How do I resolve resource records in my private hosted zone using Client VPN?
Last updated: 2020-04-27
I'm creating an AWS Client VPN endpoint. I need to allow end users (clients connected to Client VPN) to query resource records hosted in my Amazon Route 53 private hosted zone. How can I do this?
To allow end users to query records in a private hosted zone using Client VPN:
- Confirm that you've enabled "DNS resolution" and "DNS hostnames" in your Amazon Virtual Private Cloud (Amazon VPC). These settings must be enabled to access private hosted zones. For more information, see Viewing and updating DNS support for your VPC.
- Create a Client VPN endpoint, if you haven't already. Be sure to configure the "DNS Server IP address" parameter with the DNS server IP address that can be reached by the end users for the DNS resolution queries. Or, you can modify an existing Client VPN endpoint to update the DNS server settings.
Depending on your server configuration and the values that you specify for the "DNS Server IP address" parameter, the resolution of the private hosted zone domain varies:
- With the Amazon DNS server (VPC IPv4 network range plus two) – End users can resolve the resource records of the private hosted zone associated with the VPC.
- With a custom DNS server located in the same VPC as the Client VPN endpoint's associated VPC – You can configure the custom DNS server to serve DNS queries as required. To resolve the resource records, configure the custom DNS server as a forwarder to forward DNS queries for the private hosted domain to the default VPC DNS resolver. To use the custom DNS server for all resources in the VPC, be sure to configure the DHCP options accordingly.
Note: The custom DNS server might also reside in a peered VPC. In that case, the custom DNS server configuration is the same as the above. Be sure to associate your private hosted zone to both of the VPCs.
- With a custom DNS server located on-premises, and the "DNS Server IP address" parameter in the Client VPN disabled/blank – The DNS queries for the private hosted zone domain are forwarded to the Route 53 inbound resolver. You must create conditional forwarding rules in the on-premises custom DNS server to forward queries to the IP address of the Route 53 inbound resolver in the VPC over AWS Direct Connect or AWS Site-to-Site VPN.
Note: If the client device doesn't have a route to the local DNS server when the Client VPN connection is established, then the DNS queries fail. In this case, you must manually add a preferred static route to the custom on-premises DNS server on the client device’s route table.
- With the "DNS Server IP address" parameter disabled – The client device uses the local DNS resolver to resolve DNS queries. If your local resolver is set to a public DNS resolver, then you can't resolve records in private hosted zones.
Note: The following pertains to each of the four types of DNS server configurations:
- If full-tunnel mode is enabled, then a route for all traffic through the VPN tunnel is added to the client device's route table. End users can connect to the internet if the authorization rules and respective routes are added to the Client VPN endpoint's associated subnet route table.
- If split-tunnel mode is enabled, then the routes in the Client VPN endpoint's route table are added to the client device's route table.