How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?

Short description

A VPC created with Amazon VPC receives automatic DNS resolution from Route 53 Resolver. You can configure the Resolver to forward DNS queries for domain names from EC2 instances in your Amazon VPCs to DNS resolvers on your remote network.

To forward DNS queries, create each of the following:

• An outbound endpoint to send DNS queries to the remote network.
• A Resolver rule to specify the domain name of the DNS queries that the Resolver forwards to the remote DNS servers.

Resolution

Prerequisites

• Turn on DNS Resolution in the DNS support attributes for the VPC associated with the Resolver rule.
• If you're using a custom DNS server in the VPC: Configure the DNS server to conditionally forward DNS queries for the applicable domain name to the Resolver. The custom DNS server must use the reserved IP address at the base of the VPC IPv4 network range plus two.
• If you're not using a custom DNS server in the VPC: Set the Domain name servers in the DHCP options to one of the following:
  • AmazonProvidedDNS
  • The reserved IP address at the base of the VPC IPv4 network range plus two

Configure an outbound endpoint

1. Open the Route 53 console.
2. In the navigation pane, choose Outbound endpoints.
3. On the navigation bar, choose the Region for the VPC where you want to create the outbound endpoint.
4. Choose Create outbound endpoint.
5. On the Create outbound endpoint page, complete the General settings for outbound endpoint section. Choose a Security group that allows outbound TCP and UDP connectivity to the following:
   • IP addresses that the resolvers use for DNS queries on your remote network.
   • Ports that the resolvers use for DNS queries on your remote network.
6. Complete the IP addresses section. You can set the Resolver to choose IP addresses for you from the available IP addresses in the subnet. Or, you can specify IP addresses. Choose between two (minimum) and six (maximum) IP addresses for DNS queries. It's a best practice to choose IP addresses in at least two different Availability Zones. For Subnet, choose subnets that have corresponding:

• Route tables that include routes to the IP addresses of the DNS resolvers on your remote network using AWS Direct Connect, a VPN connection, or a network address translation (NAT) gateway.
• Network access control lists (ACLs) that allow UDP and TCP traffic to the IP addresses and the ports that the resolvers use for DNS queries on your remote network. And, network ACLs that allow traffic from resolvers on destination port range 1024-65535.

8. (Optional) Complete the Tags section.
9. Choose Submit.

Configure a Resolver rule

To create a new rule:

1. Open the Route 53 console.
2. Choose Rules from the Route 53 navigation pane.
3. On the navigation bar, choose the Region where the newly created outbound endpoint exists.
4. Choose Create rule.
5. On the Create rule page, complete the Rule for outbound traffic sections. For Rule type, configure a Forward rule and associate it to the VPC from where DNS queries are forwarded to your remote network. For Outbound endpoint, choose the outbound endpoint that you just created.
   Note: The VPC associated with this rule doesn't need to be the same VPC where you created the outbound endpoint.
6. Complete the IP addresses section. For IP address, specify the IP addresses of the DNS resolvers on your remote network. For Port, specify the ports that these resolvers use for DNS queries.
   Note: Resolver forwards any DNS queries that match this rule and originate from a VPC associated with this rule to the referenced outbound endpoint. So, these queries are forwarded to the target IP addresses you specify in the IP addresses section.
7. (Optional) Complete the Tags section.
8. Choose Submit.

To use an existing rule:

• If you already have a rule for the same domain in the same Region as the VPC in your account: Associate the rule to your VPC instead of creating a new rule. Select the rule from the rule dashboard and associate it to the applicable VPCs in the Region.
• If you already have a rule for the same domain in the same Region as your VPC but in a different account: Use the AWS Resource Access Manager to share the rule from the remote account to your account. When you share a rule, you also share the corresponding outbound endpoint. After you share the rule with your account, select the rule from the rule dashboard and associate it to the VPCs in your account.

Note: Network connectivity isn't required to forward DNS queries from a VPC associated to a Resolver rule to the VPC where the outbound endpoint is located. This is true whether or not the VPCs are in the same account. Network connectivity to the DNS resolvers is only required from the VPC where the outbound endpoints reside.

Test your configuration

Perform a DNS resolution from one of the Amazon EC2 instances in your VPC:

• For Linux or macOS: dig <record name> <record type>
• For Windows: nslookup -type=<record type> <record name>

Related information

Resolving DNS queries between VPCs and your network

Forwarding outbound DNS queries to your network

Managing outbound endpoints