How do I use an Amazon provided DNS name on a Linux machine that's joined with AWS Managed Microsoft AD to mount Amazon EFS?

I use AWS Directory Service for Microsoft Active Directory. I joined my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances to the Active Directory domain. Now, I can't use the EFS DNS name to mount the Amazon Elastic File System (Amazon EFS).

Short description

AWS Managed Microsoft AD forwards all DNS requests to the IP address of the Amazon provided DNS servers for your Amazon Virtual Private Cloud (Amazon VPC). The DNS servers resolve the names that you configured in your Amazon Route 53 private hosted zones. If you don't use Route 53 private hosted zones, then AWS Managed Microsoft AD forwards your DNS requests to public DNS servers. As a result, the DNS requests resolve only to public IP addresses.

Amazon EFS file system domain names automatically resolve to the mount target's IP address in the same VPC. When you change the DNS servers from the default Amazon provided DNS, the file system can't resolve the IP address and the DNS mount fails.

Resolution

Configure your DNS servers

The following example uses AWS Managed Microsoft AD. The DNS servers are 172.31.28.100 and 172.31.4.147. The file system is in the same virtual private cloud (VPC) with the mount target 172.31.47.69.

Complete the following steps:

  1. To confirm that the Linux EC2 instance can connect to the Amazon EFS mount target IP address 172.31.47.69, run the following command:

    nc -vz 172.31.47.69 2049

    Example output:

    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 172.31.47.69:2049.
    Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
  2. On the EC2 Linux server, use the DNS name to mount the file system:

    sudo mount -t efs -o tls fs-123456:/ efs
    df -Th

    Example output:

    Filesystem     Type      Size  Used Avail Use% Mounted on
    devtmpfs       devtmpfs  475M     0  475M   0% /dev
    tmpfs          tmpfs     483M     0  483M   0% /dev/shm
    tmpfs          tmpfs     483M  516K  483M   1% /run
    tmpfs          tmpfs     483M     0  483M   0% /sys/fs/cgroup
    /dev/xvda1     xfs       8.0G  1.6G  6.5G  19% /
    tmpfs          tmpfs      97M     0   97M   0% /run/user/0
    tmpfs          tmpfs      97M     0   97M   0% /run/user/1000
    127.0.0.1:/    nfs4      8.0E     0  8.0E   0% /home/ec2-user/efs

    Then, unmount the file system (the mount point is the efs directory that you mounted in the previous command):

    sudo umount efs

    On the EC2 Linux server, the /etc/resolv.conf file shows the Amazon provided DNS server as the name server:

    cat /etc/resolv.conf

    Example output:

    ; generated by /usr/sbin/dhclient-script
    search eu-west-2.compute.internal
    options timeout:2 attempts:5
    nameserver 172.31.0.2
  3. To integrate AWS Managed Microsoft AD and configure the Active Directory DNS servers on the EC2 Linux server, run the following commands:

    echo 'supersede domain-name-servers 172.31.28.100, 172.31.4.147;' | sudo tee --append /etc/dhcp/dhclient.conf
    echo 'supersede domain-search "rachel.com";' | sudo tee --append /etc/dhcp/dhclient.conf
    sudo dhclient -r
    sudo dhclient
  4. To check that you configured the correct DNS servers in the /etc/resolv.conf file, run the following command:

    cat /etc/resolv.conf

    Example output:

    options timeout:2 attempts:5
    ; generated by /usr/sbin/dhclient-script
    search rachel.com. eu-west-2.compute.internal
    nameserver 172.31.28.100
    nameserver 172.31.4.147
  5. Run the following command to check that the EFS DNS name returns NXDOMAIN:

    dig fs-123456.efs.eu-west-2.amazonaws.com

    Example output:

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> fs-123456.efs.eu-west-2.amazonaws.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57378
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;fs-123456.efs.eu-west-2.amazonaws.com. IN A

    Note: In the preceding output, the DNS request doesn't return an A record, and the status is NXDOMAIN. If you use the DNS name to mount your file system while the Active Directory DNS servers are configured, then the mount fails.

  6. To confirm that the file system can still be mounted by DNS name, check that the EFS DNS name resolves when you query the Amazon provided name server for the VPC directly:

    dig @172.31.0.2 fs-123456.efs.eu-west-2.amazonaws.com

    Example output:

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> fs-123456.efs.eu-west-2.amazonaws.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24926
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;fs-123456.efs.eu-west-2.amazonaws.com. IN A

    ;; ANSWER SECTION:
    fs-123456.efs.eu-west-2.amazonaws.com. 60 IN    A 172.31.25.79

Create a conditional forwarder rule

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To mount your file system, configure conditional forwarders for your AWS Managed Microsoft AD that forward DNS requests for the AWS domain to the Amazon provided DNS. DNS requests for AWS service names then resolve to private IP addresses even though the instance uses the Active Directory provided DNS.

Note: The Amazon provided DNS IP address is the reserved IP address at the base of the VPC IPv4 network range plus two.

To create a conditional forwarder rule, complete the following steps:

  1. Run the create-conditional-forwarder AWS CLI command on the Linux EC2 instance that you want to mount the file system on:

    aws ds create-conditional-forwarder --directory-id d-9c671fb35f --remote-domain-name amazonaws.com --dns-ip-addrs 172.31.0.2 --region eu-west-2

    Use the following parameters:
    For directory-id, enter your Active Directory ID.
    For remote-domain-name, specify the domain to forward (amazonaws.com in this example). The rule applies to all fully qualified domain names (FQDNs) that match that domain or its subdomains.
    For dns-ip-addrs, enter the Amazon provided DNS IP address for the VPC.

  2. To confirm that the EFS DNS name now resolves to the mount target IP address, run the dig command. The output looks similar to the following and shows the resolution of the file system DNS name:

    dig fs-123456.efs.eu-west-2.amazonaws.com

    Example output:

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> fs-123456.efs.eu-west-2.amazonaws.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24926
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;fs-123456.efs.eu-west-2.amazonaws.com. IN A
    ;; ANSWER SECTION:
    fs-123456.efs.eu-west-2.amazonaws.com. 60 IN    A 172.31.25.79
  3. To use the DNS name to mount the file system, run the following commands:

    sudo mount -t efs -o tls fs-123456:/ efs
    df -Th

    Example output:

    Filesystem     Type      Size  Used Avail Use% Mounted on
    devtmpfs       devtmpfs  475M     0  475M   0% /dev
    tmpfs          tmpfs     483M     0  483M   0% /dev/shm
    tmpfs          tmpfs     483M  520K  483M   1% /run
    tmpfs          tmpfs     483M     0  483M   0% /sys/fs/cgroup
    /dev/xvda1     xfs       8.0G  1.6G  6.5G  19% /
    tmpfs          tmpfs      97M     0   97M   0% /run/user/0
    tmpfs          tmpfs      97M     0   97M   0% /run/user/1000
    127.0.0.1:/    nfs4      8.0E     0  8.0E   0% /home/ec2-user/efs
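The checks in the two procedures above (which resolver /etc/resolv.conf points at, whether dig returns NXDOMAIN or an A record, and what the conditional forwarder must point to) can be automated. The following script is an added example and is not part of the AWS article: it derives the Amazon provided resolver from the VPC CIDR (base address plus two, as the note above states), parses resolv.conf and dig output, and returns the parameters for create-conditional-forwarder when the forwarder is what is missing. The resolv.conf and dig text are constructed samples modelled on the outputs shown in the article; the VPC CIDR 172.31.0.0/16 is assumed from the addresses used there.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the article's outputs (not captured from a live host).
RESOLV_CONF_AD = """options timeout:2 attempts:5
; generated by /usr/sbin/dhclient-script
search rachel.com. eu-west-2.compute.internal
nameserver 172.31.28.100
nameserver 172.31.4.147
"""
DIG_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;fs-123456.efs.eu-west-2.amazonaws.com. IN A
"""
DIG_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24926
;; ANSWER SECTION:
fs-123456.efs.eu-west-2.amazonaws.com. 60 IN    A 172.31.25.79
"""


def vpc_resolver(vpc_cidr):
    """The Amazon provided DNS sits at the VPC network base address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def nameservers(resolv_conf):
    """Nameserver addresses in resolv.conf order (the order dhclient wrote them)."""
    return re.findall(r"^nameserver\s+(\S+)", resolv_conf, re.M)


def dig_result(dig_output):
    """Return (status, [A records]) from dig's text output; the QUESTION line has no TTL so it is skipped."""
    status = re.search(r"status:\s*(\w+)", dig_output)
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", dig_output, re.M)
    return (status.group(1) if status else "UNKNOWN", answers)


def diagnose(vpc_cidr, resolv_conf, dig_output, directory_id, region):
    """Decide whether the EFS name is mountable, or whether a conditional forwarder is needed."""
    resolver = vpc_resolver(vpc_cidr)
    status, answers = dig_result(dig_output)
    if status == "NOERROR" and answers:
        return {"action": "mount", "mount_target": answers[0]}
    if resolver in nameservers(resolv_conf):
        # Already using the VPC resolver, so a forwarder would not help; look elsewhere.
        return {"action": "investigate", "reason": "VPC resolver in use but name did not resolve"}
    # AD DNS servers are in use and the name is NXDOMAIN: forward the AWS domain to the VPC resolver.
    return {"action": "create-conditional-forwarder", "directory_id": directory_id,
            "remote_domain_name": "amazonaws.com", "dns_ip_addrs": [resolver], "region": region}
```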

Related information

Configuring DNS servers for Simple AD

Mounting on Amazon EC2 with a DNS name

How do I see a list of my Amazon EC2 instances that are connected to Amazon EFS?

How can I mount an Amazon EFS volume to AWS Batch in a managed compute environment?

AWS OFFICIAL
Updated 2 months ago