Arun's Blog

AWS - Hybrid DNS

Tags: DNS, Networking, Hybrid Cloud
TL;DR

Configure Route 53 Resolver endpoints to enable DNS resolution between on-premises networks and AWS. Use inbound endpoints for on-prem to AWS resolution and outbound endpoints with forwarding rules for AWS to on-prem resolution. Works with Active Directory environments.

Introduction

The Domain Name System (DNS) is a foundational element of the internet: it acts as a concierge for name resolution, so you do not have to memorize the IP addresses of the many servers and services in your network or on the Internet. This post covers hybrid DNS resolution, including for Microsoft Active Directory Domain Services (AD DS), using DNS name resolution services so that services inside and outside of AWS can resolve each other's namespaces.

Many organizations have both on-premises resources and resources in the cloud. DNS name resolution is essential for on-premises and cloud-based resources. If you have hybrid workloads, extra steps are necessary to configure DNS to work seamlessly across both environments.

Important

Architecting Microsoft Active Directory with AWS environments should be done with care. It is extremely important to define AD sites correctly, along with their respective subnet definitions. Without this mapping, clients may authenticate and authorize against remote domain controllers, which adds latency for end users and services.

Key Concepts

Elastic Network Interfaces (ENIs)

Virtual network interfaces in a VPC that obtain an IP address from DHCP or can be assigned static IPs from the subnet range.

Endpoints & Conditional Forwarding Rules

Route 53 Resolver can perform recursive searches on public and local name servers. Endpoints are created by placing an ENI (and IP address) in each subnet where you want to provide a resolver.

Inbound Endpoints

For inbound (on-premises to AWS) DNS queries. An inbound Resolver endpoint lets on-premises DNS servers send queries for domains hosted on AWS to Route 53 Resolver. Requires connectivity through Direct Connect or VPN.

Outbound Endpoints

For outbound (from AWS to on-premises) DNS queries. Conditional forwarding rules are triggered when a query matches configured domains, forwarding to on-premises DNS servers.

Private Hosted Zone

A container in Route 53 that holds DNS records for a domain and its subdomains within one or more VPCs.

Amazon VPC DHCP Options Set

Configuration parameters including domain-name-servers, domain-name, ntp-servers, and netbios-node-type. You can specify up to four DNS servers; the options set applies to the whole VPC.

Prerequisites

  • Network connectivity between on-premises and AWS via VPN or Direct Connect
  • DNS hostnames and DNS resolution enabled in the VPC's DNS attributes
  • Private hosted zone with records attached to VPC(s) with active resources
  • Security group for inbound endpoint allowing TCP/UDP port 53 from on-premises IPs
  • Security group for outbound endpoint allowing TCP/UDP port 53 to on-premises DNS servers

Note

While Route 53 hosted zones are global resources, Route 53 Resolver endpoints are regional resources. Plan your endpoint placement accordingly.

On-Premises to AWS Resolution

AWS - Resolver Inbound Endpoint

  1. Navigate to the Route 53 console and click Inbound endpoints
  2. Click Create inbound endpoint
  3. Enter a name for the endpoint
  4. Select a VPC through which all inbound DNS queries will flow
  5. Set the security group (from prerequisites)
  6. Specify the IP addresses of the endpoint
    • For reliability, Resolver requires two IP addresses across different availability zones
  7. Set tags if required and click Submit

On-Premises - DNS Conditional Forwarder

  1. Navigate to your on-premises DNS server and create a conditional forwarder
  2. In the DNS Domain field, enter the domain name of the private hosted zone
  3. Input the IP addresses of the endpoints created above
  4. Select "Store this conditional forwarder in Active Directory" for replication

Pro Tip

To resolve private Amazon resources (EC2 instances, EFS, etc.) that aren't publicly exposed, create another conditional forwarder with the DNS domain name of amazonaws.com.

AWS to On-Premises Resolution

AWS - Resolver Outbound Endpoint

  1. Navigate to the Route 53 console and click Outbound endpoints
  2. Click Create outbound endpoint
  3. Follow the same steps as inbound endpoint, using the outbound security group

Resolver Rule

  1. Navigate to the Route 53 Console and click Rules
  2. Click Create rule
  3. Enter a friendly name for the Resolver rule
  4. Select the Forward rule type
  5. Specify the domain name of the on-premises network
  6. Select the VPC(s) to associate with this rule
  7. Select the outbound endpoint created above
  8. Input the Target IP addresses of on-premises DNS servers
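The two procedures above (outbound endpoint, then forward rule and VPC association) carried out through the boto3 route53resolver API instead of the console, as an added example that is not the post's own code. The client methods and parameters are the real boto3 ones; the subnet, security-group and VPC IDs, the domain and the target addresses are constructed placeholders, and RecordingClient is a hypothetical stand-in so the flow can be exercised offline.

```python
import uuid

def create_outbound_forwarding(client, name, subnet_ids, security_group_id,
                               domain_name, onprem_dns_ips, vpc_ids):
    """Returns (endpoint_id, rule_id). `client` is a boto3 route53resolver
    client, or any object exposing the same three methods (see below)."""
    if len(subnet_ids) < 2:  # the post: two endpoint IPs across different AZs
        raise ValueError("outbound endpoint needs subnets in at least two AZs")
    endpoint = client.create_resolver_endpoint(
        CreatorRequestId=str(uuid.uuid4()),    # idempotency token
        Name=f"{name}-outbound",
        SecurityGroupIds=[security_group_id],  # must allow TCP/UDP 53 to on-prem
        Direction="OUTBOUND",
        IpAddresses=[{"SubnetId": s} for s in subnet_ids],  # Resolver picks an IP
    )["ResolverEndpoint"]
    rule = client.create_resolver_rule(
        CreatorRequestId=str(uuid.uuid4()),
        Name=f"{name}-forward",                # kept free of dots (letters, digits, -, _)
        RuleType="FORWARD",
        DomainName=domain_name,                # the on-prem AD domain
        TargetIps=[{"Ip": ip, "Port": 53} for ip in onprem_dns_ips],
        ResolverEndpointId=endpoint["Id"],
    )["ResolverRule"]
    for vpc_id in vpc_ids:                     # the rule applies only where associated
        client.associate_resolver_rule(ResolverRuleId=rule["Id"],
                                       Name=f"{name}-{vpc_id}", VPCId=vpc_id)
    return endpoint["Id"], rule["Id"]

class RecordingClient:
    """Hypothetical stand-in for boto3: records calls, returns constructed IDs."""
    def __init__(self):
        self.calls = []
    def create_resolver_endpoint(self, **kw):
        self.calls.append(("endpoint", kw))
        return {"ResolverEndpoint": {"Id": "rslvr-out-0000example"}}
    def create_resolver_rule(self, **kw):
        self.calls.append(("rule", kw))
        return {"ResolverRule": {"Id": "rslvr-rr-0000example"}}
    def associate_resolver_rule(self, **kw):
        self.calls.append(("assoc", kw))
        return {}

if __name__ == "__main__":
    import boto3  # real run: needs credentials and the prerequisites in the post
    print(create_outbound_forwarding(boto3.client("route53resolver"), "hybrid",
          ["subnet-0aaa", "subnet-0bbb"], "sg-0dns", "corp.example.internal",
          ["192.0.2.10", "192.0.2.11"], ["vpc-0app"]))
```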

Best Practices

  • In ADDS, use domain controllers as DNS servers for dynamic update support
  • Maintain local DNS name resolution in the AWS Region to reduce latency
  • Share centralized Route 53 Resolver endpoints across all VPCs in your organization
  • Create conditional forwarders on local DNS servers for all Route 53 DNS zones
  • Use Amazon Route 53 as a conditional forwarder target for domains for which your DNS servers are not authoritative
  • Use Route 53 Resolver endpoints to create a DNS resolution hub

Troubleshooting

  • On-prem can't resolve AWS private hosted zone - Verify the conditional forwarder points to the inbound endpoint IPs. Check that the security group allows port 53 from on-premises.
  • AWS resources can't resolve on-prem domains - Verify the outbound endpoint and resolver rule are configured. Check that on-premises DNS servers are reachable and the security group allows outbound port 53.
  • Intermittent resolution failures - Ensure you have endpoints in multiple AZs. Check that both endpoint IPs are configured in conditional forwarders.
  • Resolution works but is slow - Check if queries are going to remote domain controllers. Verify AD sites and subnets are correctly configured.
  • Private hosted zone not resolving - Verify the private hosted zone is associated with the VPC. Check that DNS hostnames and DNS resolution are enabled in VPC settings.
  • Resolver rule not matching - Verify the domain name in the rule matches exactly. Rules are case-insensitive but must match the domain structure.
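Two of the troubleshooting points above, endpoint IPs spread across Availability Zones and rule domain matching being case-insensitive but bound to the domain structure, modelled in Python as an added example that is not code from the post. Rule selection mirrors Resolver's behaviour of applying the most specific matching forward rule; the .internal domains and the addresses are constructed.

```python
from collections import Counter

def normalize(name):
    """DNS names are case-insensitive; drop the trailing dot before comparing."""
    return name.strip().rstrip(".").lower()

def labels_match(query, domain):
    """A rule domain matches the query itself or any subdomain of it, on whole
    labels only: 'corp.example.internal' does not match 'xcorp.example.internal'."""
    q, d = normalize(query), normalize(domain)
    return q == d or q.endswith("." + d)

def select_rule(query, rules):
    """rules maps a forward-rule domain to its on-prem target IPs. Resolver
    applies the most specific matching rule; with no match the query takes the
    VPC default path (private hosted zones, then public DNS)."""
    matches = [d for d in rules if labels_match(query, d)]
    if not matches:
        return ("default", [])
    best = max(matches, key=lambda d: normalize(d).count("."))  # most labels wins
    return ("forward", rules[best])

def check_endpoint_ips(ip_addresses):
    """Findings for an endpoint's IP list: the post asks for two addresses in
    different Availability Zones so one AZ outage does not break resolution."""
    findings = []
    if len(ip_addresses) < 2:
        findings.append("fewer than two endpoint IP addresses")
    if len(Counter(ip["az"] for ip in ip_addresses)) < 2:
        findings.append("all endpoint IPs in a single AZ")
    return findings

# Constructed sample: an on-prem AD forest domain plus a more specific child domain
RULES = {
    "corp.example.internal": ["192.0.2.10", "192.0.2.11"],
    "lab.corp.example.internal": ["192.0.2.20"],
}
ENDPOINT_IPS = [
    {"ip": "10.0.1.53", "az": "us-east-1a"},
    {"ip": "10.0.2.53", "az": "us-east-1b"},
]

if __name__ == "__main__":
    for q in ["DC01.corp.example.internal.", "web.lab.corp.example.internal",
              "app.aws.example.internal", "xcorp.example.internal"]:
        print(f"{q:35} -> {select_rule(q, RULES)}")
    print("endpoint findings:", check_endpoint_ips(ENDPOINT_IPS) or "none")
```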

Conclusion

For organizations with ADDS, operating in a hybrid architecture is a necessary part of the cloud adoption process. Route 53 outbound and inbound endpoints, combined with ADDS conditional forwarders, provide seamless DNS resolution between on-premises and AWS environments.