
Study Guide: Hybrid DNS and Route 53 Resolver Architecture

Configuring existing on-premises name resolution with the AWS Cloud

Configuring Hybrid Name Resolution with AWS

This guide covers the architecture and implementation of Route 53 Resolver, the bridge between on-premises DNS environments and AWS Virtual Private Clouds (VPCs). Mastering this is critical for the AWS Certified Advanced Networking Specialty (ANS-C01) exam.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between Inbound and Outbound Resolver Endpoints.
  • Configure Conditional Forwarding Rules for hybrid name resolution.
  • Secure DNS traffic using Security Groups and Route 53 DNS Firewall.
  • Design a bidirectional DNS architecture across Direct Connect or Site-to-Site VPN.

Key Terms & Glossary

  • Route 53 Resolver: A regional service that provides recursive DNS lookups for VPCs and enables hybrid DNS.
  • Inbound Endpoint: Allows on-premises DNS servers to forward queries to Route 53 (On-prem → AWS).
  • Outbound Endpoint: Allows Route 53 to forward queries to on-premises DNS servers (AWS → On-prem).
  • Forwarding Rule: A configuration bound to an outbound endpoint and associated with one or more VPCs; it tells the resolver which domain's queries should be sent to specific target IP addresses (e.g., your on-prem DNS servers). A rule has no effect on a VPC until it is associated with it.
  • Private Hosted Zone (PHZ): A DNS container for domain records that are only visible within specified VPCs.

The "Big Idea"

In a hybrid cloud environment, resources are split between data centers and the cloud. Without a unified DNS strategy, an EC2 instance cannot resolve database.internal.corp, and an on-premises server cannot resolve web.aws.internal. Route 53 Resolver acts as the "intelligent switchboard," routing DNS queries across the hybrid link (VPN or Direct Connect) so that both environments appear as a single, contiguous namespace.

Formula / Concept Box

Requirement        | Specification
-------------------|------------------------------------------------------------------
Network protocol   | UDP and TCP
DNS port           | 53
Connectivity       | Private path to on-premises: Direct Connect (DX) or Site-to-Site VPN
Endpoint IPs       | At least two IP addresses, in subnets in different Availability Zones (AZs), for high availability
Rule limit         | 1,000 Resolver rules per Region (default quota)

Hierarchical Outline

  1. Route 53 Resolver Fundamentals
    • Default behavior: Resolves public names and PHZs associated with the VPC.
    • The .2 Resolver: Amazon-provided DNS at the VPC CIDR base address plus 2 (e.g., 10.0.0.2 for 10.0.0.0/16); also reachable at the fixed address 169.254.169.253.
  2. Inbound Resolver Endpoints
    • Function: Entry point for queries originating outside AWS.
    • Architecture: Assigned ENIs (Elastic Network Interfaces) in your VPC subnets.
    • Use Case: On-prem apps needing to reach resources in an AWS Private Hosted Zone.
  3. Outbound Resolver Endpoints
    • Function: Exit point for queries originating inside AWS.
    • Forwarding Rules: Define which domains (e.g., *.corp) go to which on-prem IPs.
    • System Rules: Override forwarding to keep certain queries local to AWS.
  4. Security and Management
    • Security Groups: Inbound endpoint SGs must allow inbound TCP/UDP 53 from the on-premises resolvers; outbound endpoint SGs must allow outbound TCP/UDP 53 to the forwarding-rule target IPs. Scope both to the specific peer addresses rather than 0.0.0.0/0.
    • DNS Firewall: Allow, block, or alert on queries by domain list (e.g., known C2 or DNS-tunneling domains). It only inspects queries that pass through Route 53 Resolver, so pair it with SG/NACL rules that block instances from reaching other resolvers directly.
    • Resource Access Manager (RAM): Share resolver rules across multiple AWS accounts.

Visual Anchors

Hybrid DNS Query Flow (diagram not reproduced)

Network Path Representation (diagram not reproduced)

Definition-Example Pairs

  • Conditional Forwarding: Sending DNS queries for a specific domain to a specific server.
    • Example: An AWS Outbound Rule stating that any query ending in .onprem.local must be sent to 192.168.1.10.
  • Recursive DNS: A DNS server that queries other servers on behalf of a client until it finds the answer.
    • Example: When you query google.com, the Route 53 Resolver performs the recursive steps (Root → TLD → Authoritative) for you.
  • DNS Firewall Rule Group: A collection of rules that allow or block DNS queries based on domain lists.
    • Example: Blocking all queries to malware-site.com across all VPCs in an organization.
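To make the DNS Firewall example concrete, the following is an added Python example (not code from the guide or from AWS). It models DNS Firewall domain-list matching as documented, where a bare entry such as malware-site.com matches only that exact name and a leading "*." entry matches subdomains but not the apex, which is why blocking a domain usually means adding both forms. It then shows the boto3 calls that create a domain list, a BLOCK rule group, and the VPC association. The domain name and VPC ID are constructed sample values; the matcher is a model of the service's behaviour, not its implementation.

```python
"""Route 53 Resolver DNS Firewall: domain-list matching model plus provisioning.

Added example, not from the guide or AWS. Domain names and the VPC ID are
constructed sample values. The matcher models the documented semantics:
a bare entry matches the exact name only; a '*.' entry matches subdomains
but not the apex itself.
"""
import uuid


def expand_block_domain(domain: str):
    """Entries needed to block a domain and everything beneath it."""
    d = domain.strip().lower().rstrip(".")
    return [d, f"*.{d}"]


def domain_list_matches(entries, qname: str) -> bool:
    """Model of how a DNS Firewall domain list matches a query name."""
    q = qname.strip().lower().rstrip(".")
    for entry in entries:
        e = entry.strip().lower().rstrip(".")
        if e.startswith("*."):
            # e[1:] is ".example.com": any label(s) before it, never the apex
            if q.endswith(e[1:]):
                return True
        elif q == e:
            return True
    return False


# Constructed indicator for the example; both forms are needed to cover the apex
# and its subdomains.
BLOCKED = expand_block_domain("malware-site.com")


def block_rule_group(vpc_id: str, domains, region: str = "us-east-1"):
    """Create a domain list, a BLOCK rule group, and attach it to a VPC.

    Requires AWS credentials; returns the FirewallRuleGroupAssociation.
    """
    import boto3  # imported here so the module loads without boto3 installed

    fw = boto3.client("route53resolver", region_name=region)
    dl = fw.create_firewall_domain_list(
        CreatorRequestId=str(uuid.uuid4()), Name="blocked-domains"
    )["FirewallDomainList"]
    fw.update_firewall_domains(
        FirewallDomainListId=dl["Id"], Operation="ADD", Domains=list(domains)
    )
    rg = fw.create_firewall_rule_group(
        CreatorRequestId=str(uuid.uuid4()), Name="block-known-bad"
    )["FirewallRuleGroup"]
    fw.create_firewall_rule(
        CreatorRequestId=str(uuid.uuid4()),
        FirewallRuleGroupId=rg["Id"],
        FirewallDomainListId=dl["Id"],
        Priority=100,
        Action="BLOCK",
        BlockResponse="NXDOMAIN",   # clients see a clean "no such name"
        Name="block-list",
    )
    # Association priority must be in 101..9900; lower values evaluate first.
    return fw.associate_firewall_rule_group(
        CreatorRequestId=str(uuid.uuid4()),
        FirewallRuleGroupId=rg["Id"],
        VpcId=vpc_id,
        Priority=101,
        Name="block-known-bad-vpc",
    )["FirewallRuleGroupAssociation"]


if __name__ == "__main__":
    for name in ("malware-site.com", "cdn.malware-site.com", "notmalware-site.com"):
        print(name, "blocked" if domain_list_matches(BLOCKED, name) else "allowed")
    # block_rule_group("vpc-123", BLOCKED)  # uncomment with real credentials
```

Run the module as-is to exercise the matcher offline; call block_rule_group only against an account where you hold the Route 53 Resolver permissions. To roll the same rule group out to every VPC in an organization, share it with AWS RAM and associate it per VPC.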

Worked Examples

Scenario: Connecting a VPC to a Corporate Data Center

Goal: An EC2 instance in vpc-123 (CIDR 10.0.0.0/16) needs to resolve srv1.corp.local located in a data center (IP 172.16.0.50).

  1. Establish Connectivity: Ensure a Site-to-Site VPN is "Up" between the VPC and the data center and that 10.0.0.0/16 and 172.16.0.0/16 are routable to each other.
  2. Create Outbound Endpoint:
    • Select vpc-123.
    • Assign two subnets in different AZs (e.g., us-east-1a and us-east-1b) for high availability.
    • Resolver creates one ENI per subnet and assigns (or you specify) an IP in each (e.g., 10.0.1.5 and 10.0.2.5).
  3. Configure Security Group:
    • Attach a Security Group to the endpoint allowing outbound UDP/TCP 53 to 172.16.0.50/32 only; remove the default allow-all egress.
    • The on-premises firewall must allow UDP/TCP 53 from 10.0.1.5 and 10.0.2.5, since those ENIs are the source of the forwarded queries.
  4. Create Forwarding Rule:
    • Domain Name: corp.local.
    • Rule Type: Forward.
    • Target IPs: 172.16.0.50 (port 53).
    • Outbound Endpoint: the endpoint created in step 2.
    • Associate the rule with vpc-123; a rule that is not associated with the VPC is never consulted.
  5. Test: From the EC2 instance, run dig srv1.corp.local. The query goes to the VPC's .2 resolver, which matches the corp.local rule and forwards it from one of the endpoint ENIs to 172.16.0.50. If the answer times out, check the two places traffic most often stops: the endpoint's SG egress and the on-premises firewall's inbound rule for the ENI addresses.
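The procedure above, as an added boto3 example (not the guide's own code and not an AWS-supplied script). It performs the same steps in order: a least-privilege security group that allows only DNS egress to the on-prem resolver, the two-AZ outbound endpoint, the corp.local FORWARD rule bound to that endpoint, and the rule-to-VPC association. The VPC ID, IPs and on-prem address come from the scenario; the subnet IDs are placeholders (assumption). The parameter builders run offline; provision() needs credentials.

```python
"""Provision the worked example (outbound endpoint + corp.local forwarding rule).

Added example, not the guide's code. VPC, ENI and on-prem addresses are the
scenario values; the subnet IDs are placeholders (assumption).
"""
import time
import uuid

VPC_ID = "vpc-123"
SUBNETS = {  # subnet -> fixed ENI address; two subnets in two AZs for HA (placeholder IDs)
    "subnet-0a-us-east-1a": "10.0.1.5",
    "subnet-0b-us-east-1b": "10.0.2.5",
}
ONPREM_DNS = ["172.16.0.50"]
RULE_DOMAIN = "corp.local"


def security_group_egress(target_ips):
    """Egress permissions allowing only UDP/TCP 53 to the on-prem resolvers."""
    return [
        {
            "IpProtocol": proto,
            "FromPort": 53,
            "ToPort": 53,
            "IpRanges": [{"CidrIp": f"{ip}/32", "Description": "on-prem DNS"} for ip in target_ips],
        }
        for proto in ("udp", "tcp")
    ]


def endpoint_params(sg_id, subnets, name="corp-outbound"):
    """Parameters for route53resolver.create_resolver_endpoint (Direction OUTBOUND)."""
    if len(subnets) < 2:
        raise ValueError("Resolver requires at least two IP addresses for an endpoint")
    return {
        "CreatorRequestId": str(uuid.uuid4()),  # idempotency token
        "Name": name,
        "SecurityGroupIds": [sg_id],
        "Direction": "OUTBOUND",
        "IpAddresses": [{"SubnetId": s, "Ip": ip} for s, ip in subnets.items()],
    }


def rule_params(endpoint_id, domain, target_ips, name="corp-local-forward"):
    """Parameters for create_resolver_rule: a FORWARD rule bound to the outbound endpoint."""
    return {
        "CreatorRequestId": str(uuid.uuid4()),
        "Name": name,
        "RuleType": "FORWARD",
        "DomainName": domain,
        "TargetIps": [{"Ip": ip, "Port": 53} for ip in target_ips],
        "ResolverEndpointId": endpoint_id,
    }


def provision(region="us-east-1"):
    """Run the steps in order. Needs AWS credentials; returns the rule association."""
    import boto3  # imported here so the module loads without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    r53r = boto3.client("route53resolver", region_name=region)

    sg_id = ec2.create_security_group(
        GroupName="r53-outbound-endpoint",
        Description="Route 53 Resolver outbound endpoint",
        VpcId=VPC_ID,
    )["GroupId"]
    # A new SG allows all egress; replace that with DNS-only egress to the targets.
    ec2.revoke_security_group_egress(
        GroupId=sg_id, IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    )
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=security_group_egress(ONPREM_DNS))

    endpoint = r53r.create_resolver_endpoint(**endpoint_params(sg_id, SUBNETS))["ResolverEndpoint"]
    while endpoint["Status"] != "OPERATIONAL":  # ENIs take a few minutes to come up
        time.sleep(15)
        endpoint = r53r.get_resolver_endpoint(ResolverEndpointId=endpoint["Id"])["ResolverEndpoint"]

    rule = r53r.create_resolver_rule(**rule_params(endpoint["Id"], RULE_DOMAIN, ONPREM_DNS))["ResolverRule"]
    # The rule is inert until it is associated with the VPC whose queries it should catch.
    return r53r.associate_resolver_rule(
        ResolverRuleId=rule["Id"], Name="corp-local-vpc-123", VPCId=VPC_ID
    )["ResolverRuleAssociation"]


if __name__ == "__main__":
    print(provision())
```

The security group deliberately has no inbound rules: an outbound endpoint only initiates connections, and response traffic is matched by SG state tracking. Run dig srv1.corp.local from an instance in vpc-123 once the association status is COMPLETE.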

Checkpoint Questions

  1. Which Route 53 component is required if you want your on-premises servers to resolve names in an AWS Private Hosted Zone?
  2. What is the minimum number of IP addresses/Availability Zones required for a Route 53 Resolver Endpoint to be considered highly available?
  3. You have a forwarding rule for example.com but want internal.example.com to stay within AWS. What type of rule should you create?
  4. True/False: Route 53 Resolver Endpoints require a Public IP address to function over Direct Connect.
Answers
  1. Inbound Resolver Endpoint (with the Private Hosted Zone associated with the endpoint's VPC).
  2. Two IP addresses, in two different Availability Zones.
  3. A System Rule for internal.example.com. The most specific matching rule wins, and a System rule hands the name back to the VPC's default resolution.
  4. False. Endpoints use private ENIs and communicate over the DX private VIF or VPN tunnel.

Muddy Points & Cross-Refs

  • Recursive vs. Forwarding: Users often confuse the two. Recursive resolution walks the hierarchy (root, TLD, authoritative) to find the answer itself; forwarding hands the whole query to a designated server and returns whatever it answers.
  • PHZ Association: Simply creating an Inbound Endpoint isn't enough; your Private Hosted Zone must be associated with the VPC where the endpoint resides, otherwise on-premises queries arriving at the endpoint get NXDOMAIN.
  • Overlap with DHCP Options Sets: You could point a VPC at your own DNS servers via DHCP Options, but then instances bypass the .2 resolver and lose resolution of Private Hosted Zones, EC2 private DNS names and VPC endpoint private DNS unless your servers forward those names back to Route 53 Resolver. Resolver rules keep the .2 resolver in the path and avoid that problem.

Comparison Tables

Inbound vs. Outbound Endpoints

Feature           | Inbound Endpoint                          | Outbound Endpoint
------------------|-------------------------------------------|--------------------------------------------
Traffic direction | From on-prem to AWS                       | From AWS to on-prem
Primary goal      | Resolve AWS PHZs from on-prem             | Resolve on-prem domains from EC2
Configuration     | Subnets/IPs and a security group; PHZs associated with the VPC | Subnets/IPs, a security group, and forwarding rules associated with the VPC
Initiator         | On-premises DNS server                    | Route 53 Resolver
Security group    | Inbound UDP/TCP 53 from on-prem resolvers | Outbound UDP/TCP 53 to rule target IPs

Comparison of Rule Types

Rule Type | Action                                   | Use Case
----------|------------------------------------------|-----------------------------------------------------------
Forward   | Sends the query to the rule's target IPs | Hybrid DNS resolution for corporate domains.
System    | Uses default VPC resolution (PHZ, then public) | Overriding a broad forward rule for a specific sub-domain.
Recursive | Resolver resolves via the public DNS hierarchy | Standard internet lookups (the autodefined default).
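The rule table above, the outline's "System Rules" bullet and checkpoint question 3 all rest on one behaviour: Resolver picks the most specific matching rule domain, and a System rule routes the name back to default VPC resolution. The following is an added Python model of that selection logic (not AWS code, and not the guide's); the rule set and query names are constructed to match the scenarios in this guide.

```python
"""Model of how Route 53 Resolver chooses a rule for a query name.

Added illustration, not AWS code. It mirrors the documented behaviour that
the rule with the most specific (longest) matching domain wins, that a rule
for example.com also covers example.com itself, and that a SYSTEM rule sends
the name back to the VPC's default resolution. Sample rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverRule:
    domain: str             # rule domain, e.g. "corp.local"
    rule_type: str          # "FORWARD" or "SYSTEM"
    target_ips: tuple = ()  # on-prem resolvers, FORWARD rules only


def _normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Corp.Local.' equals 'corp.local'."""
    return name.strip().lower().rstrip(".")


def rule_matches(rule_domain: str, qname: str) -> bool:
    """A rule for example.com covers example.com and every name beneath it."""
    d, q = _normalize(rule_domain), _normalize(qname)
    return q == d or q.endswith("." + d)


def select_rule(qname: str, rules):
    """Return the most specific matching rule, or None for default recursion."""
    candidates = [r for r in rules if rule_matches(r.domain, qname)]
    if not candidates:
        return None
    # More labels = more specific. Ties cannot occur: a VPC cannot have two
    # associated rules with the same domain.
    return max(candidates, key=lambda r: len(_normalize(r.domain).split(".")))


def resolve_decision(qname: str, rules) -> dict:
    """Say where a query goes: FORWARD to targets, SYSTEM (VPC default), or RECURSIVE."""
    rule = select_rule(qname, rules)
    if rule is None:
        return {"action": "RECURSIVE", "via": "Route 53 Resolver (public DNS)", "rule": None}
    if rule.rule_type == "SYSTEM":
        return {"action": "SYSTEM", "via": "VPC default resolution (PHZ, then public)",
                "rule": rule.domain}
    return {"action": "FORWARD", "via": list(rule.target_ips), "rule": rule.domain}


# Constructed rule set matching the guide's scenarios: a corp.local forward,
# a broad example.com forward, and a SYSTEM carve-out for internal.example.com.
SAMPLE_RULES = (
    ResolverRule("corp.local", "FORWARD", ("172.16.0.50",)),
    ResolverRule("example.com", "FORWARD", ("172.16.0.50", "172.16.0.51")),
    ResolverRule("internal.example.com", "SYSTEM"),
)

if __name__ == "__main__":
    for q in ("srv1.corp.local", "www.example.com", "db.internal.example.com", "google.com"):
        print(q, "->", resolve_decision(q, SAMPLE_RULES))
```

Note what the model does not cover: autodefined rules for names such as the VPC's own EC2 private DNS suffix, and the fact that a FORWARD rule only takes effect once associated with the querying VPC. Both are handled by the service, not by the matching step shown here.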
