How do I mount an Amazon Elastic File System using a DNS name and a custom DNS server?

Last updated: 2020-04-07

I have a custom Domain Name System (DNS) server. How do I mount an Amazon Elastic File System (Amazon EFS) using a DNS name?

Short Description

You can mount an Amazon EFS file system on an Amazon Elastic Compute Cloud (Amazon EC2) instance using a DNS name for the file system. To do so, the following must be true:

  • The connecting EC2 instance must be inside a virtual private cloud (VPC), and it must be configured to use the custom DNS server. For more information, see DHCP Options Sets.
  • The DNS settings DNS resolution and DNS hostnames are enabled in your custom VPC. For more information, see Updating DNS Support for Your VPC.

Note: An Amazon EFS file system can be mounted only on Linux EC2 instances.

Resolution

Using a Windows DNS server

1.    From the VPC console, choose Your VPCs from the left navigation pane, choose the desired VPC, and then choose the Summary tab. Note the IPv4 CIDR address.

2.    In EC2-VPC, the Amazon DNS server is located at the base of your VPC network range, plus 2 (for example, 172.31.0.2 for CIDR 172.31.0.0/16). For more information, see Amazon DNS Server.

3.    Add a conditional forwarder in your Windows DNS server using the dnscmd command, the /zoneadd and /forwarder parameters, and the IP address from step one. In this example, the IP address is 172.31.0.2, which is the second valid IPv4 address for a subnet with an address of 172.31.0.0/16.

C:\Windows\system32> dnscmd  /ZoneAdd amazonaws.com /forwarder 172.31.0.2

The conditional forwarder handles the DNS requests from the amazonaws.com domain to your Windows VPC DNS server. This allows DNS queries from EC2 instances to be forwarded to the Amazon DNS server that can translate the Amazon EFS DNS name. Or, you can set up zone forwarding on your custom DNS server, however, be aware of cross-Availability Zone traffic.

4.    Use the nslookup command and your EFS file system ID to validate that the Windows DNS server is resolving the DNS queries. Run the following command in your Windows DNS server.

C:\Windows\system32>nslookup file-system-id.efs.aws-region.amazonaws.com

Note: To find the Amazon EFS file system ID, open the Amazon EFS console. Then, choose File systems from the left navigation pane.

Using dnsmasq - Use with Amazon Linux AMI and Amazon Linux 2

Note: Use the following steps for all EC2 instances that need to connect to Amazon EFS using a custom DNS server.

1.    Install the dnsmasq server.

sudo yum install -y dnsmasq

2.    Create a dedicated system user to run dnsmasq.

sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq

Note: dnsmasq typically runs as the root user, but drops root privileges after startup by changing to another user (by default, the user is "nobody").

3.    (Optional) To create a backup of the previous configuration, use the mv command to create a copy of the dnsmasq.conf file.

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

4.    Open the configuration file using a text editor (for example, vim).

sudo vim /etc/dnsmasq.conf

5.    Edit the /etc/dnsmasq.conf file so that it is similar to the following.

listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
server=/amazonaws.com/169.254.169.253

# Name resolution options
resolv-file=/etc/resolv.dnsmasq
cache-size=500
neg-ttl=60
domain-needed
bogus-priv

Note: You can use either the Amazon DNS server's IP address, 169.254.169.253, which is common for all VPCs, or you can use the DNS server's IP address based on your VPC's CIDR block.

6.    Create the /etc/resolv.dnsmasq file. Then, set the custom domain-name-servers that you have specified on DHCP Options Sets.

sudo bash -c "echo 'nameserver x.x.x.x' >> /etc/resolv.dnsmasq"

Perform the preceding command for all the DNS servers that are specified in the DHCP Option Sets. In the preceding example, x.x.x.x is one of the DNS mentioned in the DHCP Options Set.

7.    Verify the DNS server names.

# cat /etc/resolv.dnsmasq
nameserver x.x.x.x   
nameserver y.y.y.y

8.    Enter the DNS server name 127.0.0.1 in the resolv.conf file.

# cat /etc/resolv.conf
options timeout:2 attempts:5
; generated by /usr/sbin/dhclient-script
search ec2.internal <on-prem-domain-name i.e example.com>
nameserver 127.0.0.1

9.    Modify dhclient.conf to retain customized nameserver entries.

sudo bash -c "echo 'supersede domain-name-servers 127.0.0.1;' >> /etc/dhcp/dhclient.conf"

Note: The preceding step must be completed, or the dhclient might override the values in resolv.conf on reboot of the instance. Use 127.0.0.1 (dnsmasq) as the DNS resolver. For more information, see My private EC2 instance is running Amazon Linux, Ubuntu, or RHEL. How do I assign a static DNS server to the EC2 instance that persists during reboot?

10.    Verify the changes that you made in step 8.

# cat /etc/dhcp/dhclient.conf
timeout 300;
supersede domain-name-servers 127.0.0.1;

Note: If you want to have a failback entry for DNS in resolv.conf, append the failback DNS servers address after 127.0.0.1 as shown in the following example.

# cat /etc/dhcp/dhclient.conf
timeout 300;
supersede domain-name-servers 127.0.0.1, x.x.x.x, y.y.y.y;

11.    Restart the dnsmasq server. Then, set the service to start up on boot using the following commands.

Amazon Linux AMI

sudo service dnsmasq restart
sudo chkconfig dnsmasq on

Amazon Linux 2

sudo systemctl restart dnsmasq.service
sudo systemctl enable dnsmasq.service

12.    Verify that dnsmasq is working correctly using the dig command.

dig amazonaws.com
dig example.com

If resolution occurs as expected, then the dnsmasq cache is working correctly.

13.    Run the dhclient command or reboot your instance to apply the change.

sudo dhclient

-or-

sudo reboot

14.    Perform DNS queries using dig or nslookup to verify that your instance is using the DNS cache.

dig amazonaws.com (AWS Specific Domain)
dig example.com (Custom domain)

For more information, see Additional Mounting Considerations.


Did this article help you?

Anything we could improve?


Need more help?