How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?
Last updated: 2020-09-15
How do I configure an Amazon Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from Amazon Elastic Compute Cloud (Amazon EC2) instances in my Amazon Virtual Private Cloud (Amazon VPC)?
A VPC created with Amazon VPC receives automatic DNS resolution from the Route 53 Resolver. EC2 instances in a VPC can send DNS queries to the Resolver using the reserved IP address at the base of the VPC IPv4 CIDR range plus two (for example, 10.0.0.2 in a VPC with the CIDR 10.0.0.0/16). You can configure the Resolver to forward DNS queries for specific domain names from Amazon EC2 instances in your VPCs to DNS resolvers on your remote network.
To forward DNS queries, create each of the following:
- An outbound endpoint to send DNS queries to the remote network.
- A Resolver rule to specify the domain name of the DNS queries that the Resolver forwards to the remote DNS servers.
Complete the prerequisites
- Enable DNS Resolution in the DNS support attributes for the VPC where you're creating an outbound endpoint.
- If you're using a custom DNS server in the VPC: Confirm that it's configured to conditionally forward DNS queries for the applicable domain name to the Resolver using the reserved IP address at the base of the VPC IPv4 network range plus two.
- If you're not using a custom DNS server in the VPC: Confirm that the Domain name servers in the DHCP options set is set to AmazonProvidedDNS or the reserved IP address at the base of the VPC IPv4 network range plus two.
Configure an outbound endpoint
- Open the Route 53 console.
- In the navigation pane, choose Outbound endpoints.
- On the navigation bar, choose the Region for the VPC where you want to create the outbound endpoint.
- Choose Create outbound endpoint.
- On the Create outbound endpoint page, complete the General settings for outbound endpoint section. Choose a Security group that allows outbound TCP and UDP connectivity to the IP addresses and the ports that the resolvers use for DNS queries on your remote network.
- Complete the IP addresses section. You can let the Resolver choose IP addresses for you from the available IP addresses in the subnet, or specify IP addresses yourself. Choose between two (minimum) and six (maximum) IP addresses for DNS queries. It's a best practice to choose IP addresses in at least two different Availability Zones. For Subnet, choose subnets that have corresponding:
- Route tables that include routes to the IP addresses of the DNS resolvers on your remote network using AWS Direct Connect, a VPN connection, or a network address translation (NAT) gateway.
- Network access control lists (ACLs) that allow both UDP and TCP traffic to the IP addresses and the ports that the resolvers use for DNS queries on your remote network, and that allow the return traffic from those resolvers to the endpoint's ephemeral ports (destination port range 1024-65535).
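The prerequisites and endpoint requirements above (Resolver address at CIDR base plus two, DHCP name servers, 2 to 6 endpoint addresses across at least two Availability Zones, security group egress to the remote resolvers, and network ACL rules in both directions) can be checked before the endpoint is created. The following is an added example, not code from the AWS article; it evaluates constructed sample settings and reports every requirement that is not met. The rule tuples, the `check_outbound_endpoint` function and the sample IP ranges are this example's own assumptions, and network ACL rules are treated as a simple allow list (real network ACLs are evaluated in rule-number order).

```python
import ipaddress

# Constructed sample inputs (not from the AWS article): a VPC, its DHCP option,
# a proposed outbound endpoint and the remote resolvers it will forward to.
VPC_CIDR = "10.0.0.0/16"
ENABLE_DNS_SUPPORT = True
DHCP_DOMAIN_NAME_SERVERS = ["AmazonProvidedDNS"]
REMOTE_RESOLVERS = [("192.168.10.53", 53), ("192.168.11.53", 53)]
ENDPOINT_IPS = [  # (endpoint IP address, Availability Zone of its subnet)
    ("10.0.1.10", "us-east-1a"),
    ("10.0.2.10", "us-east-1b"),
]
# Security group egress rules: (protocol, from_port, to_port, destination CIDR)
SG_EGRESS = [
    ("udp", 53, 53, "192.168.0.0/16"),
    ("tcp", 53, 53, "192.168.0.0/16"),
]
# Network ACL rules: (direction, protocol, from_port, to_port, CIDR, action).
# The TCP return-traffic rule is deliberately missing so the check reports it.
NACL_RULES = [
    ("egress", "udp", 53, 53, "192.168.0.0/16", "allow"),
    ("egress", "tcp", 53, 53, "192.168.0.0/16", "allow"),
    ("ingress", "udp", 1024, 65535, "192.168.0.0/16", "allow"),
]


def resolver_address(vpc_cidr):
    """Reserved Resolver address: base of the VPC IPv4 range plus two."""
    net = ipaddress.ip_network(vpc_cidr)
    return str(net.network_address + 2)


def _covers(r_proto, lo, hi, cidr, proto, port, ip):
    """True when a (protocol, port range, CIDR) rule covers one protocol/port/IP."""
    return (r_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))


def check_outbound_endpoint(vpc_cidr, dns_support, dhcp_servers, endpoint_ips,
                            sg_egress, nacl_rules, remote_resolvers):
    """Return a list of findings; an empty list means every requirement holds."""
    findings = []
    if not dns_support:
        findings.append("VPC DNS support (DNS Resolution) is disabled")
    allowed_servers = {"AmazonProvidedDNS", resolver_address(vpc_cidr)}
    if not set(dhcp_servers) <= allowed_servers:
        findings.append("DHCP domain name servers %s are not AmazonProvidedDNS or %s"
                        % (dhcp_servers, resolver_address(vpc_cidr)))
    if not 2 <= len(endpoint_ips) <= 6:
        findings.append("outbound endpoint needs 2 to 6 IP addresses, got %d"
                        % len(endpoint_ips))
    if len({az for _, az in endpoint_ips}) < 2:
        findings.append("endpoint IP addresses should span at least two Availability Zones")
    nacl_allow = [r for r in nacl_rules if r[5] == "allow"]
    for r_ip, r_port in remote_resolvers:
        for proto in ("udp", "tcp"):
            if not any(_covers(*r, proto, r_port, r_ip) for r in sg_egress):
                findings.append("security group lacks %s egress to %s:%d" % (proto, r_ip, r_port))
            if not any(_covers(*r[1:5], proto, r_port, r_ip)
                       for r in nacl_allow if r[0] == "egress"):
                findings.append("network ACL lacks %s egress to %s:%d" % (proto, r_ip, r_port))
            # Answers come back from the resolver to an ephemeral port on the
            # endpoint ENI, so one ingress rule must cover all of 1024-65535.
            if not any(r[1] == proto and r[2] <= 1024 and r[3] >= 65535
                       and ipaddress.ip_address(r_ip) in ipaddress.ip_network(r[4])
                       for r in nacl_allow if r[0] == "ingress"):
                findings.append("network ACL lacks %s ingress 1024-65535 from %s" % (proto, r_ip))
    return findings


if __name__ == "__main__":
    print("Resolver address:", resolver_address(VPC_CIDR))
    for finding in check_outbound_endpoint(VPC_CIDR, ENABLE_DNS_SUPPORT, DHCP_DOMAIN_NAME_SERVERS,
                                           ENDPOINT_IPS, SG_EGRESS, NACL_RULES, REMOTE_RESOLVERS):
        print("FINDING:", finding)
```

With the sample input the only findings are the two missing TCP return-traffic rules, one per remote resolver; adding an ingress TCP 1024-65535 allow rule for the resolver range clears them.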
Configure a Resolver rule
To create a new rule:
- Open the Route 53 console.
- Choose Rules from the Route 53 navigation pane.
- On the navigation bar, choose the Region where the newly created outbound endpoint exists.
- Choose Create rule.
- On the Create rule page, complete the Rule for outbound traffic sections. For Rule type, configure a Forward rule and associate it with the VPC whose DNS queries you want forwarded to your remote network. For Outbound endpoint, choose the outbound endpoint that you just created.
Note: The VPC that you associate this rule to doesn't need to be the same VPC where you created the outbound endpoint.
- Complete the IP addresses section. For IP address, specify the IP addresses of the DNS resolvers on your remote network. For Port, specify the ports that these resolvers use for DNS queries.
Note: Resolver forwards any DNS query that matches this rule and originates from a VPC associated to this rule to the referenced outbound endpoint. As a result, these queries are forwarded to the target IP addresses you specify here.
- (Optional) Complete the Tags section.
- Choose Submit.
To use an existing rule:
- Do you already have a rule for the same domain in the same Region as the VPC in your account? Then associate that rule to your VPC instead of creating a new rule. Select the rule from the rule dashboard and associate it to the applicable VPCs in the Region.
- Do you already have a rule for the same domain in the same Region as your VPC but in a different account? Then use AWS Resource Access Manager (AWS RAM) to share the rule from the remote account to your account. When you share a rule, you also share the corresponding outbound endpoint. After the rule is shared with your account, select the rule from the rule dashboard and associate it to the VPCs in your account.
Note: Network connectivity isn't required to forward DNS queries from a VPC associated to a Resolver rule to the VPC where the outbound endpoint is located. This is true whether or not the VPCs are in the same account.
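To see how the notes above play out (a rule applies only to VPCs associated with it, the associated VPC need not be the endpoint's VPC, and a shared rule behaves like a local one), the following added example simulates how Resolver picks a rule for a query. It is not code from the AWS article; it assumes the documented Resolver behaviour that the rule with the most specific matching domain name wins and that a System rule makes Resolver answer the query itself instead of forwarding it. The `ResolverRule` class, `route_query` function, VPC IDs, endpoint ID and domain names are this example's own constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class ResolverRule:
    name: str
    domain: str                      # domain the rule applies to, e.g. "corp.example"
    rule_type: str                   # "FORWARD" or "SYSTEM"
    target_ips: list = field(default_factory=list)   # [(ip, port)] for FORWARD rules
    outbound_endpoint: str = None    # endpoint the forwarded queries leave through
    associated_vpcs: set = field(default_factory=set)


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def domain_matches(rule_domain, query_name):
    """Label-wise suffix match: 'corp.example' matches 'db.corp.example',
    but not 'notcorp.example'."""
    rd, qn = _labels(rule_domain), _labels(query_name)
    return len(qn) >= len(rd) and qn[-len(rd):] == rd


def route_query(rules, vpc_id, query_name):
    """Decide what Resolver does with a query from vpc_id.

    Returns ("forward", endpoint_id, [(ip, port), ...]) when a Forward rule
    wins, ("system", None, []) when a System rule wins, and
    ("default", None, []) when no associated rule matches.
    """
    candidates = [r for r in rules
                  if vpc_id in r.associated_vpcs and domain_matches(r.domain, query_name)]
    if not candidates:
        return ("default", None, [])
    # Most specific domain (most labels) wins.
    best = max(candidates, key=lambda r: len(_labels(r.domain)))
    if best.rule_type == "SYSTEM":
        return ("system", None, [])
    return ("forward", best.outbound_endpoint, list(best.target_ips))


# Constructed sample rules. The outbound endpoint lives in vpc-a; vpc-b is a
# different VPC (it could be in another account, with the rule shared via AWS RAM)
# and only needs the rule association, not network connectivity to vpc-a.
RULES = [
    ResolverRule("corp-forward", "corp.example", "FORWARD",
                 target_ips=[("192.168.10.53", 53), ("192.168.11.53", 53)],
                 outbound_endpoint="rslvr-out-example",
                 associated_vpcs={"vpc-a", "vpc-b"}),
    # More specific System rule: keep this subdomain on the Amazon-provided resolver.
    ResolverRule("aws-subdomain-system", "aws.corp.example", "SYSTEM",
                 associated_vpcs={"vpc-a"}),
]

if __name__ == "__main__":
    for vpc, name in [("vpc-a", "db.corp.example"), ("vpc-a", "x.aws.corp.example"),
                      ("vpc-b", "x.aws.corp.example"), ("vpc-c", "db.corp.example")]:
        print(vpc, name, "->", route_query(RULES, vpc, name))
```

The same query name can take different paths from different VPCs: the System rule is associated with vpc-a only, so x.aws.corp.example is answered locally from vpc-a but forwarded from vpc-b, and vpc-c, which has no association, gets ordinary Resolver handling.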
Test your configuration
Perform a DNS resolution from one of the Amazon EC2 instances in your VPC:
- For Linux or macOS: dig <record name> <record type>
- For Windows: nslookup -type=<record type> <record name>