How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?

Last updated: 2019-10-11

Short Description

A VPC created with Amazon Virtual Private Cloud (Amazon VPC) receives automatic DNS resolution from the Route 53 Resolver. Amazon Elastic Compute Cloud (Amazon EC2) instances in a VPC can send DNS queries to the Resolver at the reserved IP address at the base of the VPC's IPv4 CIDR range plus two. If there's network connectivity between the remote network and the VPC (over AWS Direct Connect or a VPN connection), DNS resolvers on the remote network could forward DNS queries to the Resolver in the VPC. However, the Resolver doesn't accept DNS queries from IP addresses outside of the VPC network range. To allow this, create an inbound endpoint in your VPC. DNS queries received by an inbound endpoint are forwarded to the Resolver and are processed the same as queries originating from within the VPC itself.

Resolution

Complete the prerequisites

First, enable DNS hostnames and DNS resolution in the DNS support attributes for the VPC where you're creating an inbound endpoint.

Then, associate the applicable private hosted zone with the VPC where you want to create the inbound endpoint.

If the private hosted zone and the VPC are in the same account:

  1. Open the Route 53 console.
  2. In the navigation pane, choose Hosted Zones.
  3. Choose the private hosted zone that contains the records to be queried.
  4. In the search bar, search for your VPC and then choose Associate New VPC.

If the private hosted zone and the VPC are in different accounts, use the AWS Command Line Interface (AWS CLI) to perform the cross-account association.

Configure an inbound endpoint

  1. Open the Route 53 console.
  2. In the navigation pane, choose Inbound endpoints.
  3. On the navigation bar, choose the Region for the VPC where you want to create the inbound endpoint.
  4. Choose Create inbound endpoint.
  5. On the Create inbound endpoint page, complete the General settings for inbound endpoint section. Choose a Security group for this endpoint that allows inbound UDP and TCP traffic from the remote network on destination port 53.
  6. Complete the IP addresses section. You can let Resolver choose IP addresses for you from the available IP addresses in the subnet, or specify IP addresses yourself. Choose between two (minimum) and six (maximum) IP addresses for DNS queries. It's a best practice to choose IP addresses in at least two different Availability Zones. For Subnet, choose subnets that have corresponding:
    • Route tables that include routes to the IP addresses of the DNS resolvers on your remote network using AWS Direct Connect or a VPN connection.
    • Network access control lists (ACLs) that allow both UDP and TCP traffic from the remote network on destination port 53 and to the remote network on the destination port range of 1024-65535. Note that depending on your client type, you might use a different range for your network ACLs.
  7. (Optional) Complete the Tags section.
  8. Choose Submit.
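
The security group and network ACL requirements in steps 5 and 6 can be checked against the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` return. The following Python is an added example, not part of this article: the remote CIDR, rule numbers and sample rules are constructed, and the checks probe one representative remote address rather than every address in the CIDR.

```python
import ipaddress

REMOTE_CIDR = "10.200.0.0/16"   # constructed: on-premises network hosting the forwarding resolvers
PROTO = {"6": "tcp", "17": "udp", "-1": "all"}   # NACL entries use IANA protocol numbers

def sg_allows_dns(sg, addr):
    """Security group check (step 5): ingress UDP/53 and TCP/53 from addr."""
    a, need = ipaddress.ip_address(addr), {"udp", "tcp"}
    for rule in sg["IpPermissions"]:
        proto = rule["IpProtocol"]
        if proto != "-1" and not rule.get("FromPort", 0) <= 53 <= rule.get("ToPort", -1): continue
        if any(a in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            need -= {"udp", "tcp"} if proto == "-1" else {proto}
    return not need

def nacl_decision(nacl, egress, proto, port, addr):
    """First-match NACL evaluation (lowest rule number wins), as the VPC applies it."""
    a = ipaddress.ip_address(addr)
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        p = PROTO.get(e["Protocol"], e["Protocol"])
        if e["Egress"] != egress or p not in ("all", proto): continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]: continue
        if a in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"]
    return "deny"   # the implicit final deny (shown as rule 32767 in the console)

def nacl_allows_dns(nacl, addr, ephemeral=(1024, 65535)):
    """NACL check (step 6): inbound port 53 from addr, return traffic to addr's ephemeral ports.
    Only the ends of the ephemeral range are probed; a deny in the middle needs a full sweep."""
    for proto in ("udp", "tcp"):
        if nacl_decision(nacl, False, proto, 53, addr) != "allow": return False
        if any(nacl_decision(nacl, True, proto, p, addr) != "allow" for p in ephemeral): return False
    return True

def ent(num, egress, proto, action, cidr, lo=None, hi=None):   # builds one constructed NACL entry
    e = {"RuleNumber": num, "Egress": egress, "Protocol": proto, "RuleAction": action, "CidrBlock": cidr}
    return e if lo is None else {**e, "PortRange": {"From": lo, "To": hi}}

# Constructed samples in the JSON shape of describe-security-groups / describe-network-acls.
SAMPLE_SG = {"IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": REMOTE_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": REMOTE_CIDR}]}]}
SAMPLE_NACL = {"Entries": [ent(100, False, "17", "allow", REMOTE_CIDR, 53, 53),
                           ent(110, False, "6", "allow", REMOTE_CIDR, 53, 53),
                           ent(100, True, "-1", "allow", "0.0.0.0/0")]}

if __name__ == "__main__":
    remote = str(ipaddress.ip_network(REMOTE_CIDR)[1])   # representative remote resolver address
    print("security group ok:", sg_allows_dns(SAMPLE_SG, remote), "network ACL ok:", nacl_allows_dns(SAMPLE_NACL, remote))
```

To check a real VPC, load the output of the two describe commands with `json.load` and pass the matching security group and network ACL objects in place of the samples.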

Test your configuration

Before testing, confirm that you've configured:

  • The DNS server on the remote network to conditionally forward DNS queries for the private hosted zone’s domain name to the IP addresses of the inbound endpoint.
  • The remote DNS server to forward DNS queries for the domain name instead of delegating authority of the domain name to the inbound endpoint.
    Note: Inbound endpoints support only recursive DNS queries. Iterative DNS queries sent to the inbound endpoint time out.

Then, perform DNS resolution for one of the records in the private hosted zone from a client on the remote network using the following commands:

  • For Linux or macOS: dig <record name> <record type>
  • For Windows: nslookup <record name> <record type>