Route 53 Resolver

Resolve DNS records on remote network from AWS

Alexandro Giorgianni
Claranet-CH
Jun 28, 2022

Hi guys,
today we’ll talk about Route 53 and one of its great features, the Resolver.
But first, let me explain why I decided to write this article.

In the last few days I have worked on a new project with two main infrastructures: the first on AWS, the other on VMware. In the latter there is a DNS server, and we need some Lambda functions in AWS to communicate with endpoints whose DNS records are managed by that DNS server on VMware.

To deal with this situation we decided to use a really interesting and easy-to-deploy service: Route 53 Resolver.

Route 53 Resolver has two purposes:
1. It allows DNS queries from your VPC to your network -> using an OUTBOUND endpoint
2. It allows DNS queries from your network to your VPC -> using an INBOUND endpoint

Now I will show you the simple steps to deploy an outbound endpoint that sends DNS queries to your remote network.

My face when I realized how simple it was

First of all, let’s make sure we meet the prerequisites:

  1. Don’t use custom DNS on AWS: this procedure is not valid with custom DNS; the VPC must use the Amazon-provided DNS.
  2. Make sure DNS Resolution is enabled in the DNS support attributes of the VPC where you want to create the outbound endpoint.
Right-click on your VPC, then ‘Edit DNS Resolution’.

Ok, we can start:

  1. Open the Route 53 console
  • Choose the Region where you want to enable the Resolver
  • In the navigation panel (on the left) click on Outbound Endpoint

2. In ‘General Settings’ select the VPC through which all outbound DNS queries will flow and the security group that will allow the traffic.

  • In the ‘IP Addresses’ section you can choose 3 private IPs to assign, to improve reliability.
    The console requires you to choose two IPs, but to follow best practice you can add a third IP address and use 3 different AZs.

‘You can let the Resolver choose IP addresses for you from the available IP addresses in the subnet, or specify IP addresses yourself.’

3. Now choose ‘Create Rule’

  • In the ‘Rule for outbound traffic’ section choose ‘Rule Type’ Forward
  • In the ‘Domain Name’ section write the name of the domain you need to reach.
  • In the ‘VPCs that use this rule’ section select your VPC. It doesn’t need to be the same VPC where you created the outbound endpoint.

4. Now select your target: go to the bottom of the page and enter the IP address to which DNS queries will be forwarded.
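The same four steps as infrastructure code, as an added example that is not part of the original article: a Terraform definition of the outbound endpoint, a forwarding rule and its VPC association, plus a security group that only lets the endpoint talk DNS to the remote server. Every ID, address and domain name in it is a placeholder, not a value from the article.

```hcl
# Added example (not from the article): steps 1-4 as Terraform. Every ID,
# address and domain below is a placeholder to replace with your own values.
locals {
  vpc_id           = "vpc-PLACEHOLDER"
  subnet_ids       = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b", "subnet-PLACEHOLDER-c"]
  remote_dns_ip    = "10.100.0.53"           # DNS server on the VMware side
  forwarded_domain = "corp.example.internal" # zone served by that DNS server
}

# Security group for the endpoint ENIs: DNS egress (53/udp and 53/tcp) only,
# and only to the remote resolver. An outbound endpoint needs no inbound rule.
resource "aws_security_group" "resolver_outbound" {
  name   = "route53-resolver-outbound"
  vpc_id = local.vpc_id

  dynamic "egress" {
    for_each = ["udp", "tcp"]
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = ["${local.remote_dns_ip}/32"]
    }
  }
}

# Steps 1-2: outbound endpoint with one IP in each of three AZs; leaving "ip"
# unset lets the Resolver pick a free address in each subnet.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-vmware-dns"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]

  dynamic "ip_address" {
    for_each = local.subnet_ids
    content { subnet_id = ip_address.value }
  }
}

# Steps 3-4: FORWARD rule for the remote domain, targeting the remote server.
resource "aws_route53_resolver_rule" "forward_corp" {
  name                 = "forward-corp"
  domain_name          = local.forwarded_domain
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  target_ip { ip = local.remote_dns_ip }
}

# Associate the rule with the VPC whose Lambda functions need the records;
# it may be a different VPC from the one holding the endpoint.
resource "aws_route53_resolver_rule_association" "forward_corp" {
  resolver_rule_id = aws_route53_resolver_rule.forward_corp.id
  vpc_id           = local.vpc_id
}
```

Keeping the security group egress pinned to the remote server’s /32 on port 53 means a misconfigured rule can only reach that resolver, not arbitrary hosts on the remote network.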

We have finished deploying the outbound endpoint. All you need to do now is test the solution, so go to any EC2 instance in a VPC associated with the rule and run one of these two commands:

dig recordname recordtype
(e.g. dig test.example.com A)

nslookup -type=recordtype recordname
(e.g. nslookup -type=A test.example.com)

If that doesn’t work:
1. Check your security group and NACL (Network Access Control List)
2. Check the route tables of the VPC you are using.
3. Make sure there is connectivity between the 2 networks (VPN or Direct Connect)


What about me? Today technology is my biggest passion. Currently I work as a Solution Architect and Authorized AWS Instructor.