AWS Security Blog

How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound

In previous AWS Security Blog posts, Drew Dennis covered two options for establishing DNS connectivity between your on-premises networks and your Amazon Virtual Private Cloud (Amazon VPC) environments. His first post explained how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. His second post showed how you can use Microsoft Active Directory (also provisioned with AWS Directory Service) to provide the same DNS resolution with some additional forwarding capabilities.

In this post, I explain how you can set up DNS resolution between your on-premises DNS and Amazon VPC by using Unbound, an open-source, recursive DNS resolver. This solution is not a managed solution like Microsoft AD and Simple AD, but it does provide the ability to route DNS requests between on-premises environments and an Amazon VPC–provided DNS.

Overview of Unbound

Unbound allows resolution of requests originating from AWS by forwarding them to your on-premises environment—and vice versa. For the purposes of this post, I will focus on a basic installation of Amazon Linux with the configuration necessary to direct traffic to on-premises environments or to the Amazon VPC–provided DNS, as appropriate. Review the Unbound documentation for details and other configuration options.

The following diagrams show an AWS architecture that uses Unbound to forward DNS traffic. The first diagram illustrates requests originating from AWS. Traffic matching the on-premises domain is redirected to the on-premises DNS server. All traffic not matching the on-premises domain will be forwarded to the Amazon VPC–provided DNS.

Diagram showing requests originating from AWS

The second diagram illustrates requests originating from an on-premises environment. The on-premises environment forwards traffic to Unbound, which in turn forwards the traffic to the Amazon VPC–provided DNS.

Diagram showing requests originating from an on-premises environment

Step 1: Install Unbound on Amazon EC2

To make the installation of Unbound as automated as possible, you will use EC2 user data to run shell commands at launch. The easiest way to do this is by creating a new EC2 instance.

To create an EC2 instance with Unbound:

  1. In the AWS Management Console, click EC2 under Compute.
  2. From the EC2 console, click Launch Instance.
  3. In Step 1: Choose an Amazon Machine Image (AMI), select the latest 64-bit Amazon Linux Amazon Machine Image (AMI), which should be at the top of the Quick Start list.
  4. In Step 2: Choose an Instance Type, select an instance with enough compute capacity to handle your DNS traffic. An m4.large or m3.medium instance type would be a good place to start.
  5. On the Step 3: Configure Instance Details page (see the following screenshot), select an Amazon VPC and Subnet. If you have a preferred private Primary IP for the instance, type it under the Network Interface section. If you do not set a private Primary IP, Amazon VPC will assign one. Take note of the IP address of the instance because you will need it in a later step.
    Screenshot of Configure Instance Details step in wizard
  6. While still on the Configure Instance Details page, paste the following shell script in the User data box As text, as shown in the preceding screenshot. Update the vpc_dns, onprem_domain, and onprem_dns variables in the script to reflect your DNS servers on-premises and in the Amazon VPC as well as the domain name you use for on-premises. Note that the Amazon VPC–provided DNS IP address will always be your Amazon VPC CIDR block “plus two.” For example, if your Amazon VPC uses 198.51.100.0/24, the VPC-provided DNS is 198.51.100.2.
#!/bin/bash
# Set the variables for your environment
vpc_dns=198.51.100.2
onprem_domain=example.local
onprem_dns=192.0.2.2

# Install updates and dependencies
yum update -y
yum install -y gcc openssl-devel expat-devel
# Get, build, and install latest Unbound
wget https://unbound.net/downloads/unbound-latest.tar.gz
tar -zxvf unbound-latest.tar.gz
# The trailing slash makes the glob match only the extracted directory, not the tarball
cd unbound-*/
./configure && make && make install
# Add run-time user
useradd unbound

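# Write Unbound configuration file with values from variables.
# "access-control: 0.0.0.0/0 allow" accepts queries from any source address, so the
# security group created later in the wizard is what limits who can use this resolver.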
cat << EOF | tee /usr/local/etc/unbound/unbound.conf
server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
forward-zone:
        name: "."
        forward-addr: ${vpc_dns}
forward-zone:
        name: "${onprem_domain}"
        forward-addr: ${onprem_dns}
EOF

# Install Unbound as service and run
cat << EOF | tee /etc/init/unbound.conf
start on runlevel [2345]
exec /usr/local/sbin/unbound
EOF

start unbound

When the script runs, it installs Unbound with all its dependencies, creates a configuration file using the values you have supplied, and configures the Unbound service to launch on subsequent instance reboots.

  7. In Step 4: Add Storage, leave the defaults selected.
  8. In Step 5: Tag Instance, type Unbound DNS as the Value for the Name.
  9. In Step 6: Configure Security Group, select Create a new security group (as shown in the following screenshot) and type unbound-dns in the Security group name box. Select DNS (UDP) as the Type, and select Custom IP for Source. Enter the Amazon VPC CIDR as the Custom IP (for example, 198.51.100.0/24). The VPC CIDR is available in the Network list in Step 3: Configure Instance of the Launch Instance wizard. This will allow DNS traffic to flow to the server.
    Screenshot of Configure Security Group step in wizard

Repeat these steps to install Unbound on at least two EC2 instances in different Availability Zones in order to provide redundant DNS servers.
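The user data script above writes access-control: 0.0.0.0/0 allow, which leaves the security group as the only control on who may query the resolver. As an added example (not part of the original post), the following shell functions derive the "plus two" resolver address from the VPC CIDR and render the same forwarding configuration with Unbound's own ACL limited to the VPC and on-premises ranges. The function names and the on-premises CIDR 192.0.2.0/24 are assumptions made for illustration.

```shell
# Added example, not from the original post; sample values are constructed.

# Print the Amazon VPC-provided DNS address: the network address "plus two".
vpc_dns_from_cidr() {
    cidr=$1
    case $cidr in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; prefix=${cidr#*/}
    case $ip in ''|*[!0-9.]*|*.) return 1 ;; esac
    case $prefix in ''|*[!0-9]*|0*) return 1 ;; esac
    # Amazon VPC CIDR blocks range from /16 to /28
    [ "$prefix" -ge 16 ] && [ "$prefix" -le 28 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    size=$(( 1 << (32 - prefix) ))
    n=$(( n - n % size + 2 ))   # clear the host bits, then add two
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))"
}

# Render unbound.conf on stdout with the ACL limited to known client ranges.
# Arguments: VPC CIDR, on-premises CIDR (assumed), on-premises domain, on-premises DNS IP.
render_unbound_conf() {
    vpc_cidr=$1; onprem_cidr=$2; onprem_domain=$3; onprem_dns=$4
    vpc_dns=$(vpc_dns_from_cidr "$vpc_cidr") || return 1
    cat << EOF
server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ${vpc_cidr} allow
        access-control: ${onprem_cidr} allow
forward-zone:
        name: "."
        forward-addr: ${vpc_dns}
forward-zone:
        name: "${onprem_domain}"
        forward-addr: ${onprem_dns}
EOF
}

render_unbound_conf 198.51.100.0/24 192.0.2.0/24 example.local 192.0.2.2
```

Unbound applies the most specific matching netblock, so the two allow entries override the catch-all refuse regardless of their order in the file.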

Step 2: Configure your EC2 instances to use Unbound

Now that you have an instance of Unbound running in Amazon VPC, you have to configure your EC2 instances to use Unbound as the DNS server so that on-premises domain names can be resolved. DHCP options sets allow you to assign the domain name, domain name servers, and other DHCP options.

  1. In the AWS Management Console, click VPC under Networking.
  2. Click DHCP Options Sets in the left pane and then click Create DHCP options set.
  3. In the Name tag box, type Unbound DNS.
  4. In the Domain name servers box, type the IP addresses of the Unbound instances you noted in Step 5 when creating the Unbound instance. Separate multiple entries with commas.
  5. Click the Yes, Create button to create the DHCP options set.
    Screenshot of creating a DHCP options set
  6. Associate the DHCP options set with your Amazon VPC by clicking Your VPCs in the left pane of the VPC console.
  7. Right-click the Amazon VPC with which you want to use Unbound, and then select the DHCP options set you just created.
    Screenshot of selecting the DHCP options set you just created

Multiple Amazon VPCs in a single region can use an Unbound DNS server across an Amazon VPC peering connection, which allows Amazon VPC to host Unbound as a shared service with other Amazon VPCs. You must make sure that the proper routing rules are created and the security group assigned to the Unbound instance is configured to allow traffic inbound from the peered Amazon VPCs. For more information, see Peering to One VPC to Access Centralized Resources.

Step 3: Configure on-premises DNS to forward to Unbound

For on-premises resources to resolve domain names assigned to AWS resources, you must take additional steps to configure your on-premises DNS server to forward requests to Unbound. Ensure the following are configured:

  • Your on-premises DNS has a forwarder that directs requests for the AWS-hosted domains to EC2 instances running Unbound. Refer to the documentation for your on-premises DNS server to configure DNS forwarders.
  • You have an Amazon VPN or AWS Direct Connect with routing rules that allow DNS traffic to pass through to the Amazon VPC.
  • The security group assigned to Unbound instances allows traffic from your on-premises DNS server that will forward requests. Revisit #9 in Step 1: Install Unbound on Amazon EC2. Add an entry with the on-premises CIDR that allows DNS (UDP).

Summary

You can use Unbound as a DNS forwarder to create an architecture such that DNS requests originating from your on-premises environment or your Amazon VPCs can be resolved. After you have correctly configured the setup detailed in this post, it will provide integration between DNS services.

If you have comments, submit them in the “Comments” section below. If you have questions, start a new thread on the Directory Service forum.

– Jason
