Resolving Private DNS Queries using AWS VPC Resolver

10 / Nov / 2016 by Amit Naudiyal 0 comments

AWS offers Route53, as a part of Amazon’s cloud computing platform, Amazon Web Services (AWS). It is a highly scalable web service that can be used as internal DNS hostings. With Route53 you can host multiple internal domain names within your VPC (or group of VPCs) which are visible and accessible to the internal hosts only and blocked for external traffic. This gives us a feasibility of calling our internal resources, ie. Application servers, Database servers, Load balancers with a friendly name according to our choice.

route53_and_unbound

The resolver for a VPC always sits at +2 address. That means if the VPC is 172.16.0.0/16, the DNS resolver will be at 172.16.0.2. That also means that any machine on any subnet within this VPC will be able to talk to this resolver for internal (private zones) as well as external (internet) dns queries.

aws_with_resolver

There are a few use cases for using the VPC DNS from outside of the VPC, particularly when connecting things into a VPC using a VPN. Here is when things get a little tricky, as the VPC Resolver is set up in a way that it won’t answer queries from outside its own network.

dc_noconnection-toREsolver

Here is when forwarder comes into picture. You could place a forwarder in the VPC in such a way that outside network (on VPN) uses this forwarder for DNS resolutions and connect to the VPC Resolver for all internal DNS queries.

dns_with_unbound

There are many ways to configure the forwarder. Here in this blog, we will see how Unbound can be used to serve our purpose. Unbound is a recursive caching DNS server which will be used as a forwarder to forward all the queries for a specified domain to the VPC resolver.

Once Unbound is installed, following configurations will be used in unbound.conf.

unbound_installation2

interface: The interface on which unbound will run and what clients will use as their primary nameserver.
access-control: IP or subnets which are allowed to make a request for query forwarding.
forward-zone name: The domain queries that needs to be forwarded. ‘ * ’ can be used to forward all domain queries.
forward-zone addr: VPC resolver address for the VPC.

You also need to ensure that the VPN clients are using the new forwarder as their primary nameserver. This way you can utilize VPC resolver to resolve internal DNS queries on any host within the VPC as well as on any host in extended data center. Similarly, you can utilize Unbound to forward all requests originating from AWS to the extended data center.

FOUND THIS USEFUL? SHARE IT

Leave a comment -