
Creating Outbound DNS Resolver For AWS S2S VPN
If you are using AWS with a site-to-site VPN, you are running a hybrid cloud, and sooner or later you will need the private DNS records of your on-premises network to be resolvable from the cloud side. Let's take a look at how AWS solves this problem.
What is a DNS Resolver?
A DNS resolver takes a query for a name (an A record, for example) and finds the answer, either by recursing through the authoritative name servers itself or by forwarding the query to another server that can answer it. In AWS that job is done by a service called Amazon Route 53 Resolver.
Amazon Route 53 Resolver responds recursively to DNS queries from AWS resources for public records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in all VPCs.
as AWS describes it in its documentation.
Route 53 Resolver endpoints come in two kinds, named for the direction the queries travel:
- Inbound
- Outbound
Depending on which direction your queries need to go, you can create one or both.
Inbound Resolver
An inbound endpoint accepts queries that originate in your on-premises network and are forwarded to it over the VPN. If you have a private hosted zone in AWS with records in it, your on-prem DNS servers can resolve those records by forwarding queries for that zone to the inbound endpoint.

Outbound Resolver
An outbound endpoint forwards queries from your VPC to the DNS servers in your on-premises network, so the records you own there can be resolved from AWS. This is conditional forwarding: you define a rule for a domain, and only queries that match that domain (or one of its subdomains) are sent to the on-prem servers; everything else is still answered by Route 53 Resolver as usual.

In my case, I have an on-premises network with its own DNS zone and records, and I also have workloads in the public cloud: a private EKS cluster on AWS, connected to the on-prem network via site-to-site VPN. On one occasion, our team needed a private image that we kept in our private registry on-prem. That registry had a private DNS record and could only be resolved from the on-prem network. After some research I found out that an outbound resolver endpoint could solve my problem.
Let's see how it helped.
Creating and Using Outbound Resolver
After you sign in to the AWS console, go to the Route 53 Resolver service. From its main page you are routed to the endpoint configuration wizard.

The first step asks which endpoint type you want; in my case it was Outbound only.


This is the main page of the endpoint configuration, where you enter the details of your endpoint:
- Endpoint name: a name for the resolver endpoint.
- VPC in the Region: make sure to select the VPC that is attached to your site-to-site VPN.
- Security Group: create a fresh security group just for the resolver and select it here. An outbound endpoint only initiates queries, so it needs egress rules only: allow UDP and TCP port 53 to the on-prem DNS servers you will forward to, and nothing else.
- Endpoint Type: IPv4, IPv6 or DualStack. NOTE: you can specify the IP addresses yourself if you select DualStack. I went with IPv4.
- Protocols: Do53 or DoH. Do53 is ordinary DNS over UDP/TCP port 53, which is what almost every on-prem DNS server speaks, so select it unless you know your on-prem servers accept DNS over HTTPS. DoH is a different setup entirely: the target servers must support it, and your firewall rules change accordingly.
- IP Addresses: the endpoint requires at least two IP addresses in two different Availability Zones, so it stays reachable if one AZ has a problem. I recommend creating a dedicated subnet in each AZ and assigning the addresses there. If you want to choose the addresses yourself rather than let AWS pick them, you can do it here. Remember that these addresses are the source IPs of the forwarded queries: the subnets must be routable over the VPN, and the on-prem firewall must allow them in on port 53.

In the third step you create the forwarding rules that decide which queries are forwarded and where.
- Name: a name for the rule.
- Rule Type: Forward or System. Choose Forward to send matching queries to your on-prem DNS servers. (A System rule does the opposite: it tells Route 53 Resolver to answer a subdomain itself, overriding a broader Forward rule.)
- Domain Name: the domain the rule applies to. The rule matches that domain and all of its subdomains; when several rules match, the most specific one wins.
- VPCs that use this rule: make sure to select your site-to-site VPN VPC. A rule does nothing until it is associated with a VPC.
- Outbound Endpoint: populated by AWS with the outbound endpoint you are creating now.
- IP Address Type: also populated by AWS based on your stack selection: IPv4, IPv6 or dual stack.
- Target IP addresses: the on-prem DNS servers that matching queries are forwarded to. You can add several targets for redundancy; the port defaults to 53.
Review everything carefully and create the endpoint. Once it is up, you are ready to resolve names in your on-prem network: any query from the VPC for a domain covered by a forwarding rule is sent by the outbound endpoint to your on-prem DNS servers over the VPN, and the answer comes back the same way. Two things to keep in mind: the rules only apply to clients that use the VPC's own resolver (the Amazon-provided DNS at the VPC CIDR base plus two), so DNS resolution must be enabled on the VPC; and a private EKS cluster qualifies because CoreDNS forwards whatever it cannot answer to the nameserver in /etc/resolv.conf, which is that VPC resolver. A quick check from an EC2 instance or a pod in the VPC is dig registry.corp.example (substitute your own domain): the answer should carry the on-prem record.
And thus, you can resolve on-prem private DNS records.
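The same setup expressed as Terraform, as an added example that is not part of the original post or of any AWS sample: the least-privilege security group, the outbound endpoint spread over two AZs, and the conditional forwarding rule associated with the VPN VPC, matching the console steps above. It assumes the AWS provider v5 or later (for the protocols and resolver_endpoint_type arguments); the VPC and subnet IDs, the endpoint addresses 10.0.10.10 and 10.0.11.10, the domain corp.example and the on-prem DNS servers 192.168.1.53 and 192.168.1.54 are placeholder values to substitute with your own.

```hcl
# Added example, not from the original post. All IDs, addresses and names are assumptions.
variable "vpc_id" {}      # the VPC attached to the site-to-site VPN
variable "subnet_a_id" {} # small dedicated subnet for the endpoint in AZ a
variable "subnet_b_id" {} # small dedicated subnet for the endpoint in AZ b

locals {
  onprem_dns = ["192.168.1.53", "192.168.1.54"] # assumed on-prem DNS servers
}

# Least privilege: an outbound endpoint only initiates queries, so it needs
# egress only, and only to the on-prem resolvers on port 53 (UDP and TCP).
resource "aws_security_group" "resolver_outbound" {
  name        = "route53-resolver-outbound"
  description = "Egress to on-prem DNS only"
  vpc_id      = var.vpc_id

  dynamic "egress" {
    for_each = toset(["udp", "tcp"])
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = [for ip in local.onprem_dns : "${ip}/32"]
    }
  }
}

resource "aws_route53_resolver_endpoint" "outbound" {
  name                   = "onprem-outbound"
  direction              = "OUTBOUND"
  resolver_endpoint_type = "IPV4"
  protocols              = ["Do53"]
  security_group_ids     = [aws_security_group.resolver_outbound.id]

  # Two addresses in two AZs. These are the source IPs of the forwarded
  # queries, so the on-prem firewall must allow them in on port 53 over the VPN.
  ip_address {
    subnet_id = var.subnet_a_id
    ip        = "10.0.10.10"
  }
  ip_address {
    subnet_id = var.subnet_b_id
    ip        = "10.0.11.10"
  }
}

# Conditional forwarding: only corp.example and its subdomains go on-prem;
# everything else is still answered by Route 53 Resolver.
resource "aws_route53_resolver_rule" "corp" {
  name                 = "forward-corp-example"
  domain_name          = "corp.example"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = toset(local.onprem_dns)
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# The rule has no effect until it is associated with the VPC that should use it.
resource "aws_route53_resolver_rule_association" "corp" {
  resolver_rule_id = aws_route53_resolver_rule.corp.id
  vpc_id           = var.vpc_id
}
```

After terraform apply, confirm the rule is in effect from an instance or pod inside the VPC with dig registry.corp.example; if the query times out rather than returning NXDOMAIN, look at the VPN routes for the two endpoint subnets and at the on-prem firewall first, since the endpoint's security group has no ingress rules and needs none.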
Hope you will find this useful. If you have any questions you can reach out to me via mail or on linkedin!