Disabling DNS Recursion within a private zone


A customer is asking how to disable recursive DNS in R53 in re private zones. Any ideas on this?

We would like to use Route53 Private DNS Zone and access that zone from a VPC. All well and good there.

When we use the subnet .2 ip address to resolve internal zones all well and good, however when we resolve an internet address like google.com it also resolves. The problem with this is that DNS can be used as an exfiltration method for sensitive secrets.

How do we turn DNS recursion off for route53 Private DNS zones?

asked 7 years ago866 views
1 Answer
Accepted Answer

Just to clarify Route53 is an authoritative DNS service and not recursive. It is a subtle detail, but important. i.e. if you go to Route53 directly (query name servers with NS records) and try to resolve DNS name other than R53 hosted DNS zone it will refuse. In addition private hosted zone with R53, can be associated with VPC and in that case resources with in VPC may be able to resolve DNS name for private hosted zone via VPC CIDR (2nd IP address) or ( on EC2 host in that VPC).

It the latter that provides DNS recursion and able to resolve R53 private hosted DNS zone or any DNS names such as www.amazon.com. I don't think there is a lot of control on this part, other than simply switch off/on (VPC DNS options enableDnsHostnames, enableDnsSupport set to true/false).

One option could be to setup bunch of DNS forwarders on EC2 instances and use those for forwarding/route DNS queries. Change DHCP option set for VPC and by default it points to EC2 DNS forwarders rather than (VPC CIDR; 2nd IP address). Forward DNS queries such as R53 hosted zone, queries for Amazon DNS domains such as .amazonaws.com (this is used for RDS, ELB etc) to VPC CIDR (2nd IP address) and rest to their own recursive DNS servers(or deny), if possible.

This doesn't prevent for someone with in VPC to go directly to VPC CIDR (2nd IP address) or ( on EC2) and try recursive queries, as long as enableDnsHostnames,enableDnsSupport:true for VPC. So it is obfuscation at best.

answered 7 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions