How can I use and override reverse DNS rules with Route 53 Resolver?

Last updated: 2022-08-09

How do I use and override auto-defined reverse DNS rules with Amazon Route 53 Resolver?

Resolution

To use Resolver rules:

When the enableDnsHostnames attribute of a VPC is set to true, Resolver automatically creates auto-defined system rules that define how queries for selected domains (including the reverse DNS domains for the VPC's CIDR blocks) are resolved by default. To override an auto-defined rule, create a forwarding rule (Resolver rule) for the same domain name and associate it with the VPC. Reverse DNS name resolution with Resolver therefore depends on three things: auto-defined rules, Resolver rules, and the private hosted zones that are associated with the VPC.

The Amazon-provided DNS resolver chooses the rule whose domain name is the most specific match for the query name. When more than one rule has the same domain name, it applies them in the following priority order:

  1. Resolver rules – Forwarding rules that you create manually for a domain name. Resolver forwards matching queries through an outbound endpoint to the target IP addresses that you specify.
  2. Rules for private hosted zones – For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the DNS resolver of the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with each VPC's DNS resolver.
  3. Auto-defined rules for reverse DNS – Resolver creates auto-defined rules for reverse DNS lookup and localhost-related domains when you set "enableDnsHostnames" for the associated VPC to "true."

Auto-defined reverse DNS rules cover the CIDR block ranges of the VPC and of all connected VPCs (peered or attached through a transit gateway) that have DNS support enabled. Resolver creates the most generic rules possible for each CIDR block range: a /24 gets a single rule, while a /22 is covered by four /24 rules.

Example of how to override auto-defined rules

The resources in this example are as follows:

  • DNS query source VPC1 with CIDR 10.237.52.0/22
  • DNS hostnames (enableDnsHostnames) attribute = Enabled
  • DNS support (enableDnsSupport) attribute = Enabled
  • Connected VPC2 (connected through a transit gateway or VPC peering with DNS support enabled) with CIDR 10.104.2.0/24
  • VPC DNS resolver = Amazon-provided DNS resolver
  • Route 53 Resolver outbound endpoint with connectivity to 192.168.1.4/32 (DNS server located in another network)

The following auto-defined system rules were then created by Resolver:

Rules for private IP address ranges:
  • 10.in-addr.arpa.
  • 16.172.in-addr.arpa. through 31.172.in-addr.arpa.
  • 168.192.in-addr.arpa.
  • 254.169.254.169.in-addr.arpa.

Rules for the VPC1 CIDR (10.237.52.0/22):
  • 52.237.10.in-addr.arpa.
  • 53.237.10.in-addr.arpa.
  • 54.237.10.in-addr.arpa.
  • 55.237.10.in-addr.arpa.

Rules for the VPC2 CIDR (peered VPC, 10.104.2.0/24):
  • 2.104.10.in-addr.arpa.
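The rule names above follow one pattern: Resolver rounds each CIDR's prefix length up to the next octet boundary and creates one in-addr.arpa. rule per block of that size. The following Python snippet is an added example, not code from the AWS article or from any AWS library, that reproduces the list above from the CIDRs of this scenario and from the private address ranges. The rounding rule is inferred from the rows shown here; for prefix lengths the list does not cover (for example a /28 VPC) it is an assumption.

```python
import ipaddress


def autodefined_reverse_rules(cidr: str) -> list[str]:
    """Return the in-addr.arpa. domain names that Resolver auto-defines for a CIDR.

    Resolver creates the most generic rules it can: the prefix length is rounded
    up to the next octet boundary and one rule is created per block of that size.
    A /22 therefore gets four /24 rules, a /12 gets sixteen /16 rules and a /8 gets
    a single rule. (Inferred from the example list above; an assumption for
    prefixes the list does not show, such as /28.)
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 in-addr.arpa. rules are modelled here")
    octets = max(1, -(-net.prefixlen // 8))  # ceil(prefixlen / 8)
    rules = []
    for block in net.subnets(new_prefix=octets * 8):
        # Keep the leading `octets` labels of the network address and reverse them.
        labels = str(block.network_address).split(".")[:octets]
        rules.append(".".join(reversed(labels)) + ".in-addr.arpa.")
    return rules


# Constructed inputs: the CIDRs from this article's scenario plus the private
# ranges (RFC 1918 and the 169.254.169.254 instance metadata address).
SCENARIO_CIDRS = {
    "VPC1": "10.237.52.0/22",
    "VPC2 (peered)": "10.104.2.0/24",
}
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.169.254/32"]


def build_autodefined_table() -> dict[str, list[str]]:
    """Rebuild the three rule lists above from the CIDR blocks."""
    table = {name: autodefined_reverse_rules(cidr) for name, cidr in SCENARIO_CIDRS.items()}
    table["private"] = [r for cidr in PRIVATE_RANGES for r in autodefined_reverse_rules(cidr)]
    return table


if __name__ == "__main__":
    for column, names in build_autodefined_table().items():
        print(f"{column}: {len(names)} rule(s)")
        for name in names:
            print("   ", name)
```

Running the script prints the four VPC1 rules, the single VPC2 rule and the nineteen private-range rules (one for 10/8, sixteen for 172.16/12, one for 192.168/16 and one for the metadata address), matching the list above entry for entry.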

The DNS resolution requirements for the environment where queries are forwarded are:

Priority   CIDR for reverse DNS query              Destination DNS server
1          10.237.53.0/24                          192.168.1.4/32 (another network)
2          10.237.52.0/22 except 10.237.53.0/24    Amazon-provided DNS resolver
3          10.104.2.0/24                           Private hosted zone
4          10.0.0.0/8 except all of the above      192.168.1.4/32 (another network)

The following steps achieve the preceding configuration:
Note: The source performing the DNS query is VPC1 and all requests are sent to the Amazon-provided DNS IP address.

  1. Because the IP address range 10.237.53.0/24 is part of the VPC1 CIDR 10.237.52.0/22, an auto-defined system rule (53.237.10.in-addr.arpa.) already applies to this range. Create a Resolver rule for the domain 53.237.10.in-addr.arpa with the target IP address 192.168.1.4, using the outbound endpoint, and associate the rule with VPC1. Because it has the same domain name as the auto-defined rule, the Resolver rule overrides it.
  2. For IP addresses in the 10.237.52.0/22 range except 10.237.53.0/24, the auto-defined system rules (52.237.10, 54.237.10 and 55.237.10.in-addr.arpa.) remain the most specific match. The Amazon-provided DNS resolver resolves these DNS queries.
  3. For IP addresses in the 10.104.2.0/24 range, the auto-defined rule 2.104.10.in-addr.arpa. for the VPC2 CIDR is already the most specific match. Because rules for private hosted zones have higher priority than auto-defined rules with the same domain name, create a private hosted zone for the domain name 2.104.10.in-addr.arpa and associate it with VPC1 (the VPC that sends the queries).
  4. Create a Resolver rule for the domain name 10.in-addr.arpa with the target IP address 192.168.1.4, using the outbound endpoint, and associate it with VPC1. This rule sends reverse DNS queries for IP addresses in the 10.0.0.0/8 range to the DNS server in the other network, except for addresses in the 10.237.52.0/22 and 10.104.2.0/24 ranges, which more specific rules cover. The rule also overrides the auto-defined system rule 10.in-addr.arpa.

The following rules now meet the requirements and are considered by the Resolver based on priority:

  • Custom Resolver rules: 53.237.10.in-addr.arpa. and 10.in-addr.arpa.
  • Rule created for private hosted zone: 2.104.10.in-addr.arpa.

Reverse DNS queries from VPC1 for IP addresses in the 10.0.0.0/8 range are now resolved as follows. Resolver picks the matching rule with the most specific domain name; where a Resolver rule, a private hosted zone rule and an auto-defined rule share the same domain name, it applies them in that priority order:

Priority   IP address range for reverse DNS query   Destination DNS server
1          10.237.53.0/24                           192.168.1.4/32, through the Resolver rule 53.237.10.in-addr.arpa. (most specific Resolver rule)
2          10.237.52.0/22 except 10.237.53.0/24     Amazon-provided DNS resolver, through the auto-defined rules 52.237.10, 54.237.10 and 55.237.10.in-addr.arpa. (most specific system rules)
3          10.104.2.0/24                            Amazon-provided DNS resolver, through the rule created for the private hosted zone 2.104.10.in-addr.arpa. (same domain name as the auto-defined rule, but higher priority)
4          10.0.0.0/8 except all of the above       192.168.1.4/32, through the Resolver rule 10.in-addr.arpa. (no more specific rule matches, and the Resolver rule has priority over the auto-defined rule for the same domain name)
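To check the outcome table above without touching an AWS account, the following Python model, an added example rather than AWS code, applies the two selection steps this article describes: the matching rule with the most specific domain name wins, and when several rules carry the same domain name the Resolver rule beats the private hosted zone rule, which beats the auto-defined rule. The rule set is constructed from the domain names in this example; the target values are descriptive labels only, and the "." catch-all entry that stands in for the Internet Resolver auto-defined rule is an assumption added so that addresses outside every reverse rule still return a result.

```python
import ipaddress

# When two rules have exactly the same domain name, the lower number wins.
KIND_PRIORITY = {"resolver": 1, "phz": 2, "autodefined": 3}

# Constructed from this article's example. Targets are descriptive labels only.
OTHER_NETWORK_DNS = "192.168.1.4 (via outbound endpoint)"
AMAZON_DNS = "Amazon-provided DNS resolver"
RULES = [
    # Steps 1 and 4: custom Resolver rules forwarding to the other network.
    {"domain": "53.237.10.in-addr.arpa.", "kind": "resolver", "target": OTHER_NETWORK_DNS},
    {"domain": "10.in-addr.arpa.", "kind": "resolver", "target": OTHER_NETWORK_DNS},
    # Step 3: private hosted zone associated with VPC1.
    {"domain": "2.104.10.in-addr.arpa.", "kind": "phz",
     "target": "private hosted zone 2.104.10.in-addr.arpa."},
    # Auto-defined rules for VPC1, VPC2 and the private ranges (from the list above).
    *[{"domain": d, "kind": "autodefined", "target": AMAZON_DNS}
      for d in ("52.237.10.in-addr.arpa.", "53.237.10.in-addr.arpa.",
                "54.237.10.in-addr.arpa.", "55.237.10.in-addr.arpa.",
                "2.104.10.in-addr.arpa.", "10.in-addr.arpa.",
                "168.192.in-addr.arpa.", "254.169.254.169.in-addr.arpa.")],
    *[{"domain": f"{i}.172.in-addr.arpa.", "kind": "autodefined", "target": AMAZON_DNS}
      for i in range(16, 32)],
    # Assumed catch-all for everything no reverse rule covers (the "." Internet
    # Resolver rule); included so that every query returns a result.
    {"domain": ".", "kind": "autodefined", "target": "recursive (Internet) resolution"},
]


def labels(name: str) -> list[str]:
    """Split a DNS name into labels; the root '.' yields an empty list."""
    return [l for l in name.lower().strip(".").split(".") if l]


def rule_matches(rule_domain: str, qname: str) -> bool:
    """True if rule_domain is qname itself or one of its parent domains."""
    r, q = labels(rule_domain), labels(qname)
    return len(r) <= len(q) and q[len(q) - len(r):] == r


def select_rule(qname: str, rules=RULES) -> dict:
    """Most specific matching domain wins; equal domains fall back to KIND_PRIORITY."""
    candidates = [r for r in rules if rule_matches(r["domain"], qname)]
    return min(candidates, key=lambda r: (-len(labels(r["domain"])), KIND_PRIORITY[r["kind"]]))


def resolve_reverse(ip: str) -> tuple[str, str, str]:
    """Return (target, rule domain, rule kind) for a PTR query about `ip` sent from VPC1."""
    qname = ipaddress.ip_address(ip).reverse_pointer + "."
    rule = select_rule(qname)
    return rule["target"], rule["domain"], rule["kind"]


if __name__ == "__main__":
    for ip in ("10.237.53.25", "10.237.54.9", "10.104.2.200", "10.1.1.1", "192.168.1.4", "8.8.8.8"):
        target, domain, kind = resolve_reverse(ip)
        print(f"{ip:>14} -> {domain:<32} [{kind:<11}] -> {target}")
```

The four sample addresses inside 10.0.0.0/8 land on the four rows of the table above; 192.168.1.4 shows that the DNS server's own address is still answered by the auto-defined 168.192.in-addr.arpa. rule rather than forwarded, a point worth checking when the target server sits in a private range that an auto-defined rule covers.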

You can also disable default reverse DNS rules with Route 53 Resolver. For more information, see Forwarding rules for reverse DNS queries in Resolver.