How do I use Route 53 to access an internal version of my website with the same domain name that is used publicly?


I want to use Amazon Route 53 to access an internal version of my website with the same domain name that is used publicly.

Short description

To maintain an internal and external version of the same domain, use Route 53 to configure a split-view DNS. The split-view DNS is also known as a split-horizon.

Resolution

For a Route 53 private hosted zone, DNS queries must come from the Virtual Private Cloud (VPC) DNS server, not a custom DNS server.

To access the internal version of your domain, complete the following steps:

  1. Make sure that DNS resolution and DNS hostnames are turned on for the source VPC.
    Note: DNS hostnames are turned on for default VPCs and custom VPCs created with the VPC wizard in the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. Create a public hosted zone that matches the name of the domain.
  3. Populate the public hosted zone with the required records.
  4. Update your domain registrar's name server records with the name servers provided in your public hosted zone.
  5. Create a private hosted zone that matches the name of the public hosted zone. Then, attach the private hosted zone to the VPC where you want to resolve the domain internally.
    Note: The private zone lookup takes place within the VPC.
  6. Populate the private hosted zone with the required records.
    Note: If a record doesn't exist in the private hosted zone, then the public zone isn't queried.

DNS query responses depend on the request's source. If the request comes from within the VPC, then the responses come from the private hosted zone. If the queries are public, then the answers come from the public hosted zone.

Limitation

If you try to resolve a public DNS record from a VPC that's associated with the private hosted zone, then the DNS query doesn't resolve and you get an NXDOMAIN error. If the record doesn't exist in the private hosted zone, then the DNS query isn't forwarded from the private hosted zone to the public hosted zone.

You can use a workaround to resolve public DNS records from a VPC that's associated with a private hosted zone. To use the workaround, create all the public records in the private hosted zone alongside the private records. Any query for a public DNS record is then answered from the private hosted zone itself.
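The following audit script is an added example, not part of the Knowledge Center article or any AWS tool. It checks the split-view setup from steps 2 to 6 for the gap described in this Limitation: record names and types that exist in the public hosted zone but not in the private one, which return NXDOMAIN from inside the VPC. It compares record sets in the shape boto3 returns; the `example.com` records are constructed sample data, and `fetch_rrsets` (which needs boto3 and AWS credentials) is only there to pull real zones.

```python
"""Find public Route 53 records that a private hosted zone of the same name
does not contain. From a VPC associated with the private zone, those names
return NXDOMAIN because the public zone is never consulted."""


def _key(rrset):
    # Route 53 returns names lowercase with a trailing dot; normalise anyway.
    name = rrset["Name"].lower()
    if not name.endswith("."):
        name += "."
    return name, rrset["Type"]


def find_shadowed_records(public_rrsets, private_rrsets, zone_name):
    """Return sorted (name, type) pairs present in the public zone but absent
    from the private zone. Apex NS and SOA are skipped: each hosted zone has
    its own set and they must not be copied across."""
    apex = zone_name.lower().rstrip(".") + "."
    private_keys = {_key(r) for r in private_rrsets}
    missing = []
    for r in public_rrsets:
        k = _key(r)
        if k[0] == apex and k[1] in ("NS", "SOA"):
            continue
        if k not in private_keys:
            missing.append(k)
    return sorted(missing)


def fetch_rrsets(hosted_zone_id):
    """Fetch every record set of a hosted zone (paginated). Needs boto3 and
    AWS credentials; not used by the constructed sample below."""
    import boto3  # imported lazily so the audit logic runs without boto3
    paginator = boto3.client("route53").get_paginator("list_resource_record_sets")
    rrsets = []
    for page in paginator.paginate(HostedZoneId=hosted_zone_id):
        rrsets.extend(page["ResourceRecordSets"])
    return rrsets


# Constructed sample data (example.com is a placeholder). The private zone
# lacks the apex alias, www and the ACME TXT record, so those three will
# NXDOMAIN for clients inside the VPC until they are copied over.
PUBLIC_RRSETS = [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "example.com.", "Type": "SOA", "ResourceRecords": [{"Value": "ns-1.awsdns-00.com. hostmaster 1 7200 900 1209600 86400"}]},
    {"Name": "example.com.", "Type": "A", "AliasTarget": {"DNSName": "d111111abcdef8.cloudfront.net."}},
    {"Name": "www.example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "example.com."}]},
    {"Name": "api.example.com.", "Type": "A", "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "_acme-challenge.example.com.", "Type": "TXT", "ResourceRecords": [{"Value": '"token"'}]},
]
PRIVATE_RRSETS = [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns-0.awsdns-00.com."}]},
    {"Name": "example.com.", "Type": "SOA", "ResourceRecords": [{"Value": "ns-0.awsdns-00.com. hostmaster 1 7200 900 1209600 86400"}]},
    {"Name": "api.example.com.", "Type": "A", "ResourceRecords": [{"Value": "10.0.1.10"}]},
    {"Name": "db.example.com.", "Type": "A", "ResourceRecords": [{"Value": "10.0.2.20"}]},
]

if __name__ == "__main__":
    for name, rtype in find_shadowed_records(PUBLIC_RRSETS, PRIVATE_RRSETS, "example.com"):
        print(f"missing in private zone: {name} {rtype}")
```

Running it against real zones means calling `fetch_rrsets` for each hosted zone ID and passing both lists to `find_shadowed_records`; an empty result means the workaround is fully in place.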

Related information

Configuring Amazon Route 53 as your DNS service

AWS OFFICIAL
Updated 7 days ago
4 Comments

Is there any way to get around this note? "Note: The public zone isn't queried if a record doesn't exist in the private zone."

Alan
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

Any updates about the question from Alan? This behavior is extremely inconvenient for cases where you want to use both types of the same domain. It seems to me that there should be another way when using the AWS built-in DNS server, for example:

  • A request to a private hosted zone -> getting a record value from the private hosted zone
  • If there is no domain/record in the private hosted zone -> a request to a public hosted zone -> getting a record from the public hosted zone

Sasha
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago