How can I resolve Route 53 private hosted zones from an on-premises network using an Ubuntu instance?

Last updated: 2016-08-12

Short description

You can resolve domain names in private hosted zones from your on-premises network by configuring a DNS forwarder.


The following instructions assume that your on-premises network is configured with a VPN or AWS Direct Connect to an AWS VPC, and a Route 53 private hosted zone is associated with that VPC. Configure a DNS forwarder by completing the following steps:

1.    Validate that DNS resolution and DNS hostnames are enabled on the target VPC.

Note: DNS hostnames are enabled for default VPCs and VPCs that you create using the VPC wizard in the Amazon VPC console.

2.    Install BIND DNS server on your instance by using the following command:

sudo apt-get install bind9 bind9utils bind9-doc

3.    Configure the BIND server in a forward-only configuration by modifying the named.conf.options file. By default, BIND configuration files are kept in /etc/bind.

Create an access control list (ACL) for the BIND server, replacing the IP address in the following example with a list of IP addresses you trust:

acl "trusted" {
                192.0.2.0/24;    // placeholder: replace with the on-premises addresses or networks you trust
};

Configure BIND to forward all DNS requests to the Amazon VPC name server. The VPC name server is always the second available address in the VPC (the VPC's network address plus two). For example, if the VPC CIDR is, then the VPC name server has the IP address of, as in the following example:

options {
                directory "/var/cache/bind";
                recursion yes;
                allow-query { trusted; };

                forwarders {
                                10.0.0.2;    // placeholder: replace with your VPC name server address
                };

                forward only;
                dnssec-enable no;
                dnssec-validation no;
                dnssec-lookaside auto;
                auth-nxdomain no;
                listen-on-v6 { any; };
};

Note: In the above example, DNSSEC is disabled, because Route 53 does not currently support DNSSEC.

4.    Test the syntax and restart the service by using the following commands:

sudo named-checkconf
sudo service bind9 restart

Note: Confirm that you have port 53 TCP/UDP open to the on-premises network in your DNS server's security group.

5.    Configure your clients to use the BIND DNS server to resolve DNS. For instructions, check the documentation for your client’s operating system.
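The procedure above assembled into one script, as an added example that is not part of the AWS article: it derives the Amazon DNS server address (the VPC network address plus two) from a VPC CIDR, renders a forward-only named.conf.options with the trusted ACL, and validates the result with named-checkconf when BIND is installed. The CIDR 10.0.0.0/16 and the on-premises network 192.168.10.0/24 are constructed sample values. The rendered options leave out the article's dnssec-enable and dnssec-lookaside lines, which newer BIND releases warn about or reject; dnssec-validation no; alone keeps validation off as the article intends.

```shell
#!/bin/sh
# Added example (not from the AWS article): compute the VPC resolver address
# and render a forward-only BIND configuration for an on-premises forwarder.
# 10.0.0.0/16 and 192.168.10.0/24 below are constructed sample values.

# ip_to_int 10.0.0.0 -> 167772160 (dotted quad to 32-bit integer)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip 167772162 -> 10.0.0.2 (32-bit integer back to dotted quad)
int_to_ip() (
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
)

# vpc_resolver_ip 10.0.0.0/16 -> 10.0.0.2
# The Amazon-provided DNS server is the VPC network address plus two,
# the "second available address" the article refers to. VPC CIDRs are
# limited to /16 through /28, so anything else is rejected.
vpc_resolver_ip() {
    cidr=$1
    base=${cidr%/*}
    prefix=${cidr#*/}
    case "$prefix" in
        ''|*[!0-9]*) echo "bad prefix length: $cidr" >&2; return 1 ;;
    esac
    [ "$prefix" -ge 16 ] && [ "$prefix" -le 28 ] || {
        echo "VPC prefix must be /16 to /28: $cidr" >&2
        return 1
    }
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    network=$(( $(ip_to_int "$base") & mask ))
    int_to_ip $(( network + 2 ))
}

# render_named_options VPC_CIDR "TRUSTED; NETWORKS;" -> named.conf.options on stdout
# The ACL restricts queries to the on-premises ranges; all lookups are
# forwarded to the VPC resolver so private hosted zone names resolve.
render_named_options() {
    resolver=$(vpc_resolver_ip "$1") || return 1
    trusted=$2
    cat <<EOF
acl "trusted" {
        ${trusted}
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { trusted; };
        forwarders {
                ${resolver};
        };
        forward only;
        dnssec-validation no;
        auth-nxdomain no;
        listen-on-v6 { any; };
};
EOF
}

# check_named_options FILE: run BIND's syntax checker when it is installed
check_named_options() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
    fi
}

# Demo: render a config for the constructed VPC CIDR and trusted network,
# show it, and validate it before it would be copied to /etc/bind.
tmp=$(mktemp)
render_named_options 10.0.0.0/16 "192.168.10.0/24;" > "$tmp"
cat "$tmp"
check_named_options "$tmp"
rm -f "$tmp"
```

Run it with sh; to install the result, copy the rendered output to /etc/bind/named.conf.options, run sudo named-checkconf, and restart bind9 as in step 4. The prefix-length check exists because a mistyped CIDR such as /8 would silently yield a resolver address that forwards nowhere.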
