How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?


I want to configure an Amazon Route 53 Resolver outbound endpoint to forward DNS queries from my remote network to Amazon Elastic Compute Cloud (Amazon EC2) instances in Amazon Virtual Private Cloud (Amazon VPC).

Short description

To configure a Route 53 Resolver outbound endpoint, create an endpoint in your Amazon VPC and specify target IP addresses. Then, set up Resolver rules to forward DNS queries to your remote DNS servers.

Resolution

Prerequisites

  • Turn on DNS resolution in the DNS attributes for your VPC that's associated with the Resolver rule.
  • For custom DNS servers or Active Directory servers in your VPC DHCP options, configure them to conditionally forward DNS queries to your VPC's DNS servers. For example, if the primary CIDR range for your VPC is 172.31.0.0/16, then your VPC DNS server's IP address is 172.31.0.2. This is the Amazon VPC network range plus two.
  • If you're not using a custom DNS server in your VPC, then set the domain name servers in DHCP options to either:
    AmazonProvidedDNS
    The reserved IP address (VPC IPv4 network range plus two)

Configure an outbound endpoint

To configure an outbound endpoint, complete the following steps:

  1. Open the Route 53 console.
  2. In the navigation pane, choose Outbound endpoints.
  3. In the navigation bar, choose the Region for the VPC where you want to create the outbound endpoint.
  4. Choose Create outbound endpoint.
  5. On the Create outbound endpoint page, complete the General settings for outbound endpoint section.
    Choose a Security group that allows outbound TCP and UDP connectivity to the following:
    IP addresses that the resolvers use for DNS queries on your remote network.
    Ports that the resolvers use for DNS queries on your remote network.
  6. Complete the IP addresses section.
    You can set the Resolver to choose IP addresses from the available IP addresses in the subnet or specify IP addresses.
    Choose between a minimum of two and a maximum of six IP addresses for DNS queries.
    It's a best practice to choose IP addresses in at least two different Availability Zones.
  7. For Subnet, select subnets that have:
    Route tables with routes to your remote network DNS resolver IP addresses. You can use AWS Direct Connect, AWS VPN connection, or NAT gateway for these routes.
    Network access control lists (ACLs) that allow UDP and TCP traffic to resolver IP addresses and ports on your remote network.
    Return traffic from the remote resolvers back to the endpoint on destination port range 1024-65535 (the ephemeral source ports that the endpoint uses for its queries).
  8. (Optional) Complete the Tags section.
  9. Choose Submit.

Configure a Resolver rule

To create a new Resolver rule, complete the following steps:

  1. Open the Route 53 console.
  2. Choose Rules from the Route 53 navigation pane.
  3. On the navigation bar, choose the Region where the newly created outbound endpoint exists.
  4. Choose Create rule.
  5. On the Create rule page, complete the Rule for outbound traffic sections.
    For Rule type, configure a Forward rule. Associate it with the VPC from which you want the rule to forward DNS queries to your remote network.
    For Outbound endpoint, choose the outbound endpoint that you created.
    Note: The VPC that's associated with this rule doesn't need to be the same VPC where you created the outbound endpoint.
  6. Complete the IP addresses section.
    For IP address, specify the IP addresses of the DNS resolvers on your remote network.
    For Port, specify the ports that these resolvers use for DNS queries.
    Note: Resolver forwards any DNS queries that match this rule and originate from a VPC that's associated with this rule to the referenced outbound endpoint. In this case, Resolver forwards these queries to the target IP addresses that you specified in the IP addresses section.
  7. (Optional) Complete the Tags section.
  8. Choose Submit.
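The same two procedures (outbound endpoint, then forward rule) can be scripted against the Route 53 Resolver API. The following is an added example, not code from the AWS article: it builds the boto3 request parameters while checking the constraints stated above (two to six endpoint IP addresses, subnets in at least two Availability Zones, a valid resolver port) and derives a least-privilege security group egress list for the remote resolvers. All subnet, security group, VPC and endpoint IDs, the remote resolver addresses and the domain name are constructed placeholders.

```python
"""Build the API requests for a Route 53 Resolver outbound endpoint and a FORWARD
rule, enforcing the runbook's constraints (2 to 6 endpoint IPs, at least two AZs,
remote resolvers on a valid port). All IDs, IPs and names are constructed placeholders."""
import ipaddress
import uuid


def endpoint_request(name, security_group_ids, ip_addresses):
    """ip_addresses: list of (subnet_id, availability_zone, ip_or_None).
    Returns kwargs for route53resolver.create_resolver_endpoint."""
    if not 2 <= len(ip_addresses) <= 6:
        raise ValueError("an outbound endpoint needs between 2 and 6 IP addresses")
    if len({az for _, az, _ in ip_addresses}) < 2:
        raise ValueError("use subnets in at least two Availability Zones")
    ips = []
    for subnet_id, _az, ip in ip_addresses:
        entry = {"SubnetId": subnet_id}
        if ip is not None:  # omit Ip and Resolver picks a free address in the subnet
            entry["Ip"] = str(ipaddress.IPv4Address(ip))
        ips.append(entry)
    return {"CreatorRequestId": str(uuid.uuid4()), "Name": name, "Direction": "OUTBOUND",
            "SecurityGroupIds": list(security_group_ids), "IpAddresses": ips}


def forward_rule_request(name, domain_name, endpoint_id, target_ips, port=53):
    """Returns kwargs for create_resolver_rule: forward domain_name to the remote resolvers."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not target_ips:
        raise ValueError("at least one remote resolver IP is required")
    targets = [{"Ip": str(ipaddress.IPv4Address(ip)), "Port": port} for ip in target_ips]
    return {"CreatorRequestId": str(uuid.uuid4()), "Name": name, "RuleType": "FORWARD",
            "DomainName": domain_name, "ResolverEndpointId": endpoint_id, "TargetIps": targets}


def egress_permissions(target_ips, port=53):
    """Security group egress scoped to the remote resolvers' IPs and DNS port, UDP and TCP."""
    ranges = [{"CidrIp": f"{ipaddress.IPv4Address(ip)}/32"} for ip in target_ips]
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": ranges}
            for proto in ("udp", "tcp")]


if __name__ == "__main__":  # live run; needs AWS credentials and real resource IDs
    import boto3
    r53r = boto3.client("route53resolver")
    subnets = [("subnet-0aaaaaaaaaaaaaaa1", "us-east-1a", None),
               ("subnet-0bbbbbbbbbbbbbbb2", "us-east-1b", None)]
    ep = r53r.create_resolver_endpoint(**endpoint_request("onprem-out", ["sg-0ccccccccccccccc3"], subnets))
    rule = r53r.create_resolver_rule(**forward_rule_request("corp", "corp.example", ep["ResolverEndpoint"]["Id"], ["10.0.0.2", "10.0.1.2"]))
    r53r.associate_resolver_rule(ResolverRuleId=rule["ResolverRule"]["Id"], VPCId="vpc-0dddddddddddddddd4")
```

The egress list from `egress_permissions` is what you would pass to `ec2.authorize_security_group_egress(GroupId=..., IpPermissions=...)` for the endpoint's security group, after removing the default allow-all egress rule.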

For a rule in your AWS account:

  • If you have an existing rule for the same domain and AWS Region as your VPC, then don't create a new rule.
  • Instead, select the rule from the dashboard and associate it with your VPCs in that Region.

For a rule in a different account:

  • Use AWS Resource Access Manager to share the rule from the remote account to your account.
  • When shared, you also receive access to the corresponding outbound endpoint.
  • Select the shared rule from your dashboard and associate it with your VPCs.

Note: You don't need network connectivity between your VPCs to forward DNS queries to a Resolver rule. This applies to VPCs in the same or different accounts. Network connectivity is only required between your outbound endpoint's VPC and the remote DNS resolvers.

Test your configuration

To test your configuration, perform a DNS resolution from one of the Amazon EC2 instances in your VPC:

  • For Linux or macOS: dig <record name> <record type>
  • For Windows: nslookup -type=<record type> <record name>

Related information

Resolving DNS queries between VPCs and your network

Forwarding outbound DNS queries to your network

Managing outbound endpoints