How can I use and override reverse DNS rules with Route 53 Resolver?
Last updated: 2020-07-02
To use Resolver rules:
- You must enable the DNS resolution and DNS hostnames attributes of the virtual private cloud (VPC).
- DNS queries must be sent to the Amazon-provided DNS resolver of that VPC.
After "DNSHostname" is enabled, Resolver automatically creates auto-defined system rules that define how queries for selected domains are resolved by default. To override an auto-defined rule, create a forwarding rule (Resolver rule) for the domain name. Reverse DNS name resolution with Resolver depends on auto-defined rules, Resolver rules, and private hosted zone configurations.
The Amazon-provided DNS resolver evaluates the "most specific domain name" rule in the following priority order:
- Resolver rules – Rules that you configure manually for a domain name; Resolver forwards matching queries to the rule's target IP address.
- Rules for private hosted zones – For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the DNS resolver of the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with each VPC's DNS resolver.
- Auto-defined rules for reverse DNS – Resolver creates auto-defined rules for reverse DNS lookup and localhost-related domains when you set "enableDnsHostnames" for the associated VPC to "true."
Rules apply to the CIDR block ranges of a VPC and all connected VPCs with DNS support enabled. Resolver creates the most generic rules possible given the CIDR block range.
Example of how to override auto-defined rules
The resources in this example are as follows:
- DNS query source VPC1 with CIDR 10.237.52.0/22
- DNSHostname attribute = Enabled
- DNSSupport attribute = Enabled
- Connected VPC2 (connected through a transit gateway or VPC peering with DNS support enabled) with CIDR 10.104.2.0/24
- VPC DNS resolver = Amazon-provided DNS resolver
- Route 53 Resolver outbound endpoint with connectivity to 192.168.1.4/32 (DNS server located in another network)
The following auto-defined system rules were then created by Resolver:
| Rules for private IP addresses | Rules for VPC1 CIDR | Rules for VPC2 CIDR (peered VPC) |
|---|---|---|
| 10.in-addr.arpa. | 52.237.10.in-addr.arpa. | 2.104.10.in-addr.arpa. |
| 16.172.in-addr.arpa. through 31.172.in-addr.arpa. | | |
The DNS resolution requirements for the environment where queries are forwarded are:
| Priority number | CIDR for reverse DNS query | Destination DNS server |
|---|---|---|
| 1 | 10.237.53.0/24 | 192.168.1.4/32 (another network) |
| 2 | 10.237.52.0/22 except 10.237.53.0/24 | Amazon-provided DNS resolver |
| 3 | 10.104.2.0/24 | Private hosted zone |
| 4 | 10.0.0.0/8 except all of the above | 192.168.1.4/32 (another network) |
The following steps achieve the preceding configuration:
Note: The source performing the DNS query is VPC1 and all requests are sent to the Amazon-provided DNS IP address.
- Because the IP address range 10.237.53.0/24 is part of VPC1 CIDR 10.237.52.0/22, there are auto-defined system rules that apply to this IP address range. Create a Resolver rule for domain 53.237.10.in-addr.arpa. to override the auto-defined system rule for IP addresses in the 10.237.53.0/24 range. Set the target IP address to 192.168.1.4/32.
- For IP addresses in the 10.237.52.0/22 except 10.237.53.0/24 range, auto-defined system rules are available. The Amazon-provided DNS resolver resolves these DNS queries.
- For IP addresses in the 10.104.2.0/24 range, there's already an auto-defined most specific rule available for the VPC2 CIDR. However, because rules for private hosted zones have higher priority than auto-defined rules, a private hosted zone for the domain name 2.104.10.in-addr.arpa. must be created.
- Create a Resolver rule for domain name 10.in-addr.arpa. This rule sends reverse DNS queries for IP addresses in the 10.0.0.0/8 range (except IP addresses in the 10.237.52.0/22 and 10.104.2.0/24 ranges) to a DNS server in another network with an IP address of 192.168.1.4/32. The rule also overrides the auto-defined system rule.
The following rules now meet the requirements and are considered by the Resolver based on priority:
- Custom Resolver rules: 53.237.10.in-addr.arpa. and 10.in-addr.arpa.
- Rule created for private hosted zone: 2.104.10.in-addr.arpa.
Reverse DNS queries for IP addresses in the 10.0.0.0/8 range are resolved by applying the "most specific domain name" rule across the Resolver rules, the rule for the private hosted zone, and the auto-defined rules, in priority order, as follows:
| Priority number | IP address range for reverse DNS query | Destination DNS server |
|---|---|---|
| 1 | 10.237.53.0/24 | By 192.168.1.4/32 using the "most specific Resolver rule" |
| 2 | 10.237.52.0/22 except 10.237.53.0/24 | By the Amazon-provided DNS resolver using default rules ("most specific system rule") |
| 3 | 10.104.2.0/24 | By the Amazon-provided DNS resolver using the default rule created for the private hosted zone |
| 4 | 10.0.0.0/8 except all of the above | By 192.168.1.4/32 using the Resolver rule (there are no other more specific rules available; the Resolver rule with domain name 10.in-addr.arpa. has higher priority than the auto-defined rule for the same domain name) |
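The selection logic described above (longest matching in-addr.arpa domain first, then Resolver rule over private hosted zone over auto-defined rule on a tie) can be checked against the example's rule set with the following script. This is an added illustration, not AWS code: it models auto-defined reverse rules as one rule per /24 of each VPC CIDR (an assumption for this example) and uses the rules, CIDRs and targets from the walkthrough above.

```python
import ipaddress

AMAZON = "Amazon-provided DNS resolver"
OTHER_NETWORK = "192.168.1.4/32"
PHZ = "private hosted zone"

# Tie-break among rule types for the same domain name (lower number wins),
# in the order the article gives: Resolver rule, private hosted zone, auto-defined.
PRIORITY = {"resolver_rule": 0, "private_hosted_zone": 1, "auto_defined": 2}


def reverse_name(ip):
    """FQDN under in-addr.arpa for an IPv4 address, e.g. 5.53.237.10.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def labels(name):
    return [part for part in name.rstrip(".").split(".") if part]


def auto_defined_rules(cidr):
    """Model auto-defined reverse rules for a VPC CIDR as one rule per /24 (assumption)."""
    net = ipaddress.IPv4Network(cidr)
    rules = []
    for sub in net.subnets(new_prefix=24):
        octets = str(sub.network_address).split(".")[:3]
        rules.append((".".join(reversed(octets)) + ".in-addr.arpa.", "auto_defined", AMAZON))
    return rules


# Constructed rule set for the example: VPC1 10.237.52.0/22, VPC2 10.104.2.0/24.
RULES = (
    [("53.237.10.in-addr.arpa.", "resolver_rule", OTHER_NETWORK),
     ("10.in-addr.arpa.", "resolver_rule", OTHER_NETWORK),
     ("2.104.10.in-addr.arpa.", "private_hosted_zone", PHZ),
     ("10.in-addr.arpa.", "auto_defined", AMAZON)]
    + [(f"{i}.172.in-addr.arpa.", "auto_defined", AMAZON) for i in range(16, 32)]
    + auto_defined_rules("10.237.52.0/22")
    + auto_defined_rules("10.104.2.0/24")
)


def select_rule(ip, rules=RULES):
    """Most specific domain name wins; on a tie, the higher-priority rule type wins."""
    qname = labels(reverse_name(ip))
    candidates = [r for r in rules
                  if len(labels(r[0])) <= len(qname) and qname[-len(labels(r[0])):] == labels(r[0])]
    if not candidates:
        return None  # no rule matches: Resolver falls back to normal recursive resolution
    return max(candidates, key=lambda r: (len(labels(r[0])), -PRIORITY[r[1]]))


def destination_for(ip, rules=RULES):
    rule = select_rule(ip, rules)
    return rule[2] if rule else None
```

Running `destination_for` over one address from each row of the final table reproduces the destinations listed there.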