Networking & Content Delivery

Active Directory Domain Services integration with Amazon Route 53

Anyone who has worked with Microsoft Active Directory Domain Services (AD DS) and domain-joined workloads in the past likely knows how critical proper DNS resolution is to healthy operations. Even if you haven’t worked with AD DS workloads, if you are reading this post, you have likely heard of some outage that was caused by DNS throughout your career that highlights the importance of DNS in modern architectures. In this post, we explore best practices for integrating Amazon Route 53 with AD DS.

Proper DNS resolution across AD DS joined systems is particularly critical. AD DS uses DNS for service discovery, enabling client systems to find the specific AD DS services they require for operation, such as domain controllers or global catalog servers. To identify the target service, client systems query their configured DNS servers for the relevant SRV resource record. Moreover, the SRV records themselves are created and updated using dynamic DNS updates against those same configured DNS servers. Reverse DNS matters too: depending on the application, the server validates a client's hostname with a reverse (PTR) lookup when the client connects. This all makes it critical that DNS resolution and registration work properly, and it also means that whichever resolver answers these queries effectively decides which domain controller a client trusts.

In the past, to ensure that DNS registration and resolution worked properly for domain-joined systems, it was common to see customers create a DHCP (Dynamic Host Configuration Protocol) options set for their VPCs (Virtual Private Clouds) that pointed instances directly at Amazon Elastic Compute Cloud (Amazon EC2) instances running Windows DNS. They would then use conditional forwarders on those DNS servers to send requests for Route 53 hosted zones to the Amazon Route 53 Resolver (previously called the VPC resolver, and often referred to as the .2 resolver because of its address) local to the VPC in which the EC2 instance running the AD DS DNS service lives. While this configuration is simple to understand, it bypasses the distributed VPC resolver and concentrates all the DNS requests for a VPC or set of VPCs onto a single instance, which becomes both a throughput bottleneck and a single point of failure. You can see a representation of this approach in Figure 1. However, since Route 53 Resolver endpoints and rules were introduced in late 2018, customers can integrate their AD DS DNS with the Route 53 Resolver without introducing these challenges.

Figure 1: Showing DNS resolution where DHCP is pointed at AD domain controllers

A hybrid cloud environment typically refers to one or more VPCs with private IP connectivity to one or more traditional networks, such as an on-premises network, using for example a VPN or AWS Direct Connect connection. Route 53 Resolver endpoints create a consistent view of DNS across a hybrid cloud network, so DNS resolution can flow from on-premises to VPC or from VPC to on-premises. Inbound endpoints allow your on-premises DNS resolvers to forward some or all DNS queries across the private link to the Route 53 Resolver in your VPCs. Outbound endpoints and forwarding rules allow you to configure the Route 53 Resolver to forward certain queries back to the resolvers for your on-premises network. As in the case of Active Directory, the DNS resolver you need to integrate with sometimes runs in the same VPC, and the same mechanism applies.

Resolving your Active Directory domain service using Route 53 Resolver endpoints

In this post, we describe a simple environment with a single AD DS domain supporting three VPCs: prod, dev, and shared services. However, the concepts easily scale to support the complexities of real-world environments. The domain for all AWS based zones is aws.example.com, and the domain for all zones hosted on the AD DS DNS infrastructure is ad.example.com. There is one AD server running in each Availability Zone of the shared services VPC. This environment is depicted in Figure 2.

Figure 2: Showing DNS resolution where DHCP is pointed at AmazonProvidedDNS and subsequently routed to a central Route 53 Resolver through outbound endpoints and forwarding rules

Solution overview

For this environment, we use the default DHCP options set, which configures resources within a given VPC to use the Amazon provided DNS known as AmazonProvidedDNS. In this configuration, resources reach the Route 53 Resolver at the VPC's reserved resolver address (the VPC network address plus two, for example 10.0.0.2 in a 10.0.0.0/16 VPC), at the link-local IPv4 address 169.254.169.253, or at the IPv6 address fd00:ec2::253. By default, the Route 53 Resolver automatically answers DNS queries for:

  • Local VPC domain names for EC2 instances (for example, ip-192-168-2-44.us-west-2.compute.internal).
  • Records in private hosted zones associated with the VPC (for example, aws.example.com).
  • Public domain names, by performing recursive lookups against public name servers on the internet.

However, through the use of Resolver endpoints and rules, you can additionally configure your Route 53 Resolver to forward DNS queries to your cloud AD DS DNS servers. We configure an outbound endpoint that handles the forwarding of DNS queries for the AD fully qualified domain name (FQDN) from our VPCs to the IP addresses of the AD DS. This is accomplished by configuring a Resolver rule to direct any queries for the domain ad.example.com to the appropriate AD DS DNS server IP addresses.

Create outbound endpoint

  1. On the Route 53 console, select Outbound endpoints from the left menu and then choose Create outbound endpoint.
  2. Specify the VPC in which your AD DS domain lives: shared services.
  3. Select or create a security group that allows all inbound and outbound traffic to and from 0.0.0.0/0 and ::/0. Creating more specific rules is possible, but a group that is not allow-all in both directions makes the endpoint's traffic subject to security group connection tracking, which reduces the number of requests the endpoint can service (see security group connection tracking in the Amazon EC2 User Guide). If you do tighten the group, an outbound endpoint only needs egress on UDP and TCP port 53 to the AD DS DNS server IP addresses; keep TCP, since truncated UDP answers are retried over TCP.
  4. Choose an Endpoint Type (IPv4, IPv6, or Dual-stack) and choose a protocol in Protocols for this endpoint.

Do53 is the default protocol for Route 53 Resolver endpoints: queries are relayed as plain DNS over UDP and TCP port 53 without additional encryption, so the forwarded traffic is protected only by the private connectivity it travels over. DNS over HTTPS (DoH) can be selected instead where the target DNS servers support it; for targets that only speak plain DNS, Do53 is the option to choose.

Figure 3: General configuration settings for the new outbound endpoint

  5. Specify two IP addresses in separate Availability Zones through which your Resolver forwards DNS queries on the way to your AD resolvers. The number of IP addresses required for your environment depends on query volume: each outbound endpoint IP address has a quota of 10,000 UDP queries per second (QPS). You can find more information on the quota and sizing in the Amazon Route 53 Developer Guide.

A minimum of two IP addresses are required for redundancy and should generally be deployed in different Availability Zones.

Figure 4: IP address configuration settings for the new outbound endpoint

Create Resolver rules

  1. On the Route 53 console, select Rules from the left menu and then choose Create rule.
  2. Create a forwarding rule for the domain of your Active Directory DNS name, for example, ad.example.com.
  3. Associate the rule with the VPCs from which these DNS queries should be forwarded: prod, dev, and shared services.
  4. Specify the outbound endpoint created in the previous step; it receives the queries and routes them to the IP addresses of the AD DNS servers you select.

Figure 5: General configuration settings for the new forward Resolver rule

  5. Specify the target IP addresses of the AD DNS servers in each Availability Zone for the queries to be forwarded to.

Figure 6: Target IP addresses for the new forward Resolver rule

  6. Create a second and third forwarding rule by following the previous steps for the appropriate in-addr.arpa and ip6.arpa domains to handle reverse DNS. Since you want to service the reverse zones for all of 10.0.0.0/8 and 2001:db8::/32 from AD DS, use 10.in-addr.arpa and 8.b.d.0.1.0.0.2.ip6.arpa.

Given that the CIDR blocks of the dev, prod, and shared services VPCs are 10.0.0.0/16, 10.1.0.0/16, and 10.2.0.0/16, the 10.in-addr.arpa rule is less specific than the reverse DNS rules Route 53 automatically creates for each VPC CIDR. Resolver applies the most specific matching rule, so those autodefined rules would win and reverse lookups for your VPC address space would never reach AD DS; you therefore need to disable automatic creation of reverse zones for your VPCs in Route 53. The same applies to the IPv6 reverse domain.

Figure 7: Configuration settings for the Resolver rules handling reverse DNS

Disable autodefined reverse DNS resolution on VPCs

  1. On the Route 53 console, select VPCs from the left menu and then select each VPC.
  2. Scroll to the bottom of the page and clear the check box Enable autodefined reverse DNS resolution on this VPC.

This can also be done programmatically, or you can use Route 53 Profiles to manage these settings at scale. You can learn more in the Networking & Content Delivery Blog post Using Amazon Route 53 Profiles for scalable multi-account AWS environments.

Figure 8: Configuration settings for disabling autodefined reverse DNS resolution
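The following Python script is an added example (not code from the original post) that covers the Resolver rule steps above, the reverse-zone rules, and the programmatic form of disabling autodefined reverse DNS. It derives the in-addr.arpa and ip6.arpa zone names from the prefixes AD DS is authoritative for, builds the create_resolver_rule parameters for the forward and reverse rules, and works out which VPCs have autodefined reverse zones that would shadow the custom rules. All values in CONFIG (VPC IDs, AD DS server IPs, the outbound endpoint ID) are placeholders, the shape of the autodefined zones is an assumption stated in the code, and the apply() function assumes boto3 with credentials; the planning functions run offline.

```python
"""Plan the Route 53 Resolver forwarding rules for ad.example.com and the reverse zones
AD DS serves, and find the VPCs whose autodefined reverse DNS rules would shadow the
custom 10.in-addr.arpa / ip6.arpa rules.  This is an added example, not code from the
original post; every value in CONFIG (VPC IDs, AD DS server IPs, endpoint ID) is an
assumed placeholder."""
import ipaddress
from typing import Dict, List

CONFIG = {
    "ad_domain": "ad.example.com",
    "ad_dns_servers": ["10.2.0.10", "10.2.1.10"],           # assumed: one AD DS DNS server per AZ
    "outbound_endpoint_id": "rslvr-out-0123456789abcdef0",  # placeholder outbound endpoint ID
    "reverse_prefixes": ["10.0.0.0/8", "2001:db8::/32"],    # address space AD DS holds PTRs for
    "vpcs": {                                               # placeholder VPC IDs -> CIDR blocks
        "vpc-dev": ["10.0.0.0/16"],
        "vpc-prod": ["10.1.0.0/16"],
        "vpc-shared": ["10.2.0.0/16", "2001:db8:1::/56"],
    },
}


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa / ip6.arpa zone that covers exactly this block.
    Reverse zones are cut on octet (IPv4) or nibble (IPv6) boundaries, so
    10.0.0.0/8 -> 10.in-addr.arpa and 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    step = 8 if net.version == 4 else 4
    if net.prefixlen == 0 or net.prefixlen % step:
        raise ValueError(f"{cidr}: prefix length must be a non-zero multiple of {step}")
    if net.version == 4:
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        labels = list(net.network_address.exploded.replace(":", "")[: net.prefixlen // 4])
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def autodefined_reverse_zones(cidr: str) -> List[str]:
    """Reverse zones Resolver answers for a VPC CIDR out of the box (the autodefined rules).
    Assumption, not from the post: the prefix is rounded up to the next label boundary
    (at most /24 for IPv4) and one zone is created per resulting block, so
    10.0.0.0/23 -> 0.0.10.in-addr.arpa and 1.0.10.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    step, cap = (8, 24) if net.version == 4 else (4, 128)
    target = min(-(-net.prefixlen // step) * step, cap)
    if target < net.prefixlen:  # a /28, say, is covered by its enclosing /24 zone
        return [reverse_zone(str(net.supernet(new_prefix=target)))]
    return [reverse_zone(str(sub)) for sub in net.subnets(new_prefix=target)]


def is_shadowed(custom_zone: str, vpc_zone: str) -> bool:
    """True when the VPC's autodefined zone sits below the custom zone: Resolver picks the
    most specific matching rule, so the autodefined one would win."""
    return vpc_zone.endswith("." + custom_zone)


def vpcs_needing_autodefined_reverse_disabled(config: Dict) -> List[str]:
    """VPC IDs that need AutodefinedReverseFlag=DISABLE for the custom reverse rules to apply."""
    custom = [reverse_zone(p) for p in config["reverse_prefixes"]]
    hits = []
    for vpc_id, cidrs in config["vpcs"].items():
        zones = [z for c in cidrs for z in autodefined_reverse_zones(c)]
        if any(is_shadowed(cz, vz) for cz in custom for vz in zones):
            hits.append(vpc_id)
    return hits


def target_ips(addresses: List[str]) -> List[Dict]:
    """TargetIps entries; IPv6 targets use the Ipv6 key, IPv4 targets the Ip key."""
    return [{"Ipv6" if ipaddress.ip_address(a).version == 6 else "Ip": a, "Port": 53}
            for a in addresses]


def build_rules(config: Dict) -> List[Dict]:
    """create_resolver_rule parameters: one FORWARD rule for the AD domain, one per reverse zone."""
    domains = [config["ad_domain"]] + [reverse_zone(p) for p in config["reverse_prefixes"]]
    return [{
        "CreatorRequestId": f"adds-{d}",           # idempotency token for the API call
        "Name": "adds-" + d.replace(".", "-"),     # rule names allow letters, digits, - and _
        "RuleType": "FORWARD",
        "DomainName": d,
        "ResolverEndpointId": config["outbound_endpoint_id"],
        "TargetIps": target_ips(config["ad_dns_servers"]),
    } for d in domains]


def apply(config: Dict) -> None:
    """Push the plan with boto3 (imported here so the planning functions run offline)."""
    import boto3
    r53r = boto3.client("route53resolver")
    for rule in build_rules(config):
        rule_id = r53r.create_resolver_rule(**rule)["ResolverRule"]["Id"]
        for vpc_id in config["vpcs"]:
            r53r.associate_resolver_rule(ResolverRuleId=rule_id, VPCId=vpc_id, Name=rule["Name"])
    for vpc_id in vpcs_needing_autodefined_reverse_disabled(config):
        r53r.update_resolver_config(ResourceId=vpc_id, AutodefinedReverseFlag="DISABLE")


if __name__ == "__main__":
    for rule in build_rules(CONFIG):
        print(f'{rule["DomainName"]:>28} -> {[t.get("Ip") or t.get("Ipv6") for t in rule["TargetIps"]]}')
    print("disable autodefined reverse DNS on:", vpcs_needing_autodefined_reverse_disabled(CONFIG))
```

Run it without arguments to see the plan; call apply(CONFIG) only once you have reviewed the printed rules, because associating a 10.in-addr.arpa rule to a VPC before its autodefined reverse DNS is disabled silently leaves the autodefined answers in place.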

Enabling hybrid DNS resolution

Now that you have configured Route 53 to forward DNS queries for the ad.example.com domain to the AD DS DNS servers, you need to ensure the systems that use the AD DS DNS servers for DNS directly (that is, systems running outside AWS) can resolve queries for the private hosted zones in Route 53 (aws.example.com). You can do this by adding inbound Route 53 Resolver endpoints and configuring conditional forwarders on the AD DS DNS servers.

Figure 9: Showing added hybrid connectivity through on-premises conditional forwarding and inbound endpoints

Create inbound resolver endpoint

  1. On the Route 53 console, select Inbound endpoints from the left menu and choose Create inbound endpoint.
  2. Select the VPC where your AD DS DNS servers reside: shared services.
  3. Choose the subnets in which to create the endpoints. For high availability, create endpoints across multiple Availability Zones. The same sizing considerations as outbound endpoints apply to the inbound endpoints.
  4. Select or create a security group. As with the outbound endpoint, an allow-all group (0.0.0.0/0 and ::/0 in both directions) avoids connection tracking; if you restrict it instead, the inbound endpoint needs ingress on UDP and TCP port 53 from the addresses of the on-premises DNS servers that will forward to it. Keep in mind that the security group is the access control in front of an inbound endpoint: anything with network reachability to it can send it queries.
  5. Review and create the inbound endpoints.

Figure 10: Configuration settings for the new inbound endpoint
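The following Python script is an added example (not code from the original post) that covers both endpoint procedures, the outbound endpoint created earlier and the inbound endpoint above. It sizes the number of endpoint IP addresses from the 10,000 QPS per IP quota cited in the post with a minimum of two, spreads them across Availability Zones, builds the create_resolver_endpoint parameters, and shows the allow-all security group beside a restricted DNS-only alternative. Subnet IDs, AZ names, security group IDs, peer addresses, the headroom factor and the QPS figures are assumed placeholders; apply() assumes boto3 with credentials, while the planning functions run offline.

```python
"""Plan Route 53 Resolver endpoints: how many IP addresses, spread over which subnets, and
the security-group rules in front of them.  Serves the outbound endpoint towards AD DS and
the inbound endpoint that on-premises forwarders query.  Added example, not code from the
original post; subnet IDs, AZ names, security group IDs, peer addresses and QPS figures
are assumed placeholders."""
import ipaddress
import math
from typing import Dict, Iterable, List

QPS_PER_ENDPOINT_IP = 10_000   # quota the post cites: UDP queries per second per endpoint IP

# Assumed shared-services subnets across two Availability Zones (one AD DS DNS server in each)
SUBNETS = [
    {"SubnetId": "subnet-a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-a2", "AvailabilityZone": "us-east-1a"},
]


def ips_required(peak_qps: int, headroom: float = 0.5) -> int:
    """Endpoint IPs needed for peak_qps plus headroom; never fewer than two, so that losing
    one Availability Zone does not take forwarding down."""
    if peak_qps < 0:
        raise ValueError("peak_qps must not be negative")
    return max(2, math.ceil(peak_qps * (1 + headroom) / QPS_PER_ENDPOINT_IP))


def choose_subnets(subnets: List[Dict], count: int) -> List[Dict]:
    """Place `count` IPs round-robin across Availability Zones; refuse a single-AZ layout."""
    by_az: Dict[str, List[Dict]] = {}
    for s in subnets:
        by_az.setdefault(s["AvailabilityZone"], []).append(s)
    if len(by_az) < 2:
        raise ValueError("endpoint IP addresses must span at least two Availability Zones")
    azs = sorted(by_az)
    chosen = []
    for i in range(count):
        pool = by_az[azs[i % len(azs)]]
        chosen.append(pool[(i // len(azs)) % len(pool)])
    return chosen


def endpoint_request(name: str, direction: str, subnets: List[Dict], security_group_ids: Iterable[str],
                     endpoint_type: str = "IPV4", protocols: Iterable[str] = ("Do53",)) -> Dict:
    """Parameters for route53resolver create_resolver_endpoint."""
    if direction not in ("INBOUND", "OUTBOUND"):
        raise ValueError("direction must be INBOUND or OUTBOUND")
    return {
        "CreatorRequestId": name,                   # idempotency token
        "Name": name,
        "Direction": direction,
        "SecurityGroupIds": list(security_group_ids),
        "IpAddresses": [{"SubnetId": s["SubnetId"]} for s in subnets],  # let AWS pick each IP
        "ResolverEndpointType": endpoint_type,      # IPV4, IPV6 or DUALSTACK
        "Protocols": list(protocols),               # Do53 and/or DoH
    }


# The post's allow-all group: not subject to security-group connection tracking.
ALLOW_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]


def dns_only_permissions(peers: Iterable[str]) -> List[Dict]:
    """Restricted alternative: DNS on UDP and TCP port 53 to/from the given peers only (TCP
    carries truncated answers).  Narrower than ALLOW_ALL but subject to connection tracking."""
    nets = [ipaddress.ip_network(p) for p in peers]
    v4 = [{"CidrIp": str(n)} for n in nets if n.version == 4]
    v6 = [{"CidrIpv6": str(n)} for n in nets if n.version == 6]
    perms = []
    for proto in ("udp", "tcp"):
        perm: Dict = {"IpProtocol": proto, "FromPort": 53, "ToPort": 53}
        if v4:
            perm["IpRanges"] = v4
        if v6:
            perm["Ipv6Ranges"] = v6
        perms.append(perm)
    return perms


def apply(request: Dict, sg_egress: List[Dict] = None, sg_ingress: List[Dict] = None) -> str:
    """Create the endpoint with boto3 (imported here so the planning functions run offline)."""
    import boto3
    ec2 = boto3.client("ec2")
    for sg in request["SecurityGroupIds"]:
        if sg_egress:
            ec2.authorize_security_group_egress(GroupId=sg, IpPermissions=sg_egress)
        if sg_ingress:
            ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=sg_ingress)
    return boto3.client("route53resolver").create_resolver_endpoint(**request)["ResolverEndpoint"]["Id"]


if __name__ == "__main__":
    n = ips_required(25_000)                      # assumed peak of 25k QPS towards AD DS
    outbound = endpoint_request("adds-outbound", "OUTBOUND", choose_subnets(SUBNETS, n), ["sg-placeholder"])
    print(n, "outbound IPs in", [ip["SubnetId"] for ip in outbound["IpAddresses"]])
    print("outbound egress if restricted:", dns_only_permissions(["10.2.0.10/32", "10.2.1.10/32"]))
    inbound = endpoint_request("adds-inbound", "INBOUND", choose_subnets(SUBNETS, 2), ["sg-placeholder"])
    print(len(inbound["IpAddresses"]), "inbound IPs in", [ip["SubnetId"] for ip in inbound["IpAddresses"]])
    print("inbound ingress if restricted:", dns_only_permissions(["192.0.2.0/24"]))  # assumed on-prem DNS range
```

The headroom factor is a design choice for the example: the quota is per IP address, so a burst that exceeds it on one address is dropped rather than spilled over, and spare capacity also keeps the endpoint within quota when one Availability Zone is unavailable.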

Update on-premises DNS settings

  1. In the DNS Manager console, connect to the AD DS DNS server.
  2. Right-click Conditional Forwarders and select New Conditional Forwarder.
  3. Enter the DNS domain to forward (aws.example.com) and the IP addresses of the inbound Route 53 Resolver endpoints created in the previous section. If you select Store this conditional forwarder in Active Directory, the forwarder replicates to the other AD-integrated DNS servers instead of having to be created on each one.
  4. Choose OK to save the conditional forwarder.

Figure 11: Creating a new conditional forwarder in the DNS Manager console

With these configurations in place, when a client performs a DNS lookup for a record in the aws.example.com zone, the query will be forwarded as follows:

  1. Client queries AD DS DNS server for aws.example.com.
  2. The AD DS DNS server has a conditional forwarder for aws.example.com to Route 53 inbound endpoints.
  3. Route 53 inbound endpoint receives the query and resolves against the private hosted zone.
  4. The response is returned to the AD DS DNS server and then to the client.

This setup allows AD DS-joined resources to seamlessly resolve private hosted zones in Route 53, regardless of whether the AD DS environment is deployed in AWS or connected over Direct Connect or a VPN. Route 53 Resolver rules and endpoints enable flexible integration between AD DS DNS and cloud-hosted DNS namespaces.

Cleaning Up

Disassociate the forwarding rules from all VPCs, making sure that each rule is disassociated from every VPC it is attached to, and then delete the rules. An outbound endpoint cannot be deleted while a rule still references it, so only after confirming that all forwarding rules are deleted should you delete the outbound and inbound Resolver endpoints individually. Finally, re-enable autodefined reverse DNS resolution on the VPCs where you disabled it, and remove the conditional forwarder for aws.example.com from the AD DS DNS servers, since it now points at endpoint addresses that no longer exist.

Conclusion

In this post, we explored best practices for integrating on-premises or cloud-hosted AD DS DNS infrastructure with Amazon Route 53 private hosted zones using Amazon Route 53 Resolver endpoints and rules. This integration allows for efficient and scalable DNS resolution and registration across AD DS domain-joined resources, whether deployed within AWS or connected over Direct Connect or VPN. The solution outlined in this post reduces operational overhead and provides better scalability and availability characteristics than legacy approaches.

If you’re currently using custom DHCP option sets to target DNS servers directly within your VPCs or experiencing challenges with DNS resolution and registration for your AD DS-joined resources, we encourage you to review your current configuration and consider implementing the best practices outlined in this post. Alternatively, if you’re just getting started with integrating your AD DS infrastructure with AWS, this solution provides a scalable and highly available approach to ensure reliable DNS services for your hybrid environment.

Additional Resources

To learn more about Route 53 Resolver Endpoints, visit the Amazon Route 53 Developer Guide. For more information on the charges associated with hosted zones and resolver endpoints, visit Amazon Route 53 Pricing.

About the authors

Andrew Istfan

Andrew is a Solutions Architect at AWS and supports public sector customers, primarily in aerospace and defense. He holds eight AWS certifications and has a passion for networking and infrastructure as code. Outside of work, Andrew is often found playing video games, watching captivating space videos, or skiing down mountain slopes.

Thaddeus Worsnop

Thaddeus is a Solutions Architect at AWS. He has over 20 years of experience working in information technology. At AWS, Thaddeus focuses on helping large enterprise organizations develop, adopt and implement cloud services and strategy. Thaddeus is passionate about all areas of technology, but has focus areas in Networking and Artificial Intelligence.