
How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?


I want to configure an Amazon Route 53 Resolver inbound endpoint to resolve records in my private hosted zone from my remote network.

Short Description

Amazon Virtual Private Cloud (Amazon VPC) provides automatic DNS resolution through Route 53 Resolver, which answers queries for the private hosted zones that are associated with the VPC. By default, Resolver accepts queries only from within the VPC. Create an inbound endpoint to give Resolver IP addresses in your VPC that DNS servers on a remote network can forward queries to, so that clients on that network can resolve records in the private hosted zone.

Resolution

To configure an Amazon Route 53 Resolver inbound endpoint so that your remote network can resolve records in a private hosted zone, complete the following steps.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

  1. Turn on the DNS resolution and DNS hostnames attributes (enableDnsSupport and enableDnsHostnames) for the Amazon VPC that you plan to create the inbound endpoint in. Both are required for Resolver to answer queries for a private hosted zone.
  2. Associate the private hosted zone with the Amazon VPC.

If the private hosted zone and Amazon VPC belong to the same AWS account, then complete the following steps:

  1. Open the Route 53 console.
  2. In the navigation pane, choose Hosted Zones.
  3. Choose the private hosted zone that contains the records that you want to query.
  4. Use the search bar to find your Amazon VPC, then choose Associate New VPC.

If the private hosted zone and Amazon VPC are in different AWS accounts, then use the AWS CLI to perform the cross-account association. For more information, see How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?

Whichever account owns the hosted zone, confirm the following before you create the inbound endpoint:

  1. Confirm that the on-premises DNS server sends only recursive queries (queries with the Recursion Desired flag set). The inbound endpoint doesn't answer iterative queries.
  2. Confirm that the route table associated with the subnet where you plan to create the inbound endpoint includes a route to the on-premises network. Without that route, the endpoint can't return responses.
  3. If the subnet uses custom network ACLs, then update the rules to allow the following traffic. Network ACLs are stateless, so both directions must be allowed explicitly:
    Inbound UDP and TCP traffic from the on-premises DNS server to destination port 53.
    Outbound UDP and TCP traffic to the on-premises DNS server on destination port range 1024–65535 (responses go back to the ephemeral source port that the forwarder used).
  4. Configure the security group for the inbound endpoint to allow inbound TCP and UDP traffic on port 53 from the on-premises DNS server IP address. Security groups are stateful, so no outbound rule is needed for the responses.
  5. If a firewall exists between the on-premises network and AWS, then allow TCP and UDP traffic on port 53 between the on-premises DNS server IP addresses and the inbound endpoint IP addresses.
  6. Make sure that the on-premises network reaches the inbound endpoint IP addresses through AWS Direct Connect or AWS Site-to-Site VPN. The endpoint IP addresses are private addresses in your VPC.

Configure the inbound endpoint

To configure the inbound endpoint, complete the following steps:

  1. Open the Route 53 console.
  2. In the navigation pane, choose Inbound endpoints.
  3. In the navigation bar, choose the AWS Region where the Amazon VPC is located.
  4. Choose Create inbound endpoint.
  5. In General settings for inbound endpoint, choose the Amazon VPC that is associated with the private hosted zone. Private hosted zones aren't tied to a Region, but the endpoint is created in the Region of that VPC. Choose a security group that allows inbound UDP and TCP traffic from the remote network on destination port 53.
  6. Choose 2 to 6 IP addresses. Allow Route 53 to select IP addresses from the subnet or specify them. Use IP addresses from at least two Availability Zones.
  7. For each IP address, choose a subnet that meets the following requirements:
    The route table includes routes to the DNS resolver IP addresses on the remote network.
    The network ACL allows UDP and TCP traffic from the remote network on port 53.
    The network ACL allows UDP and TCP traffic to the remote network on destination port range 1024–65535.
  8. (Optional) Complete the Tags section.
  9. Choose Create inbound endpoint.

Note: Route 53 inbound endpoints don't have a fully qualified domain name (FQDN), so the remote DNS server forwards to the endpoint IP addresses directly. When you create the endpoint, Route 53 creates an elastic network interface for each IP address in the subnet that you chose. Queries sent to those IP addresses are answered by Resolver.
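The security group and network ACL requirements in the prerequisites above and in the subnet requirements for each endpoint IP address are easy to get subtly wrong because network ACLs are stateless and evaluate rules in order. The following added Python example (not code from AWS or from this article) checks both against the JSON shapes that `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` return. The security group, network ACL, resource IDs and the on-premises forwarder address 192.168.10.5 are constructed sample data; in a real run, load the output of those commands instead.

```python
import ipaddress

# Constructed sample data in the JSON shape returned by
# `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`.
# Resource IDs and addresses are hypothetical.
ONPREM_DNS = "192.168.10.5"   # on-premises forwarder that sends the queries

SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    ],
}

NETWORK_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "192.168.10.0/24", "PortRange": {"From": 53, "To": 53}},
        {"RuleNumber": 110, "Protocol": "17", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "192.168.10.0/24", "PortRange": {"From": 53, "To": 53}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "192.168.10.0/24", "PortRange": {"From": 1024, "To": 65535}},
        # Deliberate gap: no UDP egress rule for 1024-65535, so UDP answers
        # to the forwarder are dropped while TCP answers get through.
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

PROTO_NUM = {"tcp": "6", "udp": "17"}   # NACL entries carry IANA protocol numbers


def sg_allows(sg, proto, port, source_ip):
    """Security groups are stateful and allow-only: any matching inbound rule
    permits the flow and the reply needs no outbound rule. Only IPv4 CidrIp
    ranges are checked here (not prefix lists or referenced groups)."""
    ip = ipaddress.ip_address(source_ip)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_blocked_ports(acl, egress, proto, lo, hi, remote_ip):
    """Return the (from, to) port sub-ranges of lo..hi that the NACL does not
    allow for one direction, protocol and remote address. Rules are evaluated
    in ascending RuleNumber; the first rule whose protocol, CIDR and port
    range match decides, and anything left unmatched hits the implicit deny."""
    ip = ipaddress.ip_address(remote_ip)
    pending = [(lo, hi)]          # ports that no rule has decided yet
    denied = []
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        rng = e.get("PortRange", {"From": 0, "To": 65535})   # "all traffic" rules carry no range
        still_pending = []
        for a, b in pending:
            x, y = max(a, rng["From"]), min(b, rng["To"])
            if x > y:                                   # rule doesn't touch this interval
                still_pending.append((a, b))
                continue
            if e["RuleAction"] == "deny":
                denied.append((x, y))
            if a < x:
                still_pending.append((a, x - 1))
            if y < b:
                still_pending.append((y + 1, b))
        pending = still_pending
    return sorted(denied + pending)


def check_inbound_endpoint_rules(sg, acl, onprem_dns):
    """List every requirement from the procedure above that is not met."""
    problems = []
    for proto in ("tcp", "udp"):
        if not sg_allows(sg, proto, 53, onprem_dns):
            problems.append(f"security group: inbound {proto}/53 from {onprem_dns} not allowed")
        if nacl_blocked_ports(acl, False, proto, 53, 53, onprem_dns):
            problems.append(f"NACL inbound: {proto}/53 from {onprem_dns} not allowed")
        # Replies return to the forwarder's ephemeral source port, so the
        # stateless NACL needs an explicit outbound rule covering 1024-65535.
        gaps = nacl_blocked_ports(acl, True, proto, 1024, 65535, onprem_dns)
        if gaps:
            problems.append(f"NACL outbound: {proto} to {onprem_dns} blocked on {gaps}")
    return problems
```

To run it against a real subnet, replace the two dictionaries with the parsed output of `aws ec2 describe-security-groups --group-ids sg-... --output json` (take `SecurityGroups[0]`) and `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=subnet-... --output json` (take `NetworkAcls[0]`), and call `check_inbound_endpoint_rules` with the forwarder's address. The sample deliberately omits the UDP outbound rule, so the check reports that UDP answers to the forwarder are blocked while TCP answers pass, an asymmetric failure that is hard to spot by reading the rules.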

Test your configuration

To configure the remote DNS server and test resolution, complete the following steps:

  1. Configure the remote DNS server to forward DNS queries for the private hosted zone's domain name (for example, with a conditional forwarder) to the inbound endpoint IP addresses. Configure more than one endpoint IP address so that the loss of one Availability Zone doesn't stop resolution.
  2. Set the DNS server to forward queries rather than delegate authority for the domain name. A delegation (NS records or a stub zone) typically makes the server send iterative queries, which the endpoint doesn't answer.
  3. Confirm that the remote DNS server sends only recursive DNS queries. If a packet capture shows queries with the Recursion Desired (RD) flag set to 0, then the inbound endpoint doesn't respond; correct the forwarder configuration.
  4. If you use AWS Transit Gateway, then make sure that the inbound endpoint subnet is included in the Transit Gateway VPC attachment and that the subnet's route table sends the on-premises prefixes to the Transit Gateway.
  5. Test resolution for one of the records in the private hosted zone from a client on the remote network.

In the following commands, replace RECORD_NAME and RECORD_TYPE with your relevant values:

  • For Linux or macOS, run dig RECORD_NAME RECORD_TYPE, such as in the following example: dig example.com A
  • For Windows, run nslookup -type=RECORD_TYPE RECORD_NAME, such as in the following example: nslookup -type=A example.com

To separate a forwarder problem from an endpoint problem, query one of the inbound endpoint IP addresses directly from a host on the remote network, replacing ENDPOINT_IP with that address: dig @ENDPOINT_IP RECORD_NAME RECORD_TYPE, or nslookup -type=RECORD_TYPE RECORD_NAME ENDPOINT_IP. If the direct query succeeds but the query through the forwarder fails, then the problem is in the forwarder configuration. If neither succeeds, then check the route, network ACL, security group, and firewall rules described earlier.
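The Recursion Desired check and the direct resolution test above can also be done without dig or nslookup, which is useful when you need to see exactly what is on the wire. The following added Python example (not code from AWS or from this article; standard library only) builds a raw DNS query with the RD flag set or cleared, sends it straight to an inbound endpoint IP address over UDP, and decodes the response header and answer section. `parse_header` also works on the bytes of a query copied out of a packet capture, to confirm whether the forwarder sets RD. The name db.example.com, the answer 10.0.2.20 and SAMPLE_RESPONSE are constructed sample data, and the endpoint address passed to `query_endpoint` is an assumption for your environment.

```python
import secrets
import socket
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}


def build_query(name, rtype="A", rd=True, txid=None):
    """Build a raw DNS query packet. rd=False reproduces the Recursion
    Desired=0 query that the inbound endpoint silently drops."""
    if txid is None:
        txid = secrets.randbits(16)          # unpredictable ID, never a counter
    flags = 0x0100 if rd else 0x0000         # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPES[rtype.upper()], 1)


def parse_header(packet):
    """Decode the 12-byte DNS header of a query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 0 = query, 1 = response
        "rd": bool(flags & 0x0100),   # Recursion Desired; must be 1 for the endpoint
        "ra": bool(flags & 0x0080),   # Recursion Available, set by Resolver
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an,
    }


def _read_name(packet, offset):
    """Read a possibly compressed name; return (name, offset after it).
    The hop counter stops a malicious compression-pointer loop."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                       # resume after the pointer
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(packet):
    """Return [(name, type, ttl, value)] for the answer section."""
    hdr = parse_header(packet)
    offset = 12
    for _ in range(hdr["qdcount"]):
        _, offset = _read_name(packet, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["ancount"]):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return answers


def query_endpoint(endpoint_ip, name, rtype="A", rd=True, timeout=2.0):
    """Send one query straight to an inbound endpoint IP over UDP/53, bypassing
    the forwarder. Returns (header, answers), or None on timeout, which is what
    RD=0, a missing security group/NACL rule or a missing route looks like."""
    q = build_query(name, rtype, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (endpoint_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"] or not hdr["qr"]:
        return None                                    # not the reply to our query
    return hdr, parse_answers(data)


# Constructed response (not a real capture): NOERROR, RD and RA set, one A record.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"                  # header
    b"\x02db\x07example\x03com\x00\x00\x01\x00\x01"                       # question: db.example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x0a\x00\x02\x14"  # answer: TTL 60, 10.0.2.20
)
```

From a host on the remote network, `query_endpoint("ENDPOINT_IP", "db.example.com", rd=True)` should return a header with qr, rd and ra set and rcode 0, followed by the answer list; the same call with rd=False should time out and return None, which is the behaviour described in step 3. A consistent timeout with rd=True points at a route, network ACL, security group or firewall problem rather than a DNS one, and `parse_header` run over a query taken from a capture on the forwarder tells you directly whether it set RD.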

Related information

Resolving DNS queries between VPCs and your network

Forwarding outbound DNS queries to your network

Managing outbound endpoints

How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?

AWS OFFICIAL. Updated 10 months ago