Exam Cram Sheet

AWS ANS-C01 Exam Cram: Route 53, Hybrid, and Private DNS

Design DNS solutions that meet public, private, and hybrid requirements

AWS Certified Advanced Networking - Specialty (ANS-C01)

Topic: DNS for Public, Private, and Hybrid Requirements

[!IMPORTANT] This cram sheet focuses on Domain 1.2: Designing DNS solutions. Mastery of Route 53 Resolver endpoints and Private Hosted Zone (PHZ) behavior is critical for the specialty exam.

Topic Weighting

  • Exam Domain: Domain 1: Network Design
  • Approximate Weighting: 12% - 15% of the total exam.
  • Complexity: High (Hybrid DNS logic is a frequent source of tricky scenario questions).

Key Concepts Summary

1. Hosted Zones

  • Public Hosted Zone: Contains records for internet-facing domains. Automatically creates NS and SOA records.
  • Private Hosted Zone (PHZ): Holds records for non-internet internal resources. Requires enableDnsHostnames and enableDnsSupport set to true in the VPC.
  • VPC Association: A PHZ must be associated with specific VPC IDs to be resolvable within those VPCs.

2. Route 53 Resolver Endpoints

  • Inbound Endpoints: ENIs in your VPC that accept queries from on-prem DNS servers and answer them from Route 53 (On-prem → AWS).
  • Outbound Endpoints: ENIs in your VPC from which Route 53 Resolver forwards queries for specific domains to on-prem DNS servers (AWS → On-prem).
  • Forwarding Rules: Attached to Outbound Endpoints to define which domain queries (e.g., corp.internal) go to which on-prem IP addresses. A rule only takes effect for a VPC once it is associated with that VPC.

3. DNSSEC

  • DNSSEC signing provides data origin authentication and data integrity for the records in a hosted zone. Route 53 signs public hosted zones only; private hosted zones cannot be DNSSEC-signed. DNSSEC validation is a separate, per-VPC Route 53 Resolver setting that validates the answers to outbound (recursive) queries.

Visual Anchors

Hybrid DNS Resolution Flow


DNS Query Path Diagram

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, fill=blue!10}]
  \node (client) {Client \\ (VPC)};
  \node (resolver) [right of=client, xshift=2cm] {R53 Resolver \\ (VPC+2 / 169.254.169.253)};
  \node (phz) [above right of=resolver, xshift=2cm] {Private \\ Hosted Zone};
  \node (public) [below right of=resolver, xshift=2cm] {Public \\ Internet};
  \node (rules) [right of=resolver, xshift=3cm] {Forwarding \\ Rules};

  \draw[->, thick] (client) -- (resolver) node[midway, above] {Query};
  \draw[->] (resolver) -- (phz) node[midway, sloped, above] {1. Match PHZ};
  \draw[->] (resolver) -- (rules) node[midway, above] {2. Match Rules};
  \draw[->] (resolver) -- (public) node[midway, sloped, below] {3. Recursive};
\end{tikzpicture}

Common Pitfalls

  • Security Groups: The Inbound Endpoint's security group must allow UDP and TCP port 53 inbound from the on-prem DNS server CIDR; the Outbound Endpoint's security group must allow UDP and TCP port 53 outbound to the on-prem target IPs.
  • The ".2" Address: Route 53 Resolver listens at the VPC network address + 2 (also 169.254.169.253), but only for clients inside the VPC. On-prem servers cannot reach that address; their conditional forwarders must point at the Inbound Endpoint ENI IPs.
  • Circular Dependencies: A rule that forwards a domain to an on-prem server which in turn forwards the same domain back to the Inbound Endpoint loops until the queries time out.
  • Overlap: When a PHZ and a Forwarding Rule overlap (e.g., test.example.com in a PHZ and example.com in a rule), the most specific domain match wins, whichever type it is. Here the PHZ wins because its name is longer, not because PHZs take priority over rules.

Mnemonics / Memory Triggers

  • I.O. (In-Out):
    • Inbound = Into AWS (from On-prem).
    • Outbound = Out of AWS (to On-prem).
  • PHZ Requirements: Think "S.H." → Support (enableDnsSupport) and Hostnames (enableDnsHostnames).

Formula / Equation Sheet

  • Resolver IP: VPC network address + 2 (also reachable as 169.254.169.253), only from inside the VPC.
  • Alias Records: Point to AWS resources (ELB, CloudFront, S3 website endpoint, another record in the same zone). No charge for alias queries to AWS resources. Allowed at the zone apex.
  • CNAME: Cannot be created at the zone apex (e.g., example.com).
  • Forwarding Rules: Can be shared across accounts via AWS Resource Access Manager (RAM).
  • Endpoint IP Limit: Minimum of 2 and maximum of 6 IP addresses per endpoint; spread them across AZs for high availability.

Practice Set

  1. Scenario: You need on-prem servers to resolve names in an AWS PHZ. Which Route 53 component is required?
    • Answer: Inbound Resolver Endpoint.
  2. Scenario: An EC2 instance cannot resolve internal.corp.com which is hosted on-prem. You have an Outbound Endpoint. What is likely missing?
    • Answer: A Forwarding Rule for corp.com associated with the VPC and the Outbound Endpoint.
  3. Scenario: A developer wants to point example.com (root) to an ALB. Should they use CNAME or Alias?
    • Answer: Alias. CNAMEs cannot exist at the apex.
  4. Scenario: You are using AWS RAM to share DNS rules. Does the consumer account need its own endpoints?
    • Answer: No, they use the endpoints in the owner account via the shared rule.
  5. Scenario: You have a PHZ for dev.local. You also have an Outbound Rule for local. An instance queries app.dev.local. Where does the query go?
    • Answer: The Private Hosted Zone (Specific match priority).
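The overlap pitfall above and practice question 5 both come down to one rule: the longest matching domain wins, whether it belongs to a PHZ or a forwarding rule, and a name nobody covers goes out recursively. The following is an added example, not code from the cram sheet, that models that selection so you can test scenarios offline. It assumes matching happens at label boundaries (so a rule for local does not match app.dev.local only because of the substring "cal"), and it assumes that on an exact-name tie between a rule and a PHZ the rule is consulted first, a case the cram sheet does not cover and which you should confirm against current AWS documentation.

```python
"""Added example (not from the cram sheet): models how Route 53 Resolver chooses
between Private Hosted Zones and forwarding rules for a query name."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    kind: str    # "PHZ" or "RULE"
    domain: str  # hosted zone name or rule domain, e.g. "dev.local"


def _labels(name: str) -> list[str]:
    # DNS is case-insensitive and "app.dev.local." is the same name as "app.dev.local".
    return name.rstrip(".").lower().split(".")


def matches(candidate_domain: str, qname: str) -> bool:
    """True when candidate_domain equals qname or is an ancestor at a label boundary.
    "local" matches "app.dev.local"; "cal" does not (no substring matching)."""
    c, q = _labels(candidate_domain), _labels(qname)
    return len(c) <= len(q) and q[-len(c):] == c


def resolve_path(qname: str, phzs: list[str], rules: list[str]) -> str:
    """Return "PHZ:<zone>", "RULE:<domain>" or "RECURSIVE" for a query sent by an
    instance whose VPC is associated with the given PHZs and forwarding rules."""
    candidates = [Candidate("PHZ", z) for z in phzs] + [Candidate("RULE", r) for r in rules]
    hits = [c for c in candidates if matches(c.domain, qname)]
    if not hits:
        return "RECURSIVE"  # no PHZ or rule covers the name: Resolver recurses to public DNS
    # Longest (most specific) domain match wins, regardless of whether it is a PHZ or a rule.
    best_len = max(len(_labels(c.domain)) for c in hits)
    best = [c for c in hits if len(_labels(c.domain)) == best_len]
    # ASSUMPTION: on an exact-name tie between a rule and a PHZ this example consults the
    # rule first; the cram sheet does not cover that case, so confirm it against the
    # current AWS documentation before relying on it.
    best.sort(key=lambda c: 0 if c.kind == "RULE" else 1)
    return f"{best[0].kind}:{best[0].domain.rstrip('.').lower()}"


if __name__ == "__main__":
    # Constructed scenarios mirroring the cram sheet's pitfall and practice question 5.
    phzs, rules = ["dev.local", "test.example.com"], ["local", "example.com"]
    for q in ("app.dev.local", "db.corp.local", "test.example.com", "www.example.org"):
        print(f"{q:20} -> {resolve_path(q, phzs, rules)}")
```

Feed it your own zone and rule names to check an overlap before you build it; the function is the same longest-suffix comparison for any number of zones and rules, so it covers more than the single two-name case in the pitfall.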

Fact Recall Blanks

  • To enable Private Hosted Zones, the VPC attributes ________ and ________ must be set to true. (Answer: enableDnsSupport, enableDnsHostnames)
  • DNS queries use both ____ and ____ protocols on port ____. (Answer: UDP, TCP, 53)
  • The service used to share Route 53 Resolver Rules across AWS Accounts is ________. (Answer: AWS RAM)
  • Route 53 Resolver endpoints are elastic network interfaces (ENIs) that reside in ________. (Answer: Subnets/VPCs)

Worked Examples

Example 1: Configuring Hybrid DNS (AWS to On-Prem)

Goal: Enable instances in VPC A (10.0.0.0/16) to resolve myserver.datacenter.internal (On-prem IP: 172.16.1.10).

  1. Create Outbound Endpoint: Select VPC A. Choose at least two subnets in different AZs. Assign a Security Group allowing outbound 53 to the on-prem DNS IP.
  2. Create Forwarding Rule:
    • Name: ToOnPrem
    • Rule Type: Forward
    • Domain Name: datacenter.internal
    • Target IPs: Point to the on-premises DNS server IPs (e.g., 172.16.1.100, 172.16.1.101). These must be routable from the endpoint subnets over the VPN or Direct Connect path, and the on-prem firewall must accept port 53 from the Outbound Endpoint ENI IPs.
  3. Associate Rule: Associate the rule with VPC A.
  4. Verification: From an EC2 instance, run dig myserver.datacenter.internal. The query hits the R53 Resolver, matches the rule, exits the Outbound ENI, and travels via VPN/Direct Connect to on-prem.
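The four steps above map onto three Route 53 Resolver API calls. The block below is an added example, not the cram sheet's own code, that drives them with boto3's route53resolver client (create_resolver_endpoint, create_resolver_rule, associate_resolver_rule) and enforces the placement constraint first: between 2 and 6 IP addresses, in subnets of at least two Availability Zones. The client is passed in so the sequence can be exercised with a test double; the VPC, subnet, security group and IP values, the "ToOnPrem" name and the subnet dictionary shape are assumed placeholders.

```python
"""Added example (not the cram sheet's own code): the Route 53 Resolver API sequence
behind Example 1, with the client injected so it runs without AWS credentials."""
from __future__ import annotations

import uuid


def validate_endpoint_subnets(subnets: list[dict]) -> None:
    """A Resolver endpoint needs 2 to 6 IP addresses, spread over at least two AZs.
    Each entry is an assumed {"subnet_id": ..., "az": ...} dict built by the caller."""
    if not 2 <= len(subnets) <= 6:
        raise ValueError("endpoint needs between 2 and 6 IP addresses")
    if len({s["az"] for s in subnets}) < 2:
        raise ValueError("spread endpoint IPs across at least two Availability Zones")


def configure_outbound_forwarding(resolver, vpc_id: str, sg_id: str, subnets: list[dict],
                                  domain: str, target_ips: list[str], name: str = "ToOnPrem") -> dict:
    """Outbound endpoint -> forwarding rule -> VPC association.
    `resolver` is a boto3 'route53resolver' client (or a double with the same methods)."""
    validate_endpoint_subnets(subnets)
    endpoint = resolver.create_resolver_endpoint(
        CreatorRequestId=str(uuid.uuid4()),  # idempotency token required by the API
        Name=f"{name}-outbound",
        SecurityGroupIds=[sg_id],            # must allow egress UDP/TCP 53 to target_ips
        Direction="OUTBOUND",
        IpAddresses=[{"SubnetId": s["subnet_id"]} for s in subnets],  # one ENI per subnet
    )["ResolverEndpoint"]
    rule = resolver.create_resolver_rule(
        CreatorRequestId=str(uuid.uuid4()),
        Name=name,
        RuleType="FORWARD",
        DomainName=domain,                   # e.g. datacenter.internal
        TargetIps=[{"Ip": ip, "Port": 53} for ip in target_ips],
        ResolverEndpointId=endpoint["Id"],   # queries leave through this endpoint's ENIs
    )["ResolverRule"]
    # Step 3: a rule does nothing until it is associated with the VPC whose queries it should catch.
    association = resolver.associate_resolver_rule(
        ResolverRuleId=rule["Id"], Name=f"{name}-{vpc_id}", VPCId=vpc_id
    )["ResolverRuleAssociation"]
    return {"endpoint_id": endpoint["Id"], "rule_id": rule["Id"], "association_id": association["Id"]}


if __name__ == "__main__":
    import boto3  # real run: needs credentials for the account that owns VPC A

    client = boto3.client("route53resolver", region_name="us-east-1")
    print(configure_outbound_forwarding(
        client,
        vpc_id="vpc-0123456789abcdef0",   # assumed placeholder IDs
        sg_id="sg-0123456789abcdef0",
        subnets=[{"subnet_id": "subnet-0aaa", "az": "us-east-1a"},
                 {"subnet_id": "subnet-0bbb", "az": "us-east-1b"}],
        domain="datacenter.internal",
        target_ips=["172.16.1.100", "172.16.1.101"],
    ))
```

After it returns, the dig check from step 4 is the verification; if it times out, the usual culprits are the endpoint security group, the route to the target IPs, and the on-prem firewall.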

Example 2: PHZ Multi-Account Sharing

Goal: Account A owns prod.aws PHZ. VPCs in Account B need to resolve these records.

  1. Authorization: Account A (the zone owner) authorizes the association of VPC B with the PHZ via the CLI or API (create-vpc-association-authorization, passing the hosted zone ID plus VPC B's ID and region). This cross-account step cannot be done in the console.
  2. Association: Account B (the VPC owner) then completes the association with associate-vpc-with-hosted-zone. VPC B must have enableDnsSupport and enableDnsHostnames set to true.
  3. Result: Account B's VPC can now resolve names in Account A's PHZ without needing a Resolver Endpoint for this specific internal traffic. Account A should then delete the authorization (delete-vpc-association-authorization); the existing association is unaffected.
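The handshake above involves two accounts and three Route 53 API calls in a fixed order. The block below is an added example, not the cram sheet's own code, that performs it with boto3 (create_vpc_association_authorization, associate_vpc_with_hosted_zone, delete_vpc_association_authorization) and first checks the consumer VPC's DNS attributes with EC2's describe_vpc_attribute, since the association is useless without them. Clients for each account are passed in so the flow can be exercised with test doubles; the profile names, zone ID and VPC ID are assumed placeholders.

```python
"""Added example (not the cram sheet's own code): the two-account Route 53 API sequence
behind Example 2, with clients injected so it runs without AWS credentials."""
from __future__ import annotations


def missing_vpc_dns_attributes(ec2, vpc_id: str) -> list[str]:
    """Return the VPC DNS attributes still set to false; a PHZ needs both true.
    `ec2` is a boto3 'ec2' client for the account that owns the VPC."""
    missing = []
    for attribute, key in (("enableDnsSupport", "EnableDnsSupport"),
                           ("enableDnsHostnames", "EnableDnsHostnames")):
        response = ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attribute)
        if not response[key]["Value"]:
            missing.append(attribute)
    return missing


def share_phz_with_vpc(owner_r53, consumer_r53, consumer_ec2,
                       hosted_zone_id: str, vpc_region: str, vpc_id: str) -> dict:
    """owner_r53: route53 client for Account A (zone owner).
    consumer_r53 / consumer_ec2: route53 and ec2 clients for Account B (VPC owner)."""
    missing = missing_vpc_dns_attributes(consumer_ec2, vpc_id)
    if missing:
        raise RuntimeError(f"VPC {vpc_id} needs these attributes enabled first: {missing}")
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # Step 1 (Account A): only the zone owner can authorize a foreign VPC.
    owner_r53.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    # Step 2 (Account B): the association is performed from the VPC owner's side.
    change = consumer_r53.associate_vpc_with_hosted_zone(
        HostedZoneId=hosted_zone_id, VPC=vpc,
        Comment=f"Cross-account association of {vpc_id}",
    )["ChangeInfo"]
    # Step 3 (Account A): the authorization is a one-time ticket; revoking it after use
    # leaves the association in place but stops the ticket from being replayed later.
    owner_r53.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    return {"change_id": change["Id"], "status": change["Status"]}


if __name__ == "__main__":
    import boto3  # real run: one credential set per account, here via assumed profile names

    account_a = boto3.Session(profile_name="account-a")
    account_b = boto3.Session(profile_name="account-b", region_name="us-east-1")
    print(share_phz_with_vpc(
        owner_r53=account_a.client("route53"),
        consumer_r53=account_b.client("route53"),
        consumer_ec2=account_b.client("ec2"),
        hosted_zone_id="Z0123456789EXAMPLE",  # assumed placeholder for the prod.aws PHZ
        vpc_region="us-east-1",
        vpc_id="vpc-0b0b0b0b0b0b0b0b0",
    ))
```

Order matters: if the authorization is deleted before Account B associates, step 2 is rejected; if step 2 runs before step 1, it is rejected as well. The returned change ID can be polled with get_change until its status is INSYNC.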
