How can I use and override reverse DNS rules with Route 53 Resolver?

5 minute read

How do I use and override auto-defined reverse DNS rules with Amazon Route 53 Resolver?


How Resolver rules and auto-defined rules interact

After you set the VPC attribute enableDnsHostnames to true, Resolver automatically creates auto-defined system rules that determine how queries for certain domains are resolved by default. To override an auto-defined rule, create a Resolver rule (a forwarding rule) for the same domain name. How a reverse DNS query is resolved therefore depends on three things: the auto-defined rules, the Resolver rules, and the private hosted zones associated with the VPC.

The Amazon-provided DNS resolver first selects the rule with the most specific matching domain name. When more than one kind of rule exists for that same domain name, it applies them in the following priority order:

  1. Resolver rules – Rules that you configure manually. Queries for the rule's domain name are forwarded to the target IP addresses that you specify.
  2. Rules for private hosted zones – For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the DNS resolver of that VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with each VPC's DNS resolver.
  3. Auto-defined rules for reverse DNS – Resolver creates auto-defined rules for reverse DNS lookups and for localhost-related domains when you set enableDnsHostnames to true for the VPC.

Auto-defined reverse DNS rules cover the CIDR blocks of the VPC and of every connected VPC that has DNS support enabled. Resolver creates the broadest rules that still cover each CIDR block.

Example of how to override auto-defined rules

The resources in this example are as follows:

  • DNS query source VPC1 with CIDR
  • enableDnsHostnames attribute = true
  • enableDnsSupport attribute = true
  • Connected VPC2 (connected through a transit gateway or VPC peering with DNS support enabled) with CIDR
  • VPC DNS resolver = Amazon-provided DNS resolver
  • Route 53 Resolver outbound endpoint with connectivity to (DNS server located in another network)

Resolver then creates the following auto-defined system rules:

  • Rules for the private IP address ranges
  • Rules for the VPC1 CIDR
  • Rules for the VPC2 CIDR (the VPC connected through VPC peering or a transit gateway)

The reverse DNS resolution requirements for this environment are:

  Priority  CIDR for reverse DNS query                    Destination DNS server
  1         (range within the VPC1 CIDR)                  DNS server in another network
  2         (VPC1 CIDR except the range in priority 1)    Amazon-provided DNS resolver
  3         10.104.2.0/24                                 Private hosted zone
  4         10.0.0.0/8 except all of the above            192.168.1.4/32 (another network)

The following steps achieve the preceding configuration:
Note: VPC1 is the source of all DNS queries, and every query is sent to the Amazon-provided DNS IP address (the VPC network address plus two).

  1. Because this IP address range is part of the VPC1 CIDR, an auto-defined system rule already covers it. Create a Resolver rule for the corresponding reverse DNS domain name to override that auto-defined rule, and set the rule's target IP address to the DNS server in the other network.
  2. For the remaining IP addresses in the VPC1 CIDR (everything except the range in step 1), the auto-defined system rules stay in effect, and the Amazon-provided DNS resolver answers these queries.
  3. For IP addresses in the 10.104.2.0/24 range, an auto-defined rule for the VPC2 CIDR already provides the most specific match. Because a rule for a private hosted zone has higher priority than an auto-defined rule for the same domain name, create a private hosted zone for the corresponding reverse DNS domain name and associate it with VPC1, the VPC that sends the queries.
  4. Create a Resolver rule for the reverse DNS domain name that covers 10.0.0.0/8. This rule sends reverse DNS queries for IP addresses in 10.0.0.0/8, except the more specific ranges handled in steps 1 to 3, to the DNS server in the other network at 192.168.1.4. Because the auto-defined rule for private IP addresses uses the same domain name, this Resolver rule overrides it.

The following rules now meet the requirements and are evaluated by Resolver in priority order:

  • Custom Resolver rules: the rule from step 1 and the rule from step 4
  • Rule created for the private hosted zone from step 3

Reverse DNS queries for IP addresses in the 10.0.0.0/8 range are resolved by the most specific domain name first and then by rule priority (Resolver rule, then private hosted zone rule, then auto-defined rule), as follows:

  Priority  IP address range for reverse DNS query        Resolved by
  1         (range within the VPC1 CIDR)                  The most specific Resolver rule (step 1)
  2         (VPC1 CIDR except the range in priority 1)    Amazon-provided DNS resolver using the default auto-defined rules (most specific system rule)
  3         10.104.2.0/24                                 Amazon-provided DNS resolver using the rule created for the private hosted zone
  4         10.0.0.0/8 except all of the above            The Resolver rule from step 4 (no more specific rule exists, and a Resolver rule has higher priority than the auto-defined rule for the same domain name)
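As an added worked example (not part of the AWS article and not an AWS API), the following Python script models the evaluation described in the steps and the table above: it derives the in-addr.arpa names that cover a CIDR at octet boundaries, builds the auto-defined, private hosted zone and Resolver rules for the example environment, and reports which rule wins for a given IP address. The 10.104.2.0/24 private hosted zone and the 10.0.0.0/8 rule forwarding to 192.168.1.4 come from the table; the VPC1 and VPC2 CIDRs, the step-1 override range and its target are assumptions chosen for this example, and the rule dictionaries and function names are the script's own.

```python
import ipaddress

# Order in which Resolver prefers rule kinds that share the same domain name:
# a Resolver (forwarding) rule beats a private hosted zone, which beats an
# auto-defined system rule.
KIND_PRIORITY = {"resolver_rule": 0, "private_hosted_zone": 1, "auto_defined": 2}

# RFC 1918 ranges for which Resolver creates auto-defined reverse DNS rules.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def reverse_zones(cidr):
    """in-addr.arpa names covering an IPv4 CIDR at octet boundaries.

    /8, /16 and /24 map to one name each; a prefix in between is split into
    the smallest set of octet-aligned blocks, e.g. 10.0.0.0/23 gives
    0.0.10.in-addr.arpa and 1.0.10.in-addr.arpa. Prefixes longer than /24
    are outside what this example covers.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not 8 <= net.prefixlen <= 24:
        raise ValueError("only /8 to /24 prefixes are handled here")
    aligned = ((net.prefixlen + 7) // 8) * 8
    names = []
    for block in net.subnets(new_prefix=aligned):
        octets = str(block.network_address).split(".")[: aligned // 8]
        names.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return names


def ptr_name(ip):
    """Reverse DNS query name for an IPv4 address (10.1.2.3 -> 3.2.1.10.in-addr.arpa)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_rules(env):
    """Build the rule set Resolver would hold for the example environment."""
    rules = []
    # Auto-defined rules: private ranges plus the CIDRs of the query VPC and of
    # the connected VPC with DNS support enabled; answered by Amazon-provided DNS.
    for cidr in PRIVATE_RANGES + (env["vpc1_cidr"], env["vpc2_cidr"]):
        for name in reverse_zones(cidr):
            rules.append({"kind": "auto_defined", "domain": name, "target": "AmazonProvidedDNS"})
    # Rule created for the private hosted zone associated with the query VPC.
    for name in reverse_zones(env["phz_cidr"]):
        rules.append({"kind": "private_hosted_zone", "domain": name, "target": "PrivateHostedZone"})
    # Resolver (forwarding) rules with their target DNS server in another network.
    for cidr, target in env["forwarding"]:
        for name in reverse_zones(cidr):
            rules.append({"kind": "resolver_rule", "domain": name, "target": target})
    return rules


def select_rule(query_name, rules):
    """Most specific matching domain wins; ties between kinds go by KIND_PRIORITY."""
    q = query_name.lower().rstrip(".")
    matches = [r for r in rules if q == r["domain"] or q.endswith("." + r["domain"])]
    if not matches:
        return None  # no rule matches: Resolver performs normal public recursion
    return min(matches, key=lambda r: (-r["domain"].count("."), KIND_PRIORITY[r["kind"]]))


def destination(ip, rules):
    """Return (kind, domain, target) for the rule that handles a reverse query for ip."""
    rule = select_rule(ptr_name(ip), rules)
    return None if rule is None else (rule["kind"], rule["domain"], rule["target"])


# Constructed environment for this example. Only the 10.104.2.0/24 private
# hosted zone and the 10.0.0.0/8 rule to 192.168.1.4 come from the article;
# the VPC CIDRs and the step-1 override range and target are assumptions.
EXAMPLE_ENV = {
    "vpc1_cidr": "10.1.0.0/16",          # assumed VPC1 CIDR
    "vpc2_cidr": "10.104.2.0/24",        # assumed VPC2 CIDR
    "phz_cidr": "10.104.2.0/24",         # private hosted zone range (article, priority 3)
    "forwarding": [
        ("10.1.5.0/24", "192.168.1.4"),  # step 1 override range and target (assumed)
        ("10.0.0.0/8", "192.168.1.4"),   # step 4 rule (article, priority 4)
    ],
}

if __name__ == "__main__":
    rules = build_rules(EXAMPLE_ENV)
    for ip in ("10.1.5.9", "10.1.7.9", "10.104.2.7", "10.55.1.1", "192.168.1.20", "8.8.8.8"):
        print(ip, "->", destination(ip, rules))
```

Running the script walks through the four priority rows: an address in the step-1 range goes to the forwarding target, the rest of the VPC1 CIDR stays with the Amazon-provided resolver under its auto-defined rule, 10.104.2.x is answered from the private hosted zone even though an auto-defined rule with the same name exists, and any other 10.x address falls through to the 10.0.0.0/8 Resolver rule because no more specific rule matches.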

You can also turn off the default reverse DNS rules in Route 53 Resolver. For more information, see Forwarding rules for reverse DNS queries in Resolver.

Related information

Resolving DNS queries between VPCs and your network

Forwarding outbound DNS queries to your network

AWS OFFICIAL. Updated 2 years ago