Forwarding AWS Name Resolution Requests to On-Premises DNS

One of the problems that often comes into play with regard to hybrid networks is that of routing traffic between cloud resources and on-premises networks.

While the process of establishing a network path between two networks tends to be somewhat straightforward, DNS name resolution can be an issue. After all, resources within AWS or other clouds know nothing about endpoints on your private network.

One way to solve this problem within AWS is to create an endpoint and forwarding rules that allow AWS to forward certain DNS queries to your on-premises DNS servers.

The easiest way to go about forwarding name resolution requests is to create an outbound Route 53 endpoint. This endpoint, along with a series of rules, can forward DNS queries originating within a VPC to your on-premises network.

To get started, log into AWS and open the Route 53 console. When the Route 53 Dashboard opens, click on the Outbound Endpoints tab, located on the left side of the screen. When AWS opens the Route 53 Resolver screen, take a second to verify that you are working within the desired region, and then click on the Configure Endpoints button.

At this point, you will be taken to a screen like the one shown in Figure 1. As you can see in the figure, this screen walks you through the process of configuring an endpoint. The first step is to specify the direction of the DNS queries. Since the queries will originate within a VPC and be sent to a private network, choose the Outbound only option and click Next.

Figure 1: Choose the Outbound Only Option and Click Next.

As you look at the above screen capture, you will notice that Step 2 is to configure an inbound endpoint. Because we are only configuring an outbound endpoint, AWS will skip this step and take you directly to Step 3, Configure Outbound Endpoint.

The first thing that you will need to do in creating an outbound endpoint is to provide a name for the endpoint that you are creating. Once you have entered a name, you will need to select the VPC with which you want to associate the endpoint. Make your selection carefully, because you won't be able to choose a different VPC later on. All outbound queries will pass through the VPC that you choose here, regardless of where those queries originate.

Once you have selected the VPC that you want to use, you will need to choose the security group that will control the endpoint's network traffic within that VPC. Again, you won't be able to switch to a different security group later on, so be sure to make your selection carefully.

Finally, you will need to choose the endpoint type. You can create an IPv4 endpoint, an IPv6 endpoint or a dual stack endpoint. You can see what these configuration options look like in Figure 2.

Figure 2: You Will Need to Provide an Endpoint Name and then Choose your VPC, Security Group and Endpoint Type.

Scroll down and you will see the IP Addresses section. Here, you must select an availability zone and a corresponding subnet for outbound queries to use. Amazon requires you to provide a minimum of two availability zones for the sake of reliability, but you can specify additional availability zones if you like. It is also worth noting that the wizard is designed to select an IP address automatically, but you can manually specify an address if you have the need.

Figure 3: You Will Need to Specify Which Availability Zones and Subnets the Endpoint Will Use.

Click Next, and you will be taken to the Create Rule screen. A rule is the mechanism that will instruct the endpoint to forward the DNS query to your preferred DNS server. The first thing that you will need to do is to enter a name for the rule that you are creating. You will also need to specify a rule type. Typically the rule type will need to be set to Forward.

The next thing that you will need to do is to enter a domain name that you use on your on-premises network. Any requests associated with that domain name will be forwarded to the address that you specify later in the rule. If you have multiple domains on-premises, you can create multiple rules to handle them.

Once you have specified a domain name, you will need to tell AWS which VPCs are going to be allowed to use the rule. You can associate the rule with as many VPCs as you like. You can see what these options look like in Figure 4.

Figure 4: You Will Need to Populate the Various Fields Associated with the Rule.

Scroll down a bit and you will find a Target IP Address field. Here, you should enter the IP address of the DNS server to which you want to forward queries.

When you are done, click Next and you will see a summary screen outlining all of your configuration options. Take a moment to verify the information on this screen and then click the Submit button to complete the process.
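The same configuration can be scripted instead of clicked through. The script below is an added example, not something from the article or from AWS; it expresses the walkthrough above as AWS CLI calls (create the outbound endpoint, create a Forward rule for the on-premises domain, associate the rule with each VPC). It first checks the constraints the wizard enforces (at least two distinct subnets, an IPv4 target, a domain name) and then prints the command sequence for review rather than running it, so it works without credentials. All IDs, the domain name and the DNS server address are hypothetical placeholders; the endpoint type value IPV4 corresponds to the IPv4 option in Figure 2 (IPV6 and DUALSTACK are the other choices). Running the printed commands for real assumes the AWS CLI is installed with Route 53 Resolver permissions, and that the security group allows outbound DNS (53/udp and 53/tcp) to the target server.

```shell
#!/bin/sh
# Added example (not from the article): the console walkthrough expressed as
# AWS CLI calls. Inputs are validated, then a reviewable command sequence is
# printed instead of being executed, so this runs without AWS credentials.
set -eu

# Hypothetical placeholder values; replace with your own IDs.
ENDPOINT_NAME="onprem-forwarder"
SECURITY_GROUP="sg-0123456789abcdef0"   # must allow egress to ONPREM_DNS on 53/udp and 53/tcp
SUBNETS="subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb"   # one per AZ, at least two
ONPREM_DOMAIN="corp.example"
ONPREM_DNS="10.20.30.53"
VPCS="vpc-0123456789abcdef0"

# Returns 0 for a syntactically valid dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Mirrors the wizard's hard requirements: at least two distinct subnets (the
# console demands two availability zones), an IPv4 forwarding target and a
# plausible domain name.
validate_inputs() {
  local subnets="$1" target="$2" domain="$3" count
  count=$(printf '%s\n' $subnets | sort -u | grep -c . || true)
  [ "$count" -ge 2 ] || { echo "need at least two distinct subnets" >&2; return 1; }
  is_ipv4 "$target" || { echo "target '$target' is not an IPv4 address" >&2; return 1; }
  case "$domain" in
    ''|*[!A-Za-z0-9.-]*) echo "bad domain name '$domain'" >&2; return 1 ;;
  esac
}

# Prints the CLI sequence: create the OUTBOUND endpoint, create a FORWARD rule
# for the on-premises domain on it, then associate the rule with each VPC.
# The creator-request-id values make retries of each create call idempotent.
build_plan() {
  local name="$1" sg="$2" subnets="$3" domain="$4" target="$5" vpcs="$6" ip_args="" s v
  validate_inputs "$subnets" "$target" "$domain" || return 1
  for s in $subnets; do ip_args="$ip_args SubnetId=$s"; done
  cat <<EOF
ENDPOINT_ID=\$(aws route53resolver create-resolver-endpoint \\
  --creator-request-id "$name-\$(date +%s)" \\
  --name "$name" --direction OUTBOUND --resolver-endpoint-type IPV4 \\
  --security-group-ids "$sg" \\
  --ip-addresses$ip_args \\
  --query ResolverEndpoint.Id --output text)
RULE_ID=\$(aws route53resolver create-resolver-rule \\
  --creator-request-id "$name-rule-\$(date +%s)" \\
  --name "$name-$domain" --rule-type FORWARD \\
  --domain-name "$domain" \\
  --target-ips Ip=$target,Port=53 \\
  --resolver-endpoint-id "\$ENDPOINT_ID" \\
  --query ResolverRule.Id --output text)
EOF
  for v in $vpcs; do
    echo "aws route53resolver associate-resolver-rule --resolver-rule-id \"\$RULE_ID\" --vpc-id $v"
  done
}

build_plan "$ENDPOINT_NAME" "$SECURITY_GROUP" "$SUBNETS" "$ONPREM_DOMAIN" "$ONPREM_DNS" "$VPCS"
```

The printed sequence captures the endpoint ID from the first call and feeds it to the rule creation, exactly as the wizard does behind the scenes; one rule is created per on-premises domain, so run the rule and association commands again for each additional domain.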

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.