How can I resolve Route 53 private hosted zones from an on-premises network via an Ubuntu instance?

Apr 01, 2017

Issue

How can I resolve Amazon Route 53 private hosted zones from an on-premises network via an Ubuntu instance?

You can resolve domain names in private hosted zones from your on-premises network by configuring a DNS forwarder. The following instructions assume that your on-premises network is configured with a VPN or AWS Direct Connect to an AWS VPC, and a Route 53 private hosted zone is associated with that VPC.

Configure a DNS forwarder by completing the following steps:

1. Ensure that DNS resolution and DNS hostnames are enabled on the target VPC.
Note: DNS hostnames are enabled for default VPCs and VPCs that you create using the VPC wizard in the Amazon VPC console.

2. Install BIND DNS server on your instance by using the following command:

      sudo apt-get install bind9 bind9utils bind9-doc

3. Configure the BIND server in a forward-only configuration by modifying the named.conf.options file. By default, BIND configuration files are kept at /etc/bind.

a. Create an access control list (ACL) for the BIND server, replacing the IP address in the following example with a list of IP addresses you trust:

    acl "trusted" {

              172.16.0.0/16

              localhost;

              localnets;

  };

b. Configure BIND to forward all DNS requests to the Amazon VPC name server. The VPC name server is always the second available address in the VPC. For example, if the VPC CIDR is 10.10.0.0/16, then the VPC name server has the IP address of 10.10.0.2, as in the following example:

options {

                directory "/var/cache/bind";

                recursion yes;

                allow-query { trusted; };

                 forwarders {

                            10.10.0.2;

                };



                forward only;

                dnssec-enable no;

                dnssec-validation no;

                dnssec-lookaside auto;

                auth-nxdomain no;

                listen-on-v6 { any; };

};

Note: In the above example, DNSSEC is disabled, because Route 53 does not support DNSSEC at this time.

4. Test the syntax and restart the service by using the following commands:

    sudo named-checkconf 

    sudo service bind9 restart

Note: Ensure you have port 53 TCP/UDP open to the on-premises network in your DNS server’s security group.
Configure your clients to use the BIND DNS server to resolve DNS. For instructions, check the documentation for your client’s operating system.

Keywords

private hosted zone, name resolution, BIND, DNS forwarder

Related Information

Using DNS with Your VPC
Creating a Private Hosted Zone

GrokTechie

Discussion about this post