Using a custom DNS server for outbound network access - Amazon Relational Database Service

Using a custom DNS server for outbound network access

Amazon RDS for PostgreSQL supports outbound network access on your DB instances and allows Domain Name Service (DNS) resolution from a custom DNS server owned by the customer. You can resolve only fully qualified domain names from your Amazon RDS DB instance through your custom DNS server.

Enabling custom DNS resolution

To enable DNS resolution in your customer VPC, associate a custom DB parameter group to your RDS for PostgreSQL instance, turn on the rds.custom_dns_resolution parameter by setting it to 1, and then restart the DB instance for the changes to take place.

Disabling custom DNS resolution

To disable DNS resolution in your customer VPC, turn off the rds.custom_dns_resolution parameter of your custom DB parameter group by setting it to 0, then restart the DB instance for the changes to take place.

Setting up a custom DNS server

After you set up your custom DNS name server, it takes up to 30 minutes to propagate the changes to your DB instance. After the changes are propagated to your DB instance, all outbound network traffic requiring a DNS lookup queries your DNS server over port 53.

Note

If you don't set up a custom DNS server, and rds.custom_dns_resolution is set to 1, hosts are resolved using a Route 53 private zone. For more information, see Working with private hosted zones.

To set up a custom DNS server for your Amazon RDS for PostgreSQL DB instance

  1. From the DHCP options set attached to your VPC, set the domain-name-servers option to the IP address of your DNS name server. For more information, see DHCP options sets.

    Note

    The domain-name-servers option accepts up to four values, but your Amazon RDS DB instance uses only the first value.

  2. Ensure that your DNS server can resolve all lookup queries, including public DNS names, Amazon EC2 private DNS names, and customer-specific DNS names. If the outbound network traffic contains any DNS lookups that your DNS server can't handle, your DNS server must have appropriate upstream DNS providers configured.

  3. Configure your DNS server to produce User Datagram Protocol (UDP) responses of 512 bytes or less.

  4. Configure your DNS server to produce Transmission Control Protocol (TCP) responses of 1024 bytes or less.

  5. Configure your DNS server to allow inbound traffic from your Amazon RDS DB instances over port 53. If your DNS server is in an Amazon VPC, the VPC must have a security group that contains inbound rules that allow UDP and TCP traffic on port 53. If your DNS server is not in an Amazon VPC, it must have appropriate firewall settings to allow UDP and TCP inbound traffic on port 53.

    For more information, see Security groups for your VPC and Adding and removing rules.

  6. Configure the VPC of your Amazon RDS DB instance to allow outbound traffic over port 53. Your VPC must have a security group that contains outbound rules that allow UDP and TCP traffic on port 53.

    For more information, see Security groups for your VPC and Adding and removing rules.

  7. The routing path between the Amazon RDS DB instance and the DNS server has to be configured correctly to allow DNS traffic.

    If the Amazon RDS DB instance and the DNS server are not in the same VPC, a peering connection has to be set up between them. For more information, see What is VPC peering?