How do I use and override auto-defined reverse DNS rules with Route 53 Resolver?
I want to use and override auto-defined reverse DNS rules with Amazon Route 53 Resolver.
Resolution
Prerequisites:
- Turn on the DNS resolution and DNS hostnames attributes of the virtual private cloud (VPC).
- Make sure DNS queries are sent to the Amazon-provided DNS resolver of that VPC.
After DNSHostname is turned on, Route 53 Resolver automatically creates auto-defined system rules that define how queries for selected domains are resolved by default. To override an auto-defined rule, create a forwarding rule (Resolver rule) for the domain name. Reverse DNS name resolution with Resolver depends on auto-defined rules, Resolver rules, and private hosted zone configurations.
The Amazon-provided DNS resolver evaluates the "most specific domain name" rule in the following priority order:
- Resolver rules: Rules that are manually configured for the domain name that the Resolver forwards to the target IP address.
- Rules for private hosted zones: For each private hosted zone you associate with a VPC, the Resolver creates a rule and associates it with the DNS resolver of the VPC. If you associate the private hosted zone with multiple VPCs, then Resolver associates the rule with each VPC's DNS resolver.
- Auto-defined rules for reverse DNS: Resolver creates auto-defined rules for reverse DNS lookup and localhost-related domains when you set enableDnsHostnames for the associated VPC to true.
Auto-defined rules apply to the CIDR block ranges of a VPC and all connected VPCs with DNS support turned on. Resolver creates the most generic rules possible given the CIDR block range.
Override auto-defined rules
The following example uses the following resources:
- DNS query source VPC1 with CIDR 10.237.52.0/22.
- DNSHostname attribute = Enabled.
- DNSSupport attribute = Enabled.
- A VPC2 with CIDR 10.104.2.0/24 that's connected through a transit gateway or VPC peering with DNS support activated.
- VPC DNS resolver = Amazon-provided DNS resolver.
- Route 53 Resolver outbound endpoint with connectivity to 192.168.1.4/32, the DNS server located in another network.
The following is an example of auto-defined system rules that are created by Resolver.
| Rules for private IP addresses | Rules for VPC1 CIDR | Rules for VPC2 CIDR (peered VPC) |
| --- | --- | --- |
| 10.in-addr.arpa. | 52.237.10.in-addr.arpa. | 2.104.10.in-addr.arpa. |
| 16.172.in-addr.arpa. through 31.172.in-addr.arpa. | 53.237.10.in-addr.arpa. | |
| 168.192.in-addr.arpa. | 54.237.10.in-addr.arpa. | |
| 254.169.254.169.in-addr.arpa. | 55.237.10.in-addr.arpa. | |
The following is an example of DNS resolution requirements for the environment where queries are forwarded.
| Priority number | CIDR for reverse DNS query | Destination DNS server |
| --- | --- | --- |
| 1 | 10.237.53.0/24 | 192.168.1.4/32 (another network) |
| 2 | 10.237.52.0/22 except 10.237.53.0/24 | Amazon-provided DNS resolver |
| 3 | 10.104.2.0/24 | Private hosted zone |
| 4 | 10.0.0.0/8 except all of the above | 192.168.1.4/32 (another network) |
To get the preceding configuration, complete the following steps:
Note: The source that performs the DNS query is VPC1 and all requests are sent to the Amazon-provided DNS IP address.
- Create a Resolver rule for domain 53.237.10.in-addr.arpa to override the auto-defined system rule for IP addresses in the 10.237.53.0/24 range. Set the target IP address to 192.168.1.4/32. Because the IP address range 10.237.53.0/24 is part of VPC1 CIDR 10.237.52.0/22, there are auto-defined system rules that apply to this IP address range.
- For IP addresses in the 10.237.52.0/22 except 10.237.53.0/24 range, auto-defined system rules are available. The Amazon-provided DNS resolver resolves these DNS queries.
- Create a private hosted zone for domain name 2.104.10.in-addr.arpa. For IP addresses in the 10.104.2.0/24 range, there's already an auto-defined most specific rule available for VPC2 CIDR. However, rules for private hosted zones have higher priority over auto-defined rules.
- Create a Resolver rule for domain name 10.in-addr.arpa. This rule sends reverse DNS queries for IP addresses in 10.0.0.0/8 range to a DNS server in another network with an IP address of 192.168.1.4/32. The only exception is for IP addresses in the 10.237.52.0/22 and 10.104.2.0/24 ranges. The rule also overrides the auto-defined system rule.
The following rules now meet the requirements and are considered by the Resolver based on priority:
- Custom Resolver rules: 53.237.10.in-addr.arpa. and 10.in-addr.arpa.
- Rule created for private hosted zone: 2.104.10.in-addr.arpa.
Reverse DNS queries for IP addresses in the 10.0.0.0/8 range are resolved based on Resolver rule priority. The rules for the private hosted zone and the auto-defined rules are then selected by the most specific domain name:
| Priority number | IP address range for reverse DNS query | Destination DNS server |
| --- | --- | --- |
| 1 | 10.237.53.0/24 | By 192.168.1.4/32 using the "most specific Resolver rule" |
| 2 | 10.237.52.0/22 except 10.237.53.0/24 | By Amazon-provided DNS resolver with default rules ("most specific system rule") |
| 3 | 10.104.2.0/24 | By Amazon-provided DNS resolver with the rule created for the private hosted zone |
| 4 | 10.0.0.0/8 except all of the above | By 192.168.1.4/32 with the Resolver rule (there are no other, more specific rules available; the Resolver rule with domain name 10.in-addr.arpa. has higher priority than the auto-defined rule for the same domain name) |
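To check the selection logic before changing a production VPC, the following Python model is added here as an example (it is not AWS code and does not call any AWS API): it derives the auto-defined in-addr.arpa rules from the VPC CIDRs in the article, then picks the rule Resolver uses for a reverse lookup by the most specific domain name, breaking ties in the order Resolver rule, private hosted zone, auto-defined rule. The rule names, source labels, and target strings are constructed to mirror the tables above.

```python
import ipaddress

# Tie-break order when two rules share the same domain name (lower wins), in the
# order the article lists: Resolver rules, private hosted zones, auto-defined rules.
SOURCE_PRIORITY = {"resolver_rule": 0, "private_hosted_zone": 1, "auto_defined": 2}
AMAZON_DNS = "Amazon-provided DNS resolver"

def reverse_name(ip):
    """Reverse DNS query name for an IPv4 address: 10.237.53.7 -> 7.53.237.10.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."

def auto_defined_rules(cidr):
    """Constructed model of the auto-defined rules Resolver creates for a VPC CIDR:
    the most generic in-addr.arpa names that still fit inside the block, so
    10.237.52.0/22 yields 52., 53., 54. and 55.237.10.in-addr.arpa. (four /24 names)."""
    net = ipaddress.IPv4Network(cidr)
    octet_prefix = -(-net.prefixlen // 8) * 8  # round up to an octet boundary (22 -> 24)
    subs = [net] if octet_prefix == net.prefixlen else net.subnets(new_prefix=octet_prefix)
    rules = []
    for sub in subs:
        octets = str(sub.network_address).split(".")[: octet_prefix // 8]
        rules.append((".".join(reversed(octets)) + ".in-addr.arpa.", "auto_defined", AMAZON_DNS))
    return rules

def matches(domain, name):
    """True when the rule's domain is the query name itself or one of its parent domains."""
    return name == domain or name.endswith("." + domain)

def resolve_target(ip, rules):
    """Select the rule Resolver would use: longest (most specific) domain name first,
    then SOURCE_PRIORITY to break ties. Returns the destination, or None if nothing matches."""
    name = reverse_name(ip)
    candidates = [r for r in rules if matches(r[0], name)]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].count("."), SOURCE_PRIORITY[r[1]]))
    return best[2]

# Constructed rule set for the article's environment: VPC1 10.237.52.0/22, peered VPC2
# 10.104.2.0/24, the two Resolver rules and the private hosted zone created in the steps above.
RULES = (
    [(f"{n}.in-addr.arpa.", "auto_defined", AMAZON_DNS)
     for n in ["10", "168.192", "254.169.254.169"] + [f"{i}.172" for i in range(16, 32)]]
    + auto_defined_rules("10.237.52.0/22") + auto_defined_rules("10.104.2.0/24")
    + [("53.237.10.in-addr.arpa.", "resolver_rule", "192.168.1.4"),
       ("10.in-addr.arpa.", "resolver_rule", "192.168.1.4"),
       ("2.104.10.in-addr.arpa.", "private_hosted_zone", "Private hosted zone")]
)

if __name__ == "__main__":
    for ip in ["10.237.53.10", "10.237.54.10", "10.104.2.5", "10.1.1.1", "192.168.5.5"]:
        print(ip, "->", resolve_target(ip, RULES))
```

Running it prints one line per sample address, each matching the priority row it falls under in the table above.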
You can also turn off default reverse DNS rules with Route 53 Resolver. For more information, see Forwarding rules for reverse DNS queries in Resolver.