AWS – Hybrid DNS

Route 53 & On-Premise DNS Integration

Introduction

The Domain Name System (DNS) is a foundational element of the Internet: it resolves names to addresses, so nobody has to memorize the IP addresses of the servers and services in their own network or on the Internet. This document covers hybrid DNS resolution, including Microsoft Active Directory Domain Services (AD DS), so that services inside and outside of AWS can resolve each other's namespaces. The solutions and recommendations target workloads that require AD DS DNS resolution between on-premises data centers and resources in AWS.

Many organizations have both on-premises resources and resources in the cloud, and DNS name resolution is essential for both. If you run hybrid workloads, extra steps are necessary to configure DNS to work seamlessly across the two environments. Architecting Microsoft Active Directory across AWS and on-premises environments should be done with care: it is extremely important to define AD sites correctly, along with the subnet definitions for those sites. This mapping prevents clients from using remote domain controllers for authentication and authorization, which would add latency for end users and services that are not local to those domain controllers.

Key Concepts

Elastic network interfaces (ENIs)

Elastic network interfaces are virtual network interfaces in a VPC. Like any network adapter, an ENI is the interface a device such as an EC2 instance uses to connect to a network. An ENI receives a primary private IP address from its subnet's range automatically, or you can assign one or more addresses of your choosing, provided they fall within the range of the subnet the ENI sits in.

Endpoints & Conditional Forwarding Rules

Route 53 provides several DNS features: public domain registration, public and private hosted zones, hybrid DNS tooling, and DNS name resolution. For name resolution, Route 53 Resolver answers queries for private hosted zones and VPC resource names and recursively resolves public names. Resolver endpoints are created by placing an elastic network interface (ENI), and therefore an IP address, in each subnet for which you want to provide a resolver. Route 53 Resolver has two types of endpoints: inbound and outbound.

Inbound Endpoints

For inbound queries (from on-premises to AWS), an inbound Resolver endpoint lets your on-premises DNS servers forward queries for names hosted in AWS (private hosted zones and VPC resource names) to Route 53 Resolver. To use this feature, connectivity must be established between the on-premises DNS infrastructure and the VPC through AWS Direct Connect or a Virtual Private Network (VPN).

Outbound Endpoints

For outbound queries (from AWS to on-premises), conditional forwarding rules come into play. Domains hosted on on-premises DNS are configured as forwarding rules in Route 53 Resolver. A rule is triggered when a query is made for one of these domains (or a subdomain of it), and the query is forwarded through an outbound endpoint to the DNS servers configured as the rule's targets.

Private hosted zone

A private hosted zone in AWS Route 53 is a container that holds information on objects you want DNS queries to resolve for a domain and its subdomains within one or more VPCs.

Amazon VPC DHCP options set

The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The Options field of a DHCP message contains configuration parameters such as domain-name-servers, domain-name, ntp-servers, and netbios-node-type. In any Amazon VPC, you can create DHCP options sets and specify up to four DNS servers; the default options set points instances at the Amazon-provided VPC resolver. An options set is applied to the whole VPC.

Prerequisites

  • Network connectivity between your on-premises network and AWS via a VPN connection or Direct Connect
  • The VPC attributes enableDnsSupport and enableDnsHostnames are both enabled on the VPC in which you will create the endpoints
  • There is at least one private hosted zone with the records you want to resolve, and the zone is associated with the VPC(s) holding the active resources that the DNS records point to
  • For the inbound endpoint, a security group with inbound rules that allow TCP and UDP port 53 only from the on-premises DNS servers or network ranges that will forward to it; do not open port 53 to 0.0.0.0/0
  • For the outbound endpoint, a security group with outbound rules that allow TCP and UDP traffic to the on-premises DNS servers on the ports those servers listen on
    • By default this is TCP/UDP port 53; if other ports are used, configure them accordingly.

Note: While Route 53 hosted zones are global resources, Route 53 Resolver endpoints are regional resources.

On-Premises to AWS Resolution

AWS – Resolver Inbound Endpoint

  1. Navigate to the Route 53 console and click Inbound endpoints
  2. Click Create inbound endpoint
  3. Enter a name for the endpoint
  4. Select a VPC through which all the inbound DNS queries will flow on the way to the Resolver
  5. Set the security group (stated in the prerequisites)
  6. Specify the IP addresses of the endpoint
    • Resolver requires at least two IP addresses for the endpoint, in subnets in different Availability Zones (one ENI is created per address), so that resolution survives the loss of a single zone. You can add more addresses later.
  7. Set the tags if required and click Submit to start the endpoint creation.

On-Premises – DNS

Configure your on-premises DNS server to conditionally forward queries for the AWS private hosted zone (and, if needed, other private AWS names) to the IP addresses of the inbound endpoint created above.

  1. Navigate to your on-premises network DNS server and create a conditional forwarder
  2. In the DNS Domain field, enter the domain name of the private hosted zone
  3. Input the IP addresses of the endpoints created above
  4. Select the Store this conditional forwarder in Active Directory option so that it replicates to the other DNS servers in the domain or forest

Note: To resolve private names of Amazon resources that are not publicly exposed, such as EC2 instance private DNS names or EFS mount targets, you can create another conditional forwarder for the DNS domain amazonaws.com pointing at the same inbound endpoint addresses. Be aware that this sends every amazonaws.com lookup from on-premises through the VPC, so any service that has private DNS enabled on an interface endpoint in that VPC will resolve to the endpoint's private addresses from on-premises as well; scope the forwarder to the specific service domains you need if that is not the intent.

Once the endpoint and the conditional forwarder are created, you are able to resolve domain names from your on-premises network against the records in the AWS private hosted zone.

AWS to On-Premises Resolution

AWS – Resolver Outbound Endpoint

  1. Navigate to the Route 53 console and click Outbound endpoints
  2. Click Create outbound endpoint
  3. Follow the same steps you followed in creating an inbound endpoint, but for the security group, select the security group you created earlier for the outbound endpoint

Resolver rule

  1. Navigate to the Route 53 Console and click Rules
  2. Click Create rule
  3. Enter a friendly name for the Resolver rule.
  4. Select the Forward rule type
  5. Specify the on-premises domain name (for example your AD DS domain); the rule also matches its subdomains
  6. Select the VPC(s) to which this rule will be associated
  7. Select the outbound endpoint you created above
  8. Input the Target IP addresses of the on-premises network DNS servers

Once the configurations and the rules are created, you are able to resolve domain names from the AWS VPCs you specified in the rule configuration against the on-premises network.
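The three console procedures above (inbound endpoint, outbound endpoint, forwarding rule) map to a handful of Route 53 Resolver and EC2 API calls. The following is an added example, not code from the original page, that drives those same calls with boto3. The clients are passed in as parameters so the logic can be dry-run offline with the recorder class; every VPC, subnet, CIDR and domain name is an assumed placeholder.

```python
"""Route 53 Resolver hybrid DNS setup with boto3 (added example).

Clients are passed in so the logic can be exercised with DryRunClient;
with real boto3 clients it makes the same Route 53 Resolver and EC2 calls
the console steps drive. All identifiers below are assumed placeholders.
"""
import uuid

ON_PREM_CIDRS = ["10.200.0.0/16"]              # assumed on-premises address space
ON_PREM_DNS = ["10.200.1.10", "10.200.1.11"]   # assumed on-prem DNS servers (domain controllers)


class DryRunClient:
    """Records API calls instead of making them and returns canned IDs.
    Swap in boto3.client("ec2") / boto3.client("route53resolver") for a real run."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**params):
            self.calls.append((api, params))
            n = len(self.calls)
            return {"GroupId": f"sg-{n}",
                    "ResolverEndpoint": {"Id": f"rslvr-ep-{n}"},
                    "ResolverRule": {"Id": f"rslvr-rr-{n}"}}
        return call


def dns_rules(cidrs, port=53):
    """Security-group permissions for DNS: TCP and UDP on `port`, scoped to `cidrs` only."""
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]} for proto in ("tcp", "udp")]


def enable_vpc_dns(ec2, vpc_id):
    """Prerequisite: both VPC DNS attributes must be on for Resolver endpoints."""
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": True})
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})


def create_dns_security_group(ec2, vpc_id, name, direction):
    """INBOUND: allow 53/tcp+udp in from on-prem ranges only.
    OUTBOUND: allow 53/tcp+udp out to the on-prem DNS servers only."""
    sg_id = ec2.create_security_group(GroupName=name, Description=f"Resolver {direction} DNS",
                                      VpcId=vpc_id)["GroupId"]
    if direction == "INBOUND":
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=dns_rules(ON_PREM_CIDRS))
    else:
        ec2.authorize_security_group_egress(
            GroupId=sg_id, IpPermissions=dns_rules([f"{ip}/32" for ip in ON_PREM_DNS]))
    return sg_id


def create_endpoint(r53r, name, direction, sg_id, subnets_by_az):
    """Create an INBOUND or OUTBOUND endpoint; Resolver needs addresses in >= 2 AZs."""
    if len(subnets_by_az) < 2:
        raise ValueError("Resolver endpoints need subnets in at least two Availability Zones")
    resp = r53r.create_resolver_endpoint(
        CreatorRequestId=str(uuid.uuid4()),          # idempotency token
        Name=name, Direction=direction, SecurityGroupIds=[sg_id],
        IpAddresses=[{"SubnetId": s} for s in subnets_by_az.values()])
    return resp["ResolverEndpoint"]


def create_forward_rule(r53r, name, domain, endpoint_id, targets, vpc_ids):
    """FORWARD rule for `domain` (and subdomains) via the outbound endpoint, then associate it."""
    resp = r53r.create_resolver_rule(
        CreatorRequestId=str(uuid.uuid4()), Name=name, RuleType="FORWARD",
        DomainName=domain, ResolverEndpointId=endpoint_id,
        TargetIps=[{"Ip": ip, "Port": 53} for ip in targets])
    rule_id = resp["ResolverRule"]["Id"]
    for vpc_id in vpc_ids:
        r53r.associate_resolver_rule(ResolverRuleId=rule_id, VPCId=vpc_id, Name=f"{name}-{vpc_id}")
    return rule_id


def build_hybrid_dns(ec2, r53r, vpc_id, subnets_by_az, onprem_domain):
    """Both directions: inbound endpoint (on-prem -> AWS) and outbound endpoint + rule (AWS -> on-prem)."""
    enable_vpc_dns(ec2, vpc_id)
    in_sg = create_dns_security_group(ec2, vpc_id, "r53-resolver-inbound", "INBOUND")
    out_sg = create_dns_security_group(ec2, vpc_id, "r53-resolver-outbound", "OUTBOUND")
    inbound = create_endpoint(r53r, "hybrid-inbound", "INBOUND", in_sg, subnets_by_az)
    outbound = create_endpoint(r53r, "hybrid-outbound", "OUTBOUND", out_sg, subnets_by_az)
    rule_id = create_forward_rule(r53r, "onprem-ad", onprem_domain, outbound["Id"], ON_PREM_DNS, [vpc_id])
    return {"inbound_endpoint": inbound["Id"], "outbound_endpoint": outbound["Id"], "rule": rule_id}


if __name__ == "__main__":
    import boto3  # only needed for a real run against an account
    print(build_hybrid_dns(boto3.client("ec2"), boto3.client("route53resolver"),
                           "vpc-0123456789abcdef0",                       # assumed
                           {"us-east-1a": "subnet-aaa", "us-east-1b": "subnet-bbb"},  # assumed
                           "corp.example.com"))                           # assumed AD DS domain
```

The inbound endpoint's addresses are what the on-premises conditional forwarder points at; the rule's target IPs are the on-premises domain controllers. Note that the inbound security group is scoped to the on-premises ranges and the outbound group to the DNS servers themselves, rather than to 0.0.0.0/0.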
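Both sections end with "you are able to resolve"; a practitioner wants to prove that before handing the setup over. The following added example (not from the original page) is a stdlib-only DNS probe: run it from an on-premises host against one of the inbound endpoint addresses with a name from the private hosted zone, and from an EC2 instance against the VPC resolver (169.254.169.253) with a name from the on-premises domain. The parser checks the transaction ID so a stale or spoofed reply is rejected rather than misread as success. The server addresses and names in the usage lines are assumed placeholders, and the sample reply used for offline testing is constructed, not captured.

```python
"""Minimal DNS probe for verifying hybrid resolution paths (added example, stdlib only)."""
import random
import socket
import struct


def build_query(name, qtype=1):
    """Encode a standard recursion-desired query for `name`; returns (txid, packet)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, 1 question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(packet, offset):
    """Decode a (possibly compressed) domain name; returns (name, offset_after_name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                                  # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(packet, expected_txid):
    """Return rcode, AA flag and A-record answers; reject replies whose txid does not match."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(packet, offset)
        offset += 4                                                # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                              # A record
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400), "answers": answers}


def probe(server, name, timeout=2.0):
    """Send one UDP query to `server`:53 and parse the reply."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def sample_response(name="app.aws.example.internal", ip="10.0.1.25"):
    """Constructed reply (not captured traffic) for offline testing of the parser:
    an authoritative answer with one A record whose name is a pointer to the question."""
    txid, query = build_query(name)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)    # QR, AA, RD, RA; 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return txid, header + query[12:] + answer


if __name__ == "__main__":
    import sys
    # From on-prem:  python probe.py 10.0.1.10 app.aws.example.internal      (assumed inbound endpoint IP)
    # From EC2:      python probe.py 169.254.169.253 dc01.corp.example.com   (assumed on-prem name)
    print(probe(sys.argv[1], sys.argv[2]))
```

An rcode of 3 (NXDOMAIN) from the inbound endpoint usually means the private hosted zone is not associated with the VPC the endpoint lives in; a timeout from on-premises usually means the inbound security group or the Direct Connect/VPN path does not admit the on-premises source address on port 53.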

Additional considerations

  • In AD DS, use domain controllers as DNS servers, because they support AD-integrated zones and secure dynamic updates from Windows DNS clients
  • Keep DNS name resolution local to the AWS Region where possible to reduce latency
  • Share centralized Route 53 Resolver endpoints across all VPCs in your organization rather than building endpoints per VPC
  • Create conditional forwarders on the on-premises DNS servers for all Route 53 private zones and for the DNS zones of AWS Managed Microsoft AD (or self-managed AD DS running on EC2), and point them at the Route 53 Resolver inbound endpoints
  • Use Route 53 Resolver as the forwarder for all other DNS domains for which your domain controllers are not authoritative, so that the domain controllers can recursively resolve records in Route 53 private zones and benefit from the Resolver forwarding rules
  • Use Route 53 Resolver endpoints to build a DNS resolution hub and manage DNS traffic through conditional forwarders and forwarding rules

Conclusion

For organizations with ADDS, operating in a hybrid architecture is a necessary part of the cloud adoption process. The solutions provided above show how to use Route 53 outbound and inbound endpoints, and the integration of ADDS with conditional forwarders.
