Amazon DNS server and VPC Primary CIDR block


In the documentation[1][2] it says "For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR."

I had planned out a network topology, but when I read that sentence it now has me wondering if I need to treat that first subnet in the primary CIDR block differently than any other subnet.

I'm trying to understand what that means in relation to the IP address at the network base+2 that's reserved for the AWS DNS server on each subnet. As I understand it, a Subnet can have only one IPv4 CIDR block, so does this mean that if a Subnet is given a CIDR block from a non-primary VPC CIDR then while the network base+2 address is reserved for AWS DNS, there won't be anything there?

Another possible way I can interpret that statement is that if I allocate to a VPC, and then create only one Subnet with CIDR that there might be issues with AWS DNS because there's no subnet containing Or that there might be issues if there was a network containing that IP but access to it from some other subnets is blocked by ACL?

1 Answer
Accepted Answer

Your subnet design is independent of AWS VPC DNS; see the statement below:

The Amazon DNS server does not reside within a specific subnet or Availability Zone in a VPC. It's located at the address (and the reserved IP address at the base of the VPC IPv4 network range, plus two) and fd00:ec2::253. For example, the Amazon DNS Server on a network is located at For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.


AWS
answered a year ago
  • Just mentioning for clarity that this does mean that the subnet containing VPC Primary CIDR base+2 is special, and this should be taken into account with network design.

    For example, with the topology shown at the VPC is, so the DNS server will use the IP, which is located within "Availability Zone 1" / "Private subnet A". If there were ACLs that prevented any of the other subnets from communicating with that subnet then systems on those subnets could only use the IP for the AWS DNS service.
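
The following is an added worked example, not code from the question, the answer or AWS; it uses the standard-library `ipaddress` module to make the point of the answer concrete. The VPC CIDRs (a primary `10.0.0.0/16`, a secondary `100.64.0.0/16`) and the subnet list are constructed for illustration. It computes the resolver address the quoted documentation describes (primary CIDR base+2), the five reserved addresses of each subnet, and which subnet, if any, actually contains the resolver, so that a subnet cut from a secondary CIDR shows a reserved base+2 that hosts nothing. The link-local resolver address `169.254.169.253` and the IPv6 address `fd00:ec2::253` are the documented Amazon DNS addresses that every subnet can use.

```python
import ipaddress
from typing import Optional

# Constructed example topology (not from the post): a VPC with a primary and a
# secondary IPv4 CIDR, and subnets carved from both.
PRIMARY_CIDR = "10.0.0.0/16"
SECONDARY_CIDR = "100.64.0.0/16"
SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "100.64.0.0/24"]

# Amazon DNS addresses that are identical in every VPC and usable from any
# subnet, whichever CIDR block the subnet was allocated from.
AMAZON_DNS_LINK_LOCAL = ipaddress.IPv4Address("169.254.169.253")
AMAZON_DNS_IPV6 = ipaddress.IPv6Address("fd00:ec2::253")


def amazon_dns_address(primary_cidr: str) -> ipaddress.IPv4Address:
    """VPC-scoped address of the Amazon DNS server: primary CIDR base + 2.

    Only the primary CIDR counts; base+2 of a secondary CIDR is reserved in
    whatever subnet contains it but does not answer DNS.
    """
    return ipaddress.IPv4Network(primary_cidr).network_address + 2


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS reserves in every IPv4 subnet, keyed by role."""
    net = ipaddress.IPv4Network(subnet_cidr)
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,
        "dns_reserved": base + 2,   # reserved in every subnet ...
        "future_use": base + 3,     # ... but only the primary-CIDR base+2 is a resolver
        "broadcast": net.broadcast_address,
    }


def dns_host_subnet(primary_cidr: str, subnet_cidrs) -> Optional[str]:
    """Subnet CIDR that contains the VPC resolver address, or None when no
    subnet has been carved over the start of the primary CIDR."""
    dns = amazon_dns_address(primary_cidr)
    for cidr in subnet_cidrs:
        if dns in ipaddress.IPv4Network(cidr):
            return cidr
    return None


def plan_report(primary_cidr: str, subnet_cidrs) -> list:
    """Per-subnet view: the reserved base+2, whether the resolver really lives
    there, and the resolver addresses any host in the subnet can point at."""
    dns = amazon_dns_address(primary_cidr)
    host = dns_host_subnet(primary_cidr, subnet_cidrs)
    report = []
    for cidr in subnet_cidrs:
        reserved = reserved_addresses(cidr)
        report.append({
            "subnet": cidr,
            "reserved_base_plus_2": str(reserved["dns_reserved"]),
            "hosts_resolver": cidr == host,
            "resolver_addresses_usable": [str(dns), str(AMAZON_DNS_LINK_LOCAL)],
        })
    return report


if __name__ == "__main__":
    print("VPC resolver (primary base+2):", amazon_dns_address(PRIMARY_CIDR))
    print("subnet containing it:", dns_host_subnet(PRIMARY_CIDR, SUBNETS))
    secondary_base_plus_2 = ipaddress.IPv4Network(SECONDARY_CIDR).network_address + 2
    print("secondary CIDR base+2", secondary_base_plus_2, "is reserved but is not a resolver")
    for row in plan_report(PRIMARY_CIDR, SUBNETS):
        print(row)
```

Run it as a script and the report shows `hosts_resolver` true only for `10.0.0.0/24`; `100.64.0.0/24` still has `100.64.0.2` reserved with nothing behind it, which is the situation the question asks about. One caveat on the network-ACL scenario in the comment above: AWS documents that network ACLs do not filter traffic to or from the Amazon DNS server, so the check here is about address planning, not about reachability through ACLs.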
