AWS Security Blog

How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory

In my previous post, I showed how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. Today, I will show how you can use Microsoft Active Directory (also provisioned with AWS Directory Service) to provide the same DNS resolution with some additional forwarding capabilities.

Microsoft Active Directory–provided DNS won’t automatically forward requests to the VPC-provided DNS. Instead, you need to configure a DNS forwarder so that requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS. To configure a DNS forwarder, you need to install the Windows DNS Server Tools feature, a process that is described in the following paragraph.

The Microsoft Active Directory type within AWS Directory Service provides two domain controllers (each in separate AWS Availability Zones) and an Admin account that has permissions for the most common administrative activities. These include user and group management, resource management, delegation, Group Policy management, and management of DNS configurations. To access the DNS service on the Microsoft AD domain controllers, install the Windows DNS Server Tools on another Windows host. From the Add Roles and Features Wizard, select DNS Server Tools under Remote Administration Tools, as shown in the following screenshot.

Image of installing DNS Server Tools

After you have installed the DNS Server Tools and have authenticated to the Active Directory domain, run DNS Manager (dnsmgmt.msc), which prompts you to connect to the server, as shown in the following image. If you have previously connected to a DNS server with an existing installation of DNS Manager, you can manually add a DNS server connection by right-clicking the DNS node in the top-left corner and selecting Connect to DNS Server.

Image of DNS Manager

In the box after The following computer, type the IP address of one of the two provisioned AWS Directory Service for Microsoft AD domain controllers. You can obtain either IP address by selecting your Microsoft AD directory in the AWS Directory Service console.

After you have connected the DNS Manager to a Microsoft AD DNS service, you can configure the server and conditional forwarders. For example, if you want these DNS servers to forward requests for your Route 53 private hosted zone to Route 53, right-click Conditional Forwarders and select New Conditional Forwarder. Then, you can specify the private hosted zone and VPC-provided DNS IP address. Note that the VPC-provided DNS IP address will always be your VPC CIDR block “plus two.” For example, if your VPC uses 10.10.0.0/16, the VPC-provided DNS is 10.10.0.2, as shown in the following image. If you store a conditional forwarder in AWS Directory Service for Microsoft AD, it handles the replication of this to the other domain controller.

Image of new conditional forwarder

After those configuration steps, you should now be able to resolve DNS requests originating from your on-premises networks into Route 53 via an AWS-managed Microsoft AD service. The following diagram illustrates this process.

Diagram of resolving DNS requests originating from on-premises networks

Resolving DNS requests for on-premises resources originating from AWS

As I mentioned in my previous blog post, you will most likely also want resources that are deployed inside your VPCs to be able to resolve names for resources that exist in your data centers or on-premises networks. In other words, the steps I have covered so far in this post are about resolving VPC resources from existing corporate or private networks. How about resolution in the opposite direction?

With the AWS-managed Microsoft AD service, you can simply create another conditional forwarder for your on-premises DNS domains and name servers as mentioned previously in this post. Having access to DNS configuration with this service really pays off! Just launch the DNS Manager against one of your managed Microsoft AD–provided DNS servers, and create a second conditional forwarder for your on-premises domain name and DNS server IP address. You could also leverage DNS Manager to create a secondary DNS zone that is hosted on-premises. For many workloads, this may be another viable option, but it is outside the scope of this blog post.

The following diagram depicts this flow of DNS requests originating from inside the VPC with Microsoft AD.

Diagram of the flow of DNS requests originating from inside the VPC

Summary

In this post and my previous post, I showed how to use Simple AD and Microsoft AD to forward DNS requests to Route 53 in hybrid architectures. With Microsoft AD, having administrative access to the provisioned DNS server allows for additional configuration flexibility. DNS forwarders can be configured with Microsoft AD–provided DNS to route requests to Route 53 or to on-premises DNS servers.

If your AWS workloads require Microsoft Active Directory, I encourage you to leverage one of the directory types provided by AWS Directory Service. For more information about these directory types, see AWS Directory Service Product Details. Using Simple AD and Microsoft AD for a cohesive DNS strategy between on-premises networks and AWS provides additional integration options for hybrid AWS deployments.

If you have questions or comments, submit them below or on the Directory Service forum.

– Drew