How can I allow access only via FQDN to instances from another directory service domain?

0

I want to create an environment with two directory services and several EC2 instances in those domains.

  • The EC2 instances should be able to address other EC2 instances in the same domain via hostname.
  • Whereas the EC2 instances from the other domain need to use the FQDN to address the EC2 instances of the first domain, and vice versa.

I tried creating a trust relationship between the two directory services, but that enables all EC2 instances to use only the hostname to address instances from any domain.

Is there a way to configure this requirement with AWS directory services?

Asked 7 months ago, 216 views
1 answer
0

Hello! If I understand you correctly, you have this scenario:

  1. You have two directories, let's call them a.local and b.local.
  2. You need computers joined to a.local to resolve hostnames in b.local and vice versa.

Operating systems use the concept of DNS suffixes (Windows) or DNS search order (UNIX-like OS). This is what allows a computer to request the DNS name "server" and have it automatically converted to a FQDN using a suffix (i.e. a.local). So when querying "server", the OS is actually querying server.a.local. You can check this behavior with any packet capture software. You can add several suffixes. For example, in Windows you can do this in the network interface adapter.

So, in order to get this working, you need two things:

  1. Add the new suffixes to your clients (machines)
  2. Ensure that both DNS servers (i.e. domain controllers) can resolve each other's resources.

For 2), this depends on the DNS IP addresses you are using:

  1. If you are using the domain controllers' IP addresses, you need to add conditional forwarders [1].
  2. If you are using Route 53, you need to create outbound DNS resolvers [2]. I suggest reading this AWS blog [3] for a deeper understanding of how to integrate DNS between AD and Route 53.

Have a great day ahead!

[1] https://woshub.com/dns-conditional-forwarding-policy-windows-server/
[2] https://repost.aws/knowledge-center/route53-resolve-with-outbound-endpoint
[3] https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/

AWS
Support Engineer
Answered 7 months ago
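The two pieces the answer names (a suffix search list on the client, and forwarding between the two domains' DNS servers) can be modelled to see which names resolve under each setting, including the original poster's case where short names should only work inside the client's own domain. This is an added, deliberately simplified Python model with constructed zone data (a.local and b.local as in the answer); it is not code from the answer or from AWS, and it ignores caching, recursion and the other details of a real resolver.

```python
# Constructed zone data: each domain's DNS server (its domain controller) is
# authoritative only for its own zone. Addresses are made up for this example.
ZONES = {
    "a.local": {"dc1.a.local": "10.0.0.10", "app1.a.local": "10.0.0.21"},
    "b.local": {"dc1.b.local": "10.1.0.10", "db1.b.local": "10.1.0.33"},
}


def lookup(fqdn, zones, forwarders):
    """Server-side step: answer from a local zone, else from a conditional
    forwarder for the other domain (modelled here as direct zone access)."""
    fqdn = fqdn.rstrip(".").lower()
    for zone, records in zones.items():
        if fqdn == zone or fqdn.endswith("." + zone):
            return records.get(fqdn)
    for zone, records in forwarders.items():
        if fqdn.endswith("." + zone):
            return records.get(fqdn)
    return None


def resolve(name, suffix_search_list, zones, forwarders):
    """Client-side suffix search (simplified): a name ending in '.' is absolute;
    a dotted name is tried as-is first; every suffix is then appended in order.
    Returns (address, fqdn_that_answered) or (None, None)."""
    name = name.lower()
    if name.endswith("."):
        candidates = [name]
    else:
        candidates = [name] if "." in name else []
        candidates += [f"{name}.{suffix}" for suffix in suffix_search_list]
    for candidate in candidates:
        addr = lookup(candidate, zones, forwarders)
        if addr:
            return addr, candidate.rstrip(".")
    return None, None


def scenario(client_domain, suffixes, forwarding):
    """Return a resolver for a client joined to `client_domain` whose DNS server
    is that domain's DC, with or without a conditional forwarder to the other
    domain and with the given suffix search list."""
    other = "b.local" if client_domain == "a.local" else "a.local"
    zones = {client_domain: ZONES[client_domain]}
    forwarders = {other: ZONES[other]} if forwarding else {}
    return lambda name: resolve(name, suffixes, zones, forwarders)
```

With only the client's own suffix plus forwarding, "db1" fails while "db1.b.local" resolves (the FQDN-only behaviour asked for); adding b.local to the suffix list makes the short name resolve too, and without forwarding even the FQDN fails.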
