Mastering Hybrid DNS: AWS Route 53 Resolver Endpoints and Private Hosted Zones
Design DNS solutions that meet public, private, and hybrid requirements
This lab guides you through designing and implementing a hybrid DNS solution. You will configure Amazon Route 53 to resolve queries between an AWS VPC and a simulated on-premises environment using Private Hosted Zones and Resolver Endpoints.
Prerequisites
- AWS Account: Active account with permissions to manage Route 53, VPC, and EC2.
- IAM Permissions: `AmazonVPCFullAccess`, `AmazonRoute53FullAccess`, and `AmazonRoute53ResolverFullAccess`.
- AWS CLI: Installed and configured with your credentials (`aws configure`).
- VPC Knowledge: Familiarity with subnets, security groups, and CIDR blocks.
Learning Objectives
- Create and associate a Private Hosted Zone (PHZ) with a VPC.
- Provision Inbound and Outbound Resolver Endpoints for hybrid connectivity.
- Configure Resolver Forwarding Rules to route traffic to external name servers.
- Implement security group rules required for DNS traffic (Port 53 TCP/UDP).
Architecture Overview
Step-by-Step Instructions
Step 1: Prepare the Security Group
Route 53 Resolver endpoints require a security group that allows inbound and outbound DNS traffic on Port 53.
```bash
# Create a security group
aws ec2 create-security-group \
  --group-name "DNS-Resolver-SG" \
  --description "Allow DNS traffic for Resolver Endpoints" \
  --vpc-id <YOUR_VPC_ID>

# Allow Inbound UDP Port 53
aws ec2 authorize-security-group-ingress \
  --group-id <SG_ID_FROM_PREVIOUS_STEP> \
  --protocol udp --port 53 --cidr <VPC_CIDR_OR_ON_PREM_CIDR>

# Allow Inbound TCP Port 53
aws ec2 authorize-security-group-ingress \
  --group-id <SG_ID_FROM_PREVIOUS_STEP> \
  --protocol tcp --port 53 --cidr <VPC_CIDR_OR_ON_PREM_CIDR>
```

Console alternative: open the security group in the console and add inbound rules for TCP and UDP on port 53 from your VPC/on-prem source CIDRs.
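The two mistakes that break this step in practice are forgetting one of the two protocols and opening port 53 to `0.0.0.0/0` instead of the VPC and on-prem ranges. The following audit is an added example (not part of the lab): it reads the JSON shape returned by `aws ec2 describe-security-groups` and reports both problems; the sample document, the group ID and the allowed CIDRs are constructed placeholders.

```python
"""Audit a security group for the port 53 rules a Resolver endpoint needs.

Added example, not part of the lab. It reads the JSON shape returned by
`aws ec2 describe-security-groups` and checks that port 53 is open for BOTH
tcp and udp, and flags sources wider than the CIDRs you intend to allow.
The sample below is constructed; all IDs and CIDRs in it are placeholders.
"""
import ipaddress
import json

# Constructed sample: udp/53 is present, tcp/53 was forgotten, and one source
# is the whole Internet instead of the VPC or on-prem range.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "DNS-Resolver-SG",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
    ],
}]})

# CIDRs that may legitimately query the endpoint (VPC and on-prem; assumed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/16"),
                   ipaddress.ip_network("192.168.0.0/16")]


def audit_dns_sg(describe_json, allowed_sources=ALLOWED_SOURCES):
    """Return findings for the first security group in the describe output."""
    sg = json.loads(describe_json)["SecurityGroups"][0]
    open_protocols, wide_sources = set(), set()
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        # "-1" means every protocol and port; FromPort/ToPort are then absent.
        covers_53 = proto == "-1" or (
            perm.get("FromPort", 0) <= 53 <= perm.get("ToPort", 65535))
        if not covers_53:
            continue
        open_protocols.update({"tcp", "udp"} if proto == "-1" else {proto})
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            # Accept a source only if it sits inside an allowed CIDR.
            if not any(src.version == a.version and src.subnet_of(a)
                       for a in allowed_sources):
                wide_sources.add(str(src))
    return {"group_id": sg["GroupId"],
            "missing_protocols": sorted({"tcp", "udp"} - open_protocols),
            "overly_broad_sources": sorted(wide_sources)}
```

Feed it the real output of `aws ec2 describe-security-groups --group-ids <SG_ID>` to confirm the group before attaching it to the endpoint in Step 3.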
Step 2: Create a Private Hosted Zone
This zone will handle internal DNS resolution for resources within your VPC.
```bash
# Create the PHZ
aws route53 create-hosted-zone \
  --name "corp.internal" \
  --vpc VPCRegion=<YOUR_REGION>,VPCId=<YOUR_VPC_ID> \
  --caller-reference $(date +%s) \
  --hosted-zone-config PrivateZone=true
```

> [!TIP]
> Ensure that `enableDnsHostnames` and `enableDnsSupport` are set to `true` in your VPC settings, or PHZ resolution will fail.
Step 3: Provision an Outbound Resolver Endpoint
Outbound endpoints allow AWS to forward queries for specific domains (like onprem.local) to your data center.
```bash
aws route53resolver create-resolver-endpoint \
  --name "Hybrid-Outbound-EP" \
  --direction OUTBOUND \
  --security-group-ids <SG_ID_FROM_STEP_1> \
  --ip-addresses SubnetId=<SUBNET_ID_1> SubnetId=<SUBNET_ID_2>
```

> [!IMPORTANT]
> For high availability, you MUST specify at least two IP addresses in different Availability Zones.
Step 4: Configure a Forwarding Rule
Define which domain queries should be sent to the on-premises DNS server.
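How Resolver decides which queries a rule like the one created in this step captures, as an added model that is neither the lab's nor AWS code: when several rules match a name, the rule with the most specific (longest) domain name wins, and a SYSTEM rule for a subdomain overrides forwarding so Resolver answers it itself (private hosted zone, then public DNS). The rule set, target IPs and endpoint ID below are constructed placeholders.

```python
"""Model of how Route 53 Resolver chooses a forwarding rule for a query name.

Added example, not part of the lab and not AWS code. It mirrors the documented
behaviour: when several rules match, the rule with the most specific (longest)
domain name wins, and a SYSTEM rule overrides forwarding so Resolver answers the
name itself (private hosted zone, then public DNS). The rule set is constructed;
the IPs and endpoint ID are placeholders.
"""

# Constructed rules: the lab's onprem.local FORWARD rule plus a more specific
# FORWARD rule and a SYSTEM carve-out for a subdomain hosted in AWS.
RULES = [
    {"Name": "ForwardToOnPrem", "RuleType": "FORWARD",
     "DomainName": "onprem.local.", "ResolverEndpointId": "rslvr-out-EXAMPLE",
     "TargetIps": [{"Ip": "192.168.10.53", "Port": 53}]},
    {"Name": "ForwardLabToSecondary", "RuleType": "FORWARD",
     "DomainName": "lab.onprem.local.", "ResolverEndpointId": "rslvr-out-EXAMPLE",
     "TargetIps": [{"Ip": "192.168.20.53", "Port": 53}]},
    {"Name": "KeepAwsSubdomainLocal", "RuleType": "SYSTEM",
     "DomainName": "aws.onprem.local.", "ResolverEndpointId": None,
     "TargetIps": []},
]


def _normalize(name):
    """Lower-case and drop the trailing dot so 'Host.ONPREM.local.' compares cleanly."""
    return name.strip().lower().rstrip(".")


def _matches(qname, domain):
    """A rule covers the domain itself and every name beneath it, not look-alikes."""
    return qname == domain or qname.endswith("." + domain)


def route_query(qname, rules=RULES):
    """Return ('FORWARD', [target IPs]) or ('RESOLVER', []) for a query name.

    'RESOLVER' means the VPC's default Resolver answers (PHZ or public DNS)."""
    q = _normalize(qname)
    candidates = [r for r in rules if _matches(q, _normalize(r["DomainName"]))]
    if not candidates:
        return "RESOLVER", []
    # Most specific domain name wins over broader ones.
    best = max(candidates, key=lambda r: len(_normalize(r["DomainName"])))
    if best["RuleType"] == "SYSTEM":
        return "RESOLVER", []
    return "FORWARD", [t["Ip"] for t in best["TargetIps"]]
```

Note that `notonprem.local` does not match the `onprem.local` rule: matching is on label boundaries, not on string suffixes.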
```bash
aws route53resolver create-resolver-rule \
  --name "ForwardToOnPrem" \
  --rule-type FORWARD \
  --domain-name "onprem.local" \
  --target-ips Ip=<ON_PREM_DNS_IP> \
  --resolver-endpoint-id <OUTBOUND_ENDPOINT_ID_FROM_STEP_3>

# Associate the rule with your VPC
aws route53resolver associate-resolver-rule \
  --resolver-rule-id <RULE_ID> \
  --vpc-id <YOUR_VPC_ID>
```

Checkpoints
| Verification Step | Command / Action | Expected Result |
|---|---|---|
| Check PHZ | aws route53 list-hosted-zones-by-name --dns-name corp.internal | Should return JSON with the zone ID. |
| Verify Endpoint Status | aws route53resolver get-resolver-endpoint --resolver-endpoint-id <ID> | Status should be OPERATIONAL. |
| Test Resolution | Run dig test.corp.internal from an EC2 in the VPC | Should return the record defined in Step 2. |
Clean-Up / Teardown
> [!WARNING]
> Failure to delete Resolver Endpoints will result in hourly charges (~$0.125 per hour per ENI).

- Disassociate Rules: `aws route53resolver disassociate-resolver-rule --resolver-rule-id <RULE_ID> --vpc-id <VPC_ID>`
- Delete Rules: `aws route53resolver delete-resolver-rule --resolver-rule-id <RULE_ID>`
- Delete Outbound Endpoint: `aws route53resolver delete-resolver-endpoint --resolver-endpoint-id <ID>`
- Delete Hosted Zone: `aws route53 delete-hosted-zone --id <ZONE_ID>`
- Delete Security Group: `aws ec2 delete-security-group --group-id <SG_ID>`
Troubleshooting
| Problem | Potential Cause | Fix |
|---|---|---|
| Connection Timeout | Security Group blocking Port 53 | Ensure both TCP and UDP Port 53 are open in the SG assigned to the Endpoint. |
| NXDOMAIN for PHZ | VPC DNS settings disabled | Enable enableDnsSupport and enableDnsHostnames on the VPC. |
| Endpoint stuck in CREATING | Subnet issues | Ensure the selected subnets have available IP addresses and routes to the DNS target. |
Stretch Challenge
Task: Create an Inbound Resolver Endpoint. This allows your on-premises servers to query AWS Private Hosted Zones.
- Hint: Use `--direction INBOUND` in the CLI. You will receive two IP addresses. Configure your on-premises DNS as a conditional forwarder pointing to these AWS IPs for the `corp.internal` domain.
Cost Estimate
- Route 53 Resolver Endpoints: ~$0.125 per hour per Elastic Network Interface (ENI). A standard HA setup (2 subnets) costs ~$0.25/hour.
- Recursive Queries: $0.40 per million queries (after first 25 million).
- Hosted Zone: $0.50 per month per hosted zone.
Concept Review
| Service | Use Case | Key Feature |
|---|---|---|
| Public Hosted Zone | Internet-facing traffic | Standard DNS records (A, CNAME, etc.) |
| Private Hosted Zone | Internal VPC traffic | Isolated from the public internet |
| Inbound Endpoint | On-prem querying AWS | Acts as a DNS server inside the VPC |
| Outbound Endpoint | AWS querying On-prem | Forwards queries based on Rules |