Design DNS Solutions for Public, Private, and Hybrid Architectures
Design DNS solutions that meet public, private, and hybrid requirements
Designing AWS DNS Solutions: Public, Private, and Hybrid Architectures
This guide covers the design and implementation of DNS strategies within AWS, focusing on Amazon Route 53, hybrid connectivity via Resolver Endpoints, and the nuances of public vs. private name resolution for the ANS-C01 exam.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between Public and Private Hosted Zones.
- Design a Hybrid DNS architecture using Route 53 Resolver Inbound and Outbound Endpoints.
- Implement Conditional Forwarding Rules for cross-environment resolution.
- Configure DNSSEC and logging for security and compliance.
- Use Alias records to optimize AWS service integration.
Key Terms & Glossary
- Public Hosted Zone (PHZ): A container that holds records for a domain reachable via the public internet.
- Private Hosted Zone (VPC PHZ): A container for records accessible only within one or more VPCs specified during configuration.
- Route 53 Resolver: A regional service that provides recursive DNS lookups for VPCs and facilitates hybrid DNS via endpoints.
- Inbound Endpoint: Allows on-premises DNS servers to forward queries to Route 53.
- Outbound Endpoint: Allows Route 53 to forward queries for specific domains to on-premises DNS servers.
- Forwarding Rule: A logic set that tells the Outbound Endpoint which domain queries to send to which on-premises IP addresses.
The "Big Idea"
In a modern enterprise, DNS is the "control plane" for connectivity. In AWS, DNS is not just about translating names to IPs; it is about bridging the gap between isolated VPCs and legacy on-premises data centers. The Route 53 Resolver acts as the central hub, ensuring that whether a resource lives in a local rack or an AWS region, it remains discoverable through a unified naming convention.
Formula / Concept Box
| Feature | Public Hosted Zone | Private Hosted Zone |
|---|---|---|
| Visibility | Internet-wide | VPC-internal only |
| Split-Horizon | Supported (can have same name as Private) | Supported |
| Record Pricing | Standard R53 Pricing | Standard R53 Pricing |
| Association | Domain Registration/NS Delegation | VPC ID(s) |
| AWS Service Integration | Alias Records (Public ELB, S3) | Alias Records (Internal ELB, VPC Endpoints) |
Hierarchical Outline
- Route 53 Hosted Zones
- Public Zones: Internet-facing; requires NS records at a registrar.
- Private Zones: Internal; requires `enableDnsHostnames` and `enableDnsSupport` set to `true` in VPC settings.
- Hybrid DNS Connectivity
- Inbound Endpoints: Interfaces for external queries into AWS; requires at least 2 IP addresses in different AZs.
- Outbound Endpoints: Interfaces for AWS queries to external targets; uses Forwarding Rules.
- DNS Security & Operations
- DNSSEC: Protects against DNS spoofing; requires signing at the zone level.
- Query Logging: Captures logs for every DNS query; integrates with CloudWatch Logs or S3.
Visual Anchors
Hybrid DNS Resolution Flow
Private Hosted Zone Logic
This diagram visualizes how a single Private Hosted Zone (PHZ) can serve multiple VPCs across different accounts or regions using VPC association.
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum height=1cm, text centered}]
  \node (phz) [fill=blue!10, thick] {\textbf{Private Hosted Zone (example.internal)}};
  \node (vpc1) [below left of=phz, xshift=-1cm] {VPC A (Production)};
  \node (vpc2) [below of=phz] {VPC B (Staging)};
  \node (vpc3) [below right of=phz, xshift=1cm] {VPC C (Shared)};
  \draw[<->, thick] (phz) -- (vpc1);
  \draw[<->, thick] (phz) -- (vpc2);
  \draw[<->, thick] (phz) -- (vpc3);
  % Record label sits above the zone node (anchor=south at phz.north) instead of overlapping it
  \node[draw=none, fill=none, anchor=south] at (phz.north) {\mbox{Records: app.example.internal $\rightarrow$ 10.0.1.5}};
\end{tikzpicture}
Definition-Example Pairs
- Conditional Forwarder: A rule that directs DNS queries to specific servers based on the domain name in the query.
  - Example: Configuring Route 53 to send all queries ending in `.internal.corp` to the corporate IP `192.168.1.10` via a Direct Connect gateway.
- Alias Record: A Route 53-specific record type that points a domain name to an AWS resource (like an ALB) instead of an IP.
  - Example: Pointing `api.myapp.com` to `my-load-balancer-123.us-east-1.elb.amazonaws.com` so DNS updates automatically if the ELB IP changes.
- Split-Horizon DNS: Providing different DNS responses for the same domain name depending on where the query originates.
  - Example: Internal users resolve `portal.company.com` to a private IP `10.0.0.50`, while external users resolve it to a public IP `52.x.x.x`.
Worked Examples
Setting up a Hybrid Outbound DNS Resolver
Scenario: An application in an AWS VPC needs to resolve the name `database.corp.local`, which is hosted on a Windows DNS server on-premises.
- Create Outbound Endpoint: Select the VPC and provide at least two subnets (multi-AZ) for high availability.
- Assign Security Group: Ensure the Security Group allows outbound UDP/TCP port 53 traffic to your on-premises DNS CIDR.
- Create Rule:
  - Rule Type: Forward
  - Domain Name: `corp.local`
  - Target IPs: The IP addresses of the on-premises DNS servers.
- Associate Rule: Attach the rule to the VPC where the application resides.
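The following Python model is an added example, not code from the original guide or from AWS: it simulates the decision the Route 53 Resolver makes for a query leaving a VPC, tying together the Conditional Forwarder and Split-Horizon definitions above and the outbound-resolver worked example. It applies most-specific-domain matching for forwarding rules, scopes Private Hosted Zone answers by VPC association, and includes the multi-AZ and port-53 security-group checks the guide calls for. All IPs, VPC IDs, subnet IDs and domain names are constructed; the rule-before-private-zone precedence is a simplified assumption of the toy model, not a statement of the service's exact ordering.

```python
"""Toy model of Route 53 Resolver query handling (added example, not AWS code)."""
from dataclasses import dataclass


@dataclass
class ForwardingRule:
    domain: str          # e.g. "corp.local"; covers the name and every subdomain
    target_ips: list     # on-premises DNS servers reached through the outbound endpoint


@dataclass
class PrivateHostedZone:
    name: str            # zone apex, e.g. "company.com"
    vpc_ids: set         # VPCs the zone is associated with
    records: dict        # fqdn -> IPv4 (A records only, for the toy)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _in_domain(domain: str, qname: str) -> bool:
    """True when qname equals domain or is a subdomain of it."""
    d, q = _norm(domain), _norm(qname)
    return q == d or q.endswith("." + d)


def _most_specific(candidates, qname, key):
    """Longest matching suffix wins, mirroring 'most specific domain' matching."""
    hits = [c for c in candidates if _in_domain(key(c), qname)]
    return max(hits, key=lambda c: len(_norm(key(c)))) if hits else None


def resolve(qname, source_vpc, rules, zones, public_dns):
    """Return (action, answer) for a query.

    source_vpc=None models a query from the public internet, which never
    sees forwarding rules or private zones (the split-horizon case).
    Assumed precedence (simplified): forwarding rule > private zone > public.
    """
    if source_vpc is not None:
        rule = _most_specific(rules, qname, lambda r: r.domain)
        if rule:
            return ("FORWARD", rule.target_ips)
        visible = [z for z in zones if source_vpc in z.vpc_ids]
        zone = _most_specific(visible, qname, lambda z: z.name)
        if zone:
            # The private zone is authoritative for its namespace: a missing
            # record is NXDOMAIN, not a fall-through to public DNS.
            ip = zone.records.get(_norm(qname))
            return ("PRIVATE", ip) if ip else ("NXDOMAIN", None)
    return ("PUBLIC", public_dns.get(_norm(qname)))


def endpoint_is_highly_available(subnets):
    """subnets: [(subnet_id, az)]. Guide's requirement: >= 2 IPs in different AZs."""
    return len(subnets) >= 2 and len({az for _, az in subnets}) >= 2


def sg_allows_dns(sg_rules, direction, cidr):
    """sg_rules: [(direction, protocol, port, cidr)]. DNS needs both UDP and TCP 53."""
    protos = {p for d, p, port, c in sg_rules
              if d == direction and port == 53 and c == cidr}
    return {"udp", "tcp"} <= protos


# Constructed sample environment (hypothetical values)
RULES = [
    ForwardingRule("corp.local", ["192.168.1.10"]),
    ForwardingRule("dev.corp.local", ["192.168.2.10"]),  # more specific, wins for *.dev.corp.local
]
ZONES = [PrivateHostedZone("company.com", {"vpc-prod"}, {"portal.company.com": "10.0.0.50"})]
PUBLIC_DNS = {"portal.company.com": "52.0.0.10"}   # constructed public answer for split-horizon
ONPREM_CIDR = "192.168.0.0/16"

if __name__ == "__main__":
    for qname, vpc in [("database.corp.local", "vpc-prod"), ("db.dev.corp.local", "vpc-prod"),
                       ("portal.company.com", "vpc-prod"), ("portal.company.com", None),
                       ("missing.company.com", "vpc-prod")]:
        print(f"{qname:24} from {vpc!s:9} -> {resolve(qname, vpc, RULES, ZONES, PUBLIC_DNS)}")
    print("multi-AZ ok:", endpoint_is_highly_available([("subnet-a", "us-east-1a"), ("subnet-b", "us-east-1b")]))
    print("SG ok:", sg_allows_dns([("egress", "udp", 53, ONPREM_CIDR), ("egress", "tcp", 53, ONPREM_CIDR)],
                                  "egress", ONPREM_CIDR))
```

The NXDOMAIN branch is the edge case worth remembering: once a Private Hosted Zone covers a namespace for an associated VPC, names missing from it do not fall back to public DNS, which is the usual cause of "works from my laptop, fails from the VPC" tickets after a split-horizon zone is created.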
Checkpoint Questions
- Which AWS service is required to allow on-premises clients to resolve names in an AWS Private Hosted Zone?
- What is the minimum number of IP addresses required for a Route 53 Resolver Endpoint to maintain high availability?
- True/False: A Private Hosted Zone can be associated with VPCs in different AWS Accounts.
- What two VPC attributes must be enabled for Private Hosted Zones to function correctly?
Answers
- Route 53 Resolver Inbound Endpoint.
- Two (spanning two different Availability Zones).
- True (using VPC association cross-account via CLI/API or RAM).
- `enableDnsHostnames` and `enableDnsSupport`.
Muddy Points & Cross-Refs
- Recursive vs. Iterative: Route 53 is an authoritative DNS service, but the Resolver provides recursive resolution for VPC clients.
- Endpoint Connectivity: Remember that Resolver Endpoints require a networking path (VPN or Direct Connect) to reach on-premises IPs. They do not magically tunnel through the public internet.
- Cost Caution: Each Resolver Endpoint incurs an hourly fee per Elastic Network Interface (ENI). In multi-account setups, centralizing DNS in a single VPC and sharing rules via AWS Resource Access Manager (RAM) is often more cost-effective.
Comparison Tables
Inbound vs. Outbound Endpoints
| Feature | Inbound Endpoint | Outbound Endpoint |
|---|---|---|
| Direction | On-prem → AWS | AWS → On-prem |
| Purpose | Resolving VPC PHZs from local office | Resolving local office domains from VPC |
| Key Config | Security Group (Inbound Port 53) | Forwarding Rules + Target IPs |
| IP Requirement | ENIs in at least 2 AZs | ENIs in at least 2 AZs |
> [!IMPORTANT]
> When configuring Outbound Endpoints, your Security Group must allow Outbound traffic on Port 53 (UDP/TCP) to your on-premises servers. When configuring Inbound Endpoints, it must allow Inbound traffic from your on-premises CIDR range.