How can I use and override reverse DNS rules with Route 53 Resolver?

Last updated: 2020-07-02

How can I use and override auto-defined reverse DNS rules with Amazon Route 53 Resolver?

Resolution

To use Resolver rules:

After the enableDnsHostnames attribute is set to true for a VPC, Resolver automatically creates auto-defined system rules that define how queries for selected domains are resolved by default. To override an auto-defined rule, create a forwarding rule (Resolver rule) or a private hosted zone for the same domain name. Reverse DNS name resolution with Resolver therefore depends on three things: auto-defined rules, Resolver rules, and private hosted zone configurations.

When a query matches more than one rule, the Amazon-provided DNS resolver first chooses the rule with the most specific domain name. When rules of different types share the same domain name, it applies them in the following priority order:

  • Resolver rules – Forwarding rules that you create manually for a domain name. Resolver forwards matching queries to the target IP addresses defined in the rule.
  • Rules for private hosted zones – For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the DNS resolver of that VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with each VPC's DNS resolver.
  • Auto-defined rules for reverse DNS – Resolver creates auto-defined rules for reverse DNS lookups and for localhost-related domains when enableDnsHostnames is set to true for the VPC.

Rules apply to the CIDR block ranges of a VPC and all connected VPCs with DNS support enabled. Resolver creates the most generic rules possible given the CIDR block range.

Example of how to override auto-defined rules

The resources in this example are as follows:

  • DNS query source VPC1 with CIDR 10.237.52.0/22
  • DNSHostname attribute = Enabled
  • DNSSupport attribute = Enabled
  • Connected VPC2 (connected through a transit gateway or VPC peering with DNS support enabled) with CIDR 10.104.2.0/24
  • VPC DNS resolver = Amazon-provided DNS resolver
  • Route 53 Resolver outbound endpoint with connectivity to 192.168.1.4/32 (DNS server located in another network)

The following auto-defined system rules were then created by Resolver:

Rules for private IP addresses:
  • 10.in-addr.arpa.
  • 16.172.in-addr.arpa. through 31.172.in-addr.arpa.
  • 168.192.in-addr.arpa.
  • 254.169.254.169.in-addr.arpa.

Rules for VPC1 CIDR (10.237.52.0/22, one rule per /24 because in-addr.arpa is delegated per octet):
  • 52.237.10.in-addr.arpa.
  • 53.237.10.in-addr.arpa.
  • 54.237.10.in-addr.arpa.
  • 55.237.10.in-addr.arpa.

Rules for VPC2 CIDR (peered VPC, 10.104.2.0/24):
  • 2.104.10.in-addr.arpa.

The reverse DNS resolution requirements for this environment are as follows (priority, IP address range of the reverse DNS query, destination DNS server):

  1. 10.237.53.0/24 – 192.168.1.4/32 (DNS server in another network)
  2. 10.237.52.0/22 except 10.237.53.0/24 – Amazon-provided DNS resolver
  3. 10.104.2.0/24 – Private hosted zone
  4. 10.0.0.0/8 except all of the above – 192.168.1.4/32 (DNS server in another network)

The following steps achieve the preceding configuration:
Note: The source performing the DNS query is VPC1 and all requests are sent to the Amazon-provided DNS IP address.

  1. Because the IP address range 10.237.53.0/24 is part of the VPC1 CIDR 10.237.52.0/22, an auto-defined system rule (53.237.10.in-addr.arpa.) already applies to this range. Create a Resolver rule for the domain name 53.237.10.in-addr.arpa. with the target IP address 192.168.1.4/32. Because a Resolver rule has higher priority than an auto-defined rule for the same domain name, this rule overrides the auto-defined rule for 10.237.53.0/24.
  2. For IP addresses in 10.237.52.0/22 except 10.237.53.0/24, the auto-defined system rules (52, 54, and 55.237.10.in-addr.arpa.) remain in effect, so the Amazon-provided DNS resolver resolves these queries. No configuration is needed.
  3. For IP addresses in 10.104.2.0/24, the auto-defined rule 2.104.10.in-addr.arpa. for the VPC2 CIDR is already the most specific rule. Because a rule for a private hosted zone has higher priority than an auto-defined rule for the same domain name, create a private hosted zone named 2.104.10.in-addr.arpa and associate it with the VPC that sends the queries (VPC1).
  4. Create a Resolver rule for the domain name 10.in-addr.arpa. with the target IP address 192.168.1.4/32. This rule sends reverse DNS queries for the rest of 10.0.0.0/8 to the DNS server in the other network and overrides the auto-defined 10.in-addr.arpa. rule. It does not affect 10.237.52.0/22 or 10.104.2.0/24, because the rules for those ranges have more specific domain names.

The following rules now meet the requirements and are considered by the Resolver based on priority:

  • Custom Resolver rules: 53.237.10.in-addr.arpa. and 10.in-addr.arpa.
  • Rule created for private hosted zone: 2.104.10.in-addr.arpa.

Reverse DNS queries for IP addresses in the 10.0.0.0/8 range are now resolved as follows, applying the most specific domain name first and then the rule type priority (priority, IP address range of the reverse DNS query, destination DNS server):

  1. 10.237.53.0/24 – 192.168.1.4/32, using the most specific Resolver rule (53.237.10.in-addr.arpa.)
  2. 10.237.52.0/22 except 10.237.53.0/24 – Amazon-provided DNS resolver, using the most specific auto-defined system rules (52, 54, and 55.237.10.in-addr.arpa.)
  3. 10.104.2.0/24 – Amazon-provided DNS resolver, using the rule created for the private hosted zone 2.104.10.in-addr.arpa.
  4. 10.0.0.0/8 except all of the above – 192.168.1.4/32, using the Resolver rule 10.in-addr.arpa. (no more specific rule matches, and a Resolver rule has higher priority than the auto-defined rule for the same domain name)
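The following Python script is an added example and is not AWS code or documentation. It models the two mechanisms this article relies on: how auto-defined reverse DNS rules are derived from a CIDR block (one in-addr.arpa name per octet-aligned sub-block, so a /22 yields four /24 rules and a /12 yields sixteen /16 rules), and how a query is matched against rules (most specific domain name first, then Resolver rule over private hosted zone over auto-defined rule). It loads the rule set from the walkthrough above and reports which rule wins for a queried IP. The rule targets are plain strings, not Resolver rule IDs or endpoints, and the handling of /25 to /31 prefixes is deliberately left out because the article does not describe it; both are assumptions of this example. Run it to check that the four rows of the final table come out as the article states.

```python
"""Simulate Route 53 Resolver rule selection for reverse DNS queries.

Added example, not AWS code. Rule targets are plain strings (assumption);
Resolver rule IDs, outbound endpoints and VPC associations are not modelled.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    domain: str   # reverse DNS domain the rule covers, e.g. "53.237.10.in-addr.arpa."
    kind: str     # "resolver_rule", "private_hosted_zone" or "auto_defined"
    target: str   # where a matching query is sent


# When several rules share the same domain name, Resolver prefers them in
# this order (lower is better): Resolver rule, private hosted zone rule,
# auto-defined system rule.
KIND_PRIORITY = {"resolver_rule": 0, "private_hosted_zone": 1, "auto_defined": 2}


def reverse_domains_for_cidr(cidr: str) -> List[str]:
    """Most generic in-addr.arpa names that together cover an IPv4 CIDR block.

    in-addr.arpa is delegated per octet, so a /22 needs four /24 names and a
    /12 needs sixteen /16 names; a /32 gets its full four-label name (as the
    article shows for 169.254.169.254). Prefixes /25 to /31 are not covered
    by the article, so they are rejected rather than guessed at (assumption).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if 24 < net.prefixlen < 32:
        raise ValueError(f"{cidr}: reverse rules for /25 to /31 are not modelled here")
    octet_prefix = max(8, -(-net.prefixlen // 8) * 8)   # round up to 8, 16, 24 or 32
    names = []
    for sub in net.subnets(new_prefix=octet_prefix):
        octets = str(sub.network_address).split(".")[: octet_prefix // 8]
        names.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return names


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address: 10.237.53.7 -> 7.53.237.10.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def select_rule(ip: str, rules: List[Rule]) -> Optional[Rule]:
    """Pick the rule Resolver applies to a reverse query for ip.

    The most specific matching domain name (most labels) wins; when the
    matching rules share a domain name, KIND_PRIORITY breaks the tie.
    """
    qname = reverse_name(ip)
    matches = [r for r in rules if qname == r.domain or qname.endswith("." + r.domain)]
    if not matches:
        return None   # no rule matches; the resolver treats it as an ordinary query
    return max(matches, key=lambda r: (r.domain.count("."), -KIND_PRIORITY[r.kind]))


def article_rules() -> List[Rule]:
    """The rule set from the walkthrough: auto-defined rules for the private
    ranges, 169.254.169.254, VPC1 (10.237.52.0/22) and VPC2 (10.104.2.0/24),
    plus the two Resolver rules and the private hosted zone from steps 1-4."""
    rules = []
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.169.254/32", "10.237.52.0/22", "10.104.2.0/24"):
        for name in reverse_domains_for_cidr(cidr):
            rules.append(Rule(name, "auto_defined", "Amazon-provided DNS resolver"))
    rules.append(Rule("53.237.10.in-addr.arpa.", "resolver_rule", "192.168.1.4"))
    rules.append(Rule("10.in-addr.arpa.", "resolver_rule", "192.168.1.4"))
    rules.append(Rule("2.104.10.in-addr.arpa.", "private_hosted_zone", "private hosted zone"))
    return rules


def target_for(ip: str, rules: Optional[List[Rule]] = None) -> Optional[str]:
    """Destination that answers the reverse query for ip under the article's rules."""
    rule = select_rule(ip, rules if rules is not None else article_rules())
    return rule.target if rule else None


if __name__ == "__main__":
    # Sample addresses chosen to hit each row of the article's final table.
    for ip in ("10.237.53.7", "10.237.52.7", "10.104.2.9", "10.1.2.3", "172.20.1.1", "8.8.8.8"):
        rule = select_rule(ip, article_rules())
        print(f"{ip:>14} -> {rule.domain if rule else '(no rule)':<30} {rule.kind if rule else ''}")
```

The tie-breaker is the part worth internalising: for 10.237.53.7 the auto-defined rule and the Resolver rule have the identical domain name, and only the rule type decides, whereas for 10.237.52.7 the auto-defined 52.237.10.in-addr.arpa. rule beats the Resolver rule for 10.in-addr.arpa. on specificity alone. Any rule you add is therefore only as effective as its domain name is specific.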