DNS server in your DHCP options.

7.    Restart the dnsmasq server, and set the service to start up on boot:

Amazon Linux 1

sudo service dnsmasq restart
sudo chkconfig dnsmasq on

Amazon Linux 2 and Amazon Linux 2023

sudo systemctl restart dnsmasq.service
sudo systemctl enable dnsmasq.service

8.    To verify that dnsmasq works correctly, use the dig command:

dig aws.amazon.com @127.0.0.1

If the response is similar to the following example, then the dnsmasq cache works correctly:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.56.amzn1 <<>> aws.amazon.com @127.0.0.1;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25122
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aws.amazon.com.            IN    A

;; ANSWER SECTION:
aws.amazon.com.        41    IN    A    54.239.31.69

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
...

9.    Set the dnsmasq DNS cache as the default DNS resolver.

Note: You must suppress the default DNS resolver that DHCP provides. To do this, change or create the /etc/dhcp/dhclient.conf file. For more information, see My private Amazon EC2 instance is running Amazon Linux, Ubuntu, or RHEL. How do I assign a static DNS server to the EC2 instance that persists during reboot?

10.    Configure the default DNS resolver as a fallback option:

sudo bash -c "echo 'supersede domain-name-servers 127.0.0.1, 169.254.169.253;' >> /etc/dhcp/dhclient.conf"

11.    To apply the change, run the dhclient command, restart the network service, or reboot your instance:

sudo dhclient

-or-

sudo systemctl restart network

-or-

sudo reboot

To verify that your instance uses the DNS cache, run the dig command:

dig aws.amazon.com

If the response indicates that the replying server is 127.0.0.1, then the DNS cache works correctly:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.56.amzn1 <<>> aws.amazon.com;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1028
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aws.amazon.com.            IN    A

;; ANSWER SECTION:
aws.amazon.com.        55    IN    A    54.239.31.69

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) <<<-------
...

Automate dnsmasq

To automate the installation and configuration of dnsmasq as a DNS resolver on Amazon Linux, use one of the following options:

• AutomateDnsmasq.sh bash script
• AutomateDnsmasq.cloudinit directives

If you want to automate the dnsmasq installation on other Linux distributions, then use either file to make the necessary customization.

Both files can run on VPC instances because they use the Amazon DNS server alternative address of 169.254.169.253.

To run either file at launch time, pass the contents of the file in the user data field. You can run the Bash script as a standalone script or with an AWS Systems Manager run command to perform the actions on an instance.

To run the Bash script as a standalone script, complete the following steps:

1.    Download the script on your instance, and make it runnable:

wget https://raw.githubusercontent.com/awslabs/aws-support-tools/master/EC2/AutomateDnsmasq/AutomateDnsmasq.shchmod +x AutomateDnsmasq.sh

2.    Run the following command as a root user, or use sudo:

sudo ./AutomateDnsmasq.sh

Related information

Amazon EC2 instance IP addressing