I want to configure an Amazon Route 53 Resolver inbound endpoint to resolve records in my private hosted zone from my remote network.
Short Description
Amazon Virtual Private Cloud (Amazon VPC) allows your VPC to receive automatic DNS resolution from the Route 53 Resolver. Amazon Elastic Compute Cloud (Amazon EC2) instances in a VPC can send DNS queries to the Resolver. To do this, the instance uses the reserved IP address at the base of the VPC CIDR IPv4 network range plus two. If there’s network connectivity between the remote network and VPC, then the remote network's DNS resolvers can forward DNS queries to the VPC's resolver. AWS Direct Connect or a VPN connection accomplishes this connectivity. However, the Resolver doesn’t accept DNS queries from IP addresses that are outside of the VPC network range. To resolve this, create an inbound endpoint in your VPC. This inbound endpoint forwards its received DNS queries to Resolver. The processing for these queries is the same as for queries that originate from within the VPC.
Resolution
Complete the prerequisites
First, turn on DNS hostnames and DNS resolution in the DNS support attributes for the VPC where you want to create an inbound endpoint.
Then, associate the applicable private hosted zone with that VPC.
If the private hosted zone and the VPC are in the same account, then complete the following steps:
- Open the Route 53 console.
- In the navigation pane, choose Hosted Zones.
- Choose the private hosted zone that contains the records that you want to query.
- In the search bar, search for your VPC. Then, choose Associate New VPC.
If the private hosted zone and the VPC are in different accounts, then use the AWS Command Line Interface (AWS CLI) to perform a cross-account association.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Confirm that your on-premises DNS server sends only recursive queries. Route 53 inbound resolver doesn’t support iterative queries.
Confirm that the route table that's associated with the subnets where you created the inbound endpoint resolver includes a route to the on-premises network.
If you use custom network access control lists (network ACLs) with the subnet where you created the inbound endpoint, then you must allow certain traffic. Make sure that the network ACLs allow traffic on the following ports:
- UDP and TCP traffic to the on-premises DNS server on destination port range 1024-65535 (outbound network ACL rule).
- UDP and TCP traffic from the on-premises DNS server on port 53 (inbound network ACL rule).
- Any security group that's associated with the inbound endpoint must allow traffic on TCP and UDP port 53 from your on-premises DNS server IP address.
If you have a firewall between the on-premises network and AWS, then the firewall must permit certain traffic. Make sure that it allows traffic on TCP and UDP port 53 for your on-premises DNS server IP addresses.
You must also establish connectivity to the inbound resolver endpoint IP addresses over the AWS Direct Connect connection.
Configure an inbound endpoint
1. Open the Route 53 console.
2. In the navigation pane, choose Inbound endpoints.
3. On the navigation bar, choose the AWS Region for the VPC where you want to create the inbound endpoint.
4. Choose Create inbound endpoint.
5. Complete the General settings for inbound endpoint. Choose a Security group for this endpoint that allows inbound UDP and TCP traffic from the remote network on destination port 53.
6. Choose 2-6 IP addresses for DNS queries. You can let Resolver choose IP addresses for you from the available IP addresses in the subnet. Or, you can specify the IP addresses. It's a best practice to choose IP addresses in at least two different Availability Zones.
7. For the Subnet of each IP address, choose subnets that have the following values:
Corresponding route tables: These route tables must include routes to the IP addresses of the DNS resolvers on your remote network through AWS Direct Connect or a VPN.
Network ACLs: These must allow both UDP and TCP traffic from the remote network on destination port 53. Also, they must allow both UDP and TCP traffic to the remote network on the destination port range of 1024-65535. Depending on your client type, you might use a different range for your network ACLs.
8. (Optional) Complete the Tags section.
9. Choose Create inbound endpoint.
Note: There's no FQDN for the inbound resolver endpoint. Therefore, when you create an inbound endpoint, Route 53 creates elastic network interfaces in the selected subnets. The IP addresses of these network interfaces receive and forward the DNS queries.
Test your configuration
Before testing, confirm that your configuration accounts for the following conditions:
- The remote network's DNS server must conditionally forward DNS queries for the private hosted zone’s domain name to the inbound endpoint's IP addresses.
- The remote DNS server must forward DNS queries for the domain name instead of delegating authority of the domain name to the inbound endpoint.
- Inbound endpoints support only recursive DNS queries. Iterative DNS queries that are sent to the inbound endpoints time out. If the on-premises DNS server sends a DNS query with Recursion Desired set to 0 (false), then the inbound endpoint doesn't provide an answer. You can find this information in the packet capture.
- If you use AWS Transit Gateway, then verify that the subnets are associated with Transit Gateway attachments. This is necessary to resolve DNS queries.
To test your configuration, perform DNS resolution for one of the records in the private hosted zone from a client on the remote network. In the following commands, replace RECORD_NAME and RECORD_TYPE with your relevant values:
For Linux or macOS, run dig RECORD_NAME RECORD_TYPE, such as in the following example:
dig example.com A
For Windows, run nslookup -type=RECORD_TYPE RECORD_NAME, such as in the following example:
nslookup -type=A example.com
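The following Python script is an added example (not part of this article or of AWS tooling) that checks the Recursion Desired condition described in the test prerequisites: it builds a raw DNS query with the RD bit set or cleared, shows how to read that bit from a query taken from a packet capture, and can send both variants to an inbound endpoint so you can confirm that only the recursive query gets an answer. The endpoint IP, record name, and captured bytes are constructed placeholders.

```python
import socket
import struct

# Constructed placeholders: replace with an inbound endpoint IP address and a
# record in your private hosted zone. Not taken from any real deployment.
INBOUND_ENDPOINT_IP = "10.0.1.53"
RECORD_NAME = "db.example.internal"

RD_FLAG = 0x0100  # Recursion Desired bit in the DNS header flags field

# Constructed sample of an iterative query (flags 0x0000) as it would appear
# in a packet capture from the on-premises DNS server.
CAPTURED_ITERATIVE_QUERY = bytes.fromhex("beef00000001000000000000") + \
    b"\x02db\x07example\x08internal\x00\x00\x01\x00\x01"

def build_query(name, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a raw DNS query for `name` (qtype 1 = A record). Clearing the RD
    bit reproduces the iterative query that the inbound endpoint will not answer."""
    flags = RD_FLAG if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def has_rd_bit(packet):
    """Read the RD bit from a DNS message, such as a query copied from a capture."""
    flags = struct.unpack(">H", packet[2:4])[0]
    return bool(flags & RD_FLAG)

def classify_query(packet):
    """Label a captured query the way the article distinguishes them."""
    return "recursive" if has_rd_bit(packet) else "iterative"

def query_endpoint(endpoint_ip, name, recursion_desired=True, timeout=3.0):
    """Send the query over UDP/53 and return (answered, answer_count).
    For an iterative query the expected outcome is a timeout, so (False, 0)."""
    pkt = build_query(name, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (endpoint_ip, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, 0
    ancount = struct.unpack(">H", resp[6:8])[0]
    return True, ancount

if __name__ == "__main__":
    for rd in (True, False):
        answered, count = query_endpoint(INBOUND_ENDPOINT_IP, RECORD_NAME, rd)
        print(f"RD={int(rd)}: answered={answered}, answers={count}")
```

Run it from a client on the remote network; the RD=1 line should report an answer while the RD=0 line should report a timeout, matching the behaviour the article describes.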
Related Information
Resolving DNS queries between VPCs and your network
Forwarding outbound DNS queries to your network
Managing outbound endpoints
How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?