You cannot do this. If the zone apex is the same for private and public zones (domain.com and domain.com), and the record is not in the internal zone, it will return NXDOMAIN. From the documentation:
If there's a private hosted zone name that matches the domain name in the request, the hosted zone is searched for a record that matches the domain name and DNS type in the request, such as an A record for accounting.example.com.
Note:
If there's a matching private hosted zone but there's no record that matches the domain name and type in the request, Resolver doesn't forward the request to a public DNS resolver. Instead, it returns NXDOMAIN (non-existent domain) to the client.
The documentation here indicates that if a record is duplicated in the public and private host zones, it will be transferred to the zone with the best match.
In other words, if a record is not registered in the private host zone, it is supposed to query the public host zone.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-considerations.html
Public and private hosted zones that have overlapping namespaces
If you have private and public hosted zones that have overlapping namespaces, such as example.com and accounting.example.com, Resolver routes traffic based on the most specific match. When users are logged into an EC2 instance in an Amazon VPC that you have associated with the private hosted zone, here's how Route 53 Resolver handles DNS queries:
Resolver evaluates whether the name of the private hosted zone matches the domain name in the request, such as accounting.example.com. A match is defined as either of the following:
An identical match
The name of the private hosted zone is a parent of the domain name in the request. For example, suppose the domain name in the request is the following:
seattle.accounting.example.com
The following hosted zones match because they're parents of seattle.accounting.example.com:
accounting.example.com
example.com
If there's no matching private hosted zone, then Resolver forwards the request to a public DNS resolver, and your request is resolved as a regular DNS query.
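A small model of the matching rules quoted above, added here as an example (it is not AWS code or anything posted in this thread). The zones and records are constructed for illustration; besides resolving a single query, it lists which public names a VPC client would lose to NXDOMAIN because a private zone covers them without holding the record.

```python
"""Model of how Route 53 Resolver picks a private hosted zone (added example,
not AWS code). Zone and record data below are constructed for illustration."""

PRIVATE_ZONES = {
    "example.com.": {("app.example.com.", "A"): "10.0.1.10"},
    "accounting.example.com.": {("ledger.accounting.example.com.", "A"): "10.0.2.20"},
}
PUBLIC_ZONE = {
    ("www.example.com.", "A"): "203.0.113.10",
    ("app.example.com.", "A"): "203.0.113.11",
    ("ledger.accounting.example.com.", "A"): "203.0.113.12",
    ("seattle.accounting.example.com.", "A"): "203.0.113.13",
}


def _fqdn(name):
    """Normalise a name to lower-case with a trailing dot."""
    return name.lower() if name.endswith(".") else name.lower() + "."


def matching_private_zone(qname, private_zones):
    """Most specific private zone whose name equals qname or is a parent of it."""
    qname = _fqdn(qname)
    candidates = [z for z in private_zones if qname == z or qname.endswith("." + z)]
    return max(candidates, key=len) if candidates else None


def resolve(qname, qtype, private_zones, public_zone):
    """Returns ('private', rdata), ('NXDOMAIN', None) or ('public', rdata-or-None)."""
    qname = _fqdn(qname)
    zone = matching_private_zone(qname, private_zones)
    if zone is not None:
        rdata = private_zones[zone].get((qname, qtype.upper()))
        # A matching private zone with no such record never falls through to public DNS.
        return ("private", rdata) if rdata is not None else ("NXDOMAIN", None)
    return ("public", public_zone.get((qname, qtype.upper())))


def shadowed_public_records(private_zones, public_zone):
    """Public names VPC clients can no longer reach: a private zone covers the
    name but holds no record for it, so the resolver answers NXDOMAIN."""
    return sorted(name for (name, qtype) in public_zone
                  if resolve(name, qtype, private_zones, public_zone)[0] == "NXDOMAIN")
```

Run `shadowed_public_records` against your own zone exports before associating a private zone with a VPC; every name it returns needs a record in the private zone (or a different zone layout) to stay reachable.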
It looks like a route table configuration issue. Create 2 subnets, public and private, then in the route table edit Subnet associations, e.g. the public route table has public IPs and the private one has private IPs, and give an internet gateway to the public route table. It will resolve this issue.
Well, this is a DNS query, not a standard HTTP request ...
True, but look at the point below. In my case the domain matches.
If there's a private hosted zone name that matches the domain name in the request, the hosted zone is searched for a record that matches the domain name and DNS type in the request, such as an A record for accounting.example.com.
Note: If there's a matching private hosted zone but there's no record that matches the domain name and type in the request, Resolver doesn't forward the request to a public DNS resolver. Instead, it returns NXDOMAIN (non-existent domain) to the client.
If some records match in the private and public host zones, it is best to change one of the records so that they do not match. Is there any reason why this cannot be changed so that the records do not match, etc.?
It's impossible. We can't change anything ...
Is it possible to change the private host zone as well? If it cannot be changed, it is honestly impossible.
No, as it's a VPN solution: our client has a public DNS zone and we "mimic" his private DNS zone so that every person who connects via the VPN doesn't need to modify "hosts" files. We cannot forward DNS queries to the client's DNS server either ...