
Route53 Private

0

Hi, I have a question about Route53 DHCP Options: if your infra is running in eu-central-1, then by default the DHCP options set attached to your VPC has a rule to resolve DNS requests that come to eu-central-1.compute.internal, and that is ok. But if you want to have a private Route53 zone, for example 123.local, then you should create a DHCP options set pointing to 123.local and attach that to the VPC; but then what will happen to eu-central-1.compute.internal? You cannot resolve it anymore, since as far as I understand you can only attach one DHCP options set to a VPC, which is ok. Or if I have 2 domains like 123.local and 321.local and want to connect both to a single VPC, what should I do?

asked 2 years ago · 540 views
3 Answers
1

The domain name that you specify in the VPC's DHCP option set only specifies the domain name that the machines obtaining IP addresses via DHCP consider themselves as having. It doesn't affect their ability to resolve names in other DNS zones. DHCP is a mechanism by which virtual machines in your VPC can obtain IP addresses for themselves without them being manually configured in the machine's operating system, and when the VPC's DHCP service assigns an IP address to the machine, it can also tell the machine that its "default" domain name is the one specified in the DHCP option set. The machine will consider this as its "local" domain name, but it won't affect its ability to resolve DNS names for other domains.

You can associate as many private hosted zones as you have in Route 53 with your VPC. If you associate the private hosted zone 123.local with your VPC and additionally associate 321.local with the same VPC, names in both zones will resolve, and so will names in eu-central-1.compute.internal, which AWS transparently injects into your VPC's Route 53 resolver rules by default.

You won't need any BIND servers, Route 53 Resolver inbound endpoints, resolver rules, or anything else aside from associating the private hosted zones with your VPC.

EXPERT
answered 2 years ago
  • Thanks for your answer, you are fully correct. I also tried to do the same thing, but it is not working for me, and the reason is that I tried to use .local domains, which, per RFC 6762, "Any DNS query for a name ending with ".local." MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB)." But if you use normal domains like .com or .net it is fully ok.

  • Do you need to use .local domains specifically, or could you choose something else for the top level domain, such as .internal? If you do need to use .local specifically, which operating system are you using? The regular concept of link local networking doesn't apply to VPCs as software-defined networks primarily designed for unicast traffic, and there are options both in Windows and Linux to disable multicast DNS resolution.
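As an added example (not part of the answer or comments above), a boto3 script that makes the approach described here idempotent: it lists the private hosted zones already associated with the VPC, associates the account's existing ones or creates the missing ones, and flags names under .local for the RFC 6762 reason raised in the comments. The VPC ID, Region and zone names are constructed placeholders.

```python
"""Added example: ensure a set of Route 53 private hosted zones is associated with one VPC."""
from __future__ import annotations

# Constructed placeholders: replace with your own VPC, Region and zone names.
VPC_ID = "vpc-0123456789abcdef0"
VPC_REGION = "eu-central-1"
WANTED_ZONES = ["123.local", "321.local"]


def normalize(name: str) -> str:
    """Route 53 returns zone names lower-case with a trailing dot; compare in that form."""
    return name.lower().rstrip(".") + "."


def mdns_warnings(zones: list[str]) -> list[str]:
    """Names under .local are reserved for multicast DNS (RFC 6762), so a client
    may never send them to the VPC resolver even though the zone is associated."""
    return [z for z in zones if normalize(z).endswith(".local.")]


def plan(vpc_zones: set[str], account_zones: dict[str, str], wanted: list[str]):
    """Per wanted zone: already associated, associate an existing private zone
    (account_zones maps name -> hosted zone id), or create it. No AWS calls here."""
    already, associate, create = [], [], []
    for zone in wanted:
        name = normalize(zone)
        if name in vpc_zones:
            already.append(name)
        elif name in account_zones:
            associate.append((name, account_zones[name]))
        else:
            create.append(name)
    return already, associate, create


def main() -> None:
    import uuid
    import boto3  # imported here so the pure helpers above work without it
    r53 = boto3.client("route53")
    vpc = {"VPCRegion": VPC_REGION, "VPCId": VPC_ID}
    summaries = r53.list_hosted_zones_by_vpc(VPCId=VPC_ID, VPCRegion=VPC_REGION)["HostedZoneSummaries"]
    vpc_zones = {normalize(s["Name"]) for s in summaries}
    # list_hosted_zones returns at most 100 zones per call; paginate for larger accounts.
    account_zones = {normalize(z["Name"]): z["Id"].split("/")[-1]
                     for z in r53.list_hosted_zones()["HostedZones"] if z["Config"].get("PrivateZone")}
    for zone in mdns_warnings(WANTED_ZONES):
        print(f"warning: {zone} is under .local; clients may send it to mDNS, not the VPC resolver")
    already, associate, create = plan(vpc_zones, account_zones, WANTED_ZONES)
    for _name, zone_id in associate:
        r53.associate_vpc_with_hosted_zone(HostedZoneId=zone_id, VPC=vpc)
    for name in create:  # passing VPC= creates a private zone already associated with this VPC
        r53.create_hosted_zone(Name=name, VPC=vpc, CallerReference=str(uuid.uuid4()),
                               HostedZoneConfig={"PrivateZone": True})
    print(f"already: {already}  associated: {[n for n, _ in associate]}  created: {create}")


if __name__ == "__main__":
    main()
```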

0
  1. Custom DNS Server: Set up a custom DNS server (such as a BIND server or even Route 53 Resolver inbound endpoints) within your VPC that can handle the resolution for 123.local and 321.local.

  2. Forwarding to Amazon-Provided DNS: Configure your custom DNS server to forward any unknown queries (e.g., for eu-central-1.compute.internal) to the Amazon-provided DNS server (x.x.x.2). This way, your custom DNS server will resolve your private domains and forward everything else to the default AWS DNS.

Example configuration for a BIND DNS server:

// Forward the two private domains to the servers that are authoritative for them
zone "123.local" {
    type forward;
    forwarders { <IP_of_custom_dns_for_123.local>; };
};

zone "321.local" {
    type forward;
    forwarders { <IP_of_custom_dns_for_321.local>; };
};

// Everything else (e.g. eu-central-1.compute.internal) goes to the Amazon-provided
// VPC resolver (VPC CIDR base + 2, or 169.254.169.253)
zone "." IN {
    type forward;
    forwarders { <VPC_DNS_IP_here>; };
};

  1. Route 53 Resolver: AWS provides Route 53 Resolver endpoints that you can configure to forward DNS queries from your VPC to different DNS servers based on domain names. Forwarding Rules: Set up inbound and outbound forwarding rules for 123.local and 321.local, and let the rest of the queries (like eu-central-1.compute.internal) resolve through the default VPC DNS server.

  2. Split-Horizon DNS: DNS Server Handling Multiple Zones: Configure your custom DNS server to handle multiple zones (e.g., 123.local, 321.local) and forward other requests (like eu-central-1.compute.internal) to the AWS DNS.

To handle custom DNS domains in a VPC while still being able to resolve eu-central-1.compute.internal, you should set up a custom DNS server that handles your custom domains and forwards all other DNS queries to the Amazon-provided DNS. You can then create a DHCP options set pointing to this custom DNS server and attach it to your VPC. This setup ensures that all necessary domains can be resolved within your VPC.

AWS
EXPERT
answered 2 years ago
  • Thanks for your answer, but currently I have this setup: EC2 (default DHCP options) and outbound resolvers which point to my DNS server. This is ok, but the problem with this is the cost. Is there any other way that I can reduce the cost? Something like keeping the default DHCP options but adding a rule to the resolver to send the DNS requests to private Route53.

0

DHCP Option Set

Each Region has a default DHCP option set. Each VPC uses the default DHCP option set for its Region unless you either create and associate a custom DHCP option set with the VPC or configure the VPC with no DHCP option set.

The DHCP option Domain name is the search domain a client uses when resolving hostnames via DNS. The client will append the Domain name specified in the DHCP option when doing name resolution for a hostname that is not a fully qualified domain name (FQDN).

Let's take a look at an example.

You are using the VPC Resolver as the DNS server for your client, you create a private hosted zone (PHZ) in Route 53 named 123.local, you associate that PHZ with your VPC, and use 123.local as the DHCP option for Domain name.

Linux will add a line for the search domain in the /etc/resolv.conf. See the example below:

[ec2-user@ip-10-0-1-89 ~]$ cat /etc/resolv.conf 
nameserver 169.254.169.253
search 123.test

When the client does an nslookup for a hostname that is not an FQDN, the system will append the search domain.
If you do an nslookup for "test", the system will actually do the nslookup for test.123.local.

[ec2-user@ip-10-0-1-89 ~]$ nslookup test
Server:         169.254.169.253
Address:        169.254.169.253#53
Non-authoritative answer:
Name:   test.123.local
Address: 10.0.1.100

Changing the Domain name in DHCP does not change the IP name or Resource name created when the instance is launched. When you launch an EC2 instance, it will still be assigned an IP name or Resource name with the domain name eu-central-1.compute.internal.

In the example above, the VPC resolver will be able to resolve the domain name eu-central-1.compute.internal and 123.local. If you add a second private hosted zone named 321.local and associate it with the VPC, you will be able to resolve that domain name in addition to the others.

AWS
answered 2 years ago
  • Thanks for your help, but we do not need to make any change on DHCP options.
