DNS resolution with forwarding rule and PHZ


I have a scenario that involves a DNS resolution challenge in a hybrid infrastructure setup. I have configured a forwarding rule for all ".local" domains to the on-premises DNS server (x.x.x.x), while simultaneously maintaining an AWS Route 53 private hosted zone for "aws.local" with an A record pointing to y.y.y.y. When executing "dig aws.local", the query returns the y.y.y.y IP from the PHZ instead of the on-premises DNS record (x.x.x.x). I have seen in the docs that the forwarding rule takes precedence over the AWS private hosted zone configuration. Why is it using the PHZ then?

AWS
asked 14 days ago · 37 views
2 Answers
Accepted Answer

You are correct in the sense that a forwarding rule takes priority over a private hosted zone for a domain.

In your case you have this setup:

  • .local ----> x.x.x.x (forwarding rule)
  • aws.local ---> y.y.y.y (PHZ; that is, the query is answered via the Route 53 Resolver)

But you also have to remember that if there are multiple rules for the domain, the more specific rule gets preference. In this case, since you are resolving aws.local and not any other *.local subdomain, the most specific rule is the one defined by the PHZ. Thus it is expected to resolve to the y.y.y.y IP.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html#resolver-overview-forward-vpc-to-network

AWS
answered 14 days ago
EXPERT
reviewed 14 days ago

In your scenario, the behavior you're observing where the Route 53 private hosted zone (PHZ) for "aws.local" is taking precedence over the forwarding rule for ".local" domains is actually the expected behavior, contrary to what you may have read.

The Route 53 Resolver follows a specific order of precedence when resolving DNS queries. Private hosted zones directly associated with the VPC where the Route 53 Resolver is operating take the highest precedence. This means that if you have a private hosted zone for "aws.local" associated with your VPC, it will be consulted before any forwarding rules are applied.

The forwarding rule for ".local" domains would only come into play if there wasn't a more specific match in a directly associated private hosted zone. In your case, since you have a specific private hosted zone for "aws.local", it's more specific than the general ".local" forwarding rule, so it takes precedence.

This behavior ensures that you have fine-grained control over your DNS resolution within your AWS environment. It allows you to override general forwarding rules with specific entries in your private hosted zones when needed.

If you want the query for "aws.local" to be forwarded to your on-premises DNS server, you would need to either:

  1. Remove the "aws.local" private hosted zone from your VPC.
  2. Create a more specific forwarding rule for "aws.local" that points to your on-premises DNS server.
  3. Adjust your DNS architecture to meet your specific requirements, possibly by using a different domain name for your AWS resources.

Remember, when troubleshooting DNS issues in hybrid environments, it's crucial to consider the entire DNS resolution path and the precedence rules that Route 53 Resolver follows.
Sources
Streamline DNS management for AWS PrivateLink deployment with Amazon Route 53 Profiles | Networking & Content Delivery
Hybrid Cloud DNS Options for Amazon VPC

answered 14 days ago
EXPERT
reviewed 14 days ago
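Both answers above describe the same selection logic: among the forwarding rules and private hosted zones that cover a queried name, the one with the longest matching domain (the most labels) wins, so the "aws.local" PHZ beats the ".local" rule. The following Python model is an added illustration and is not code from the thread or from AWS. It implements that longest-suffix match over a constructed rule set matching the question, and it lets you try the remediation options from the second answer. One assumption is labelled in the code: when a forwarding rule and a PHZ cover exactly the same domain, the model lets the rule win, as the accepted answer states; the thread never shows a query that exercises that tie.

```python
"""Model of Route 53 Resolver precedence between forwarding rules and PHZs.

Added illustration, not code from the thread. Longest-suffix match is what
both answers describe. The tie-break for a rule and a PHZ on the *same*
domain (rule wins) follows the accepted answer and is an ASSUMPTION of this
model; the thread does not demonstrate it with a query.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    kind: str    # "forward" (Resolver forwarding rule) or "phz" (private hosted zone)
    domain: str  # domain the rule or zone covers, e.g. "local" or "aws.local"
    dest: str    # where the query goes: on-prem resolver IP, or the zone name


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def _covers(domain: str, name: str) -> bool:
    """True if `name` equals `domain` or lies underneath it (label-wise suffix)."""
    d, n = _labels(domain), _labels(name)
    return len(n) >= len(d) and n[-len(d):] == d


# ASSUMPTION (per the accepted answer): on an exact domain tie, a rule beats a PHZ.
KIND_PRIORITY = {"forward": 1, "phz": 0}


def resolve(name: str, targets: list[Target]) -> tuple[str, str]:
    """Pick the most specific covering target; with no match, fall back to
    Resolver's default recursive (Internet) resolution."""
    matches = [t for t in targets if _covers(t.domain, name)]
    if not matches:
        return ("recursive", "internet")
    best = max(matches, key=lambda t: (len(_labels(t.domain)), KIND_PRIORITY[t.kind]))
    return (best.kind, best.dest)


# Constructed sample reproducing the question: ".local" is forwarded on-prem,
# and a PHZ for "aws.local" (whose apex A record is y.y.y.y) is associated.
ON_PREM = "x.x.x.x"
SETUP = [
    Target("forward", "local", ON_PREM),
    Target("phz", "aws.local", "aws.local"),
]


def question_scenario() -> tuple[str, str]:
    # "dig aws.local": the 2-label PHZ is more specific than the 1-label rule,
    # so the PHZ answers (with its apex record, y.y.y.y in the question).
    return resolve("aws.local", SETUP)


def sibling_scenario() -> tuple[str, str]:
    # Any other *.local name only matches the forwarding rule.
    return resolve("db.corp.local", SETUP)


def option1_scenario() -> tuple[str, str]:
    # Second answer, option 1: remove the PHZ association.
    return resolve("aws.local", [t for t in SETUP if t.kind != "phz"])


def option2_scenario() -> tuple[str, str]:
    # Second answer, option 2: add an "aws.local" rule to on-prem.
    # Relies on the tie-break assumption above.
    return resolve("aws.local", SETUP + [Target("forward", "aws.local", ON_PREM)])


if __name__ == "__main__":
    for label, fn in [("aws.local", question_scenario), ("db.corp.local", sibling_scenario),
                      ("option 1", option1_scenario), ("option 2", option2_scenario)]:
        print(f"{label:14s} -> {fn()}")
```

Names under the PHZ but without a record (for example "api.aws.local") are still routed to the PHZ by this logic and get NXDOMAIN from it rather than being forwarded, which is the usual surprise when a hosted zone name sits inside a forwarded parent domain. Note also that `_covers` compares whole labels, so a rule for "local" does not capture a name like "mylocal".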
