Forwarding outbound DNS queries to your network
To forward DNS queries that originate on Amazon EC2 instances in one or more VPCs to your network, you create an outbound endpoint and one or more rules:
- Outbound endpoint
To forward DNS queries from your VPCs to your network, you create an outbound endpoint. An outbound endpoint specifies the IP addresses that queries originate from. Those IP addresses, which you choose from the range of IP addresses available to your VPC, aren't public IP addresses. This means that, for each outbound endpoint, you need to connect your VPC to your network using an AWS Direct Connect connection, a VPN connection, or a network address translation (NAT) gateway. Note that you can use the same outbound endpoint for multiple VPCs in the same Region, or you can create multiple outbound endpoints. If you want your outbound endpoint to use DNS64, you can enable DNS64 using Amazon Virtual Private Cloud. For more information, see DNS64 and NAT64 in the Amazon VPC User Guide.
Resolver chooses the target IP address from a Route 53 Resolver rule at random; no target IP is preferred over another. If a target IP does not respond to the forwarded DNS request, Resolver retries with another target IP chosen at random from the rule's target IPs.
- Rules
To specify the domain names of the queries that you want to forward to DNS resolvers on your network, you create one or more rules. Each rule specifies one domain name. You then associate rules with the VPCs for which you want to forward queries to your network.
For more information, see the following topics:
Configuring outbound forwarding
To configure Resolver to forward DNS queries that originate in your VPC to your network, perform the following procedures.
Important
After you create an outbound endpoint, you must create one or more rules and associate them with one or more VPCs. Rules specify the domain names of the DNS queries that you want to forward to your network.
To create an outbound endpoint
1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. In the navigation pane, choose Outbound endpoints.
3. On the navigation bar, choose the Region where you want to create an outbound endpoint.
4. Choose Create outbound endpoint.
5. Enter the applicable values. For more information, see Values that you specify when you create or edit outbound endpoints.
6. Choose Create.
Note
Creating an outbound endpoint takes a minute or two. You can't create another outbound endpoint until the first one is created.
7. Create one or more rules to specify the domain names of the DNS queries that you want to forward to your network. For more information, see the next procedure.
To create one or more forwarding rules, perform the following procedure.
To create forwarding rules and associate the rules with one or more VPCs
1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. In the navigation pane, choose Rules.
3. On the navigation bar, choose the Region where you want to create the rule.
4. Choose Create rule.
5. Enter the applicable values. For more information, see Values that you specify when you create or edit rules.
6. Choose Save.
7. To add another rule, repeat steps 4 through 6.
Values that you specify when you create or edit outbound endpoints
When you create or edit an outbound endpoint, you specify the following values:
- Outpost ID
If you are creating the endpoint for a Resolver on an AWS Outposts VPC, this is the AWS Outposts ID.
- Endpoint name
A friendly name that lets you easily find an outbound endpoint on the dashboard.
- VPC in the region-name Region
All outbound DNS queries will flow through this VPC on the way to your network.
- Security group for this endpoint
The ID of one or more security groups that you want to use to control access to this VPC. The security group that you specify must include one or more outbound rules. Outbound rules must allow TCP and UDP access on the port that you're using for DNS queries on your network. You can't change this value after you create an endpoint.
Some security group rules cause your connections to be tracked, which can reduce the maximum queries per second from the outbound endpoint to your target name server. To avoid connection tracking caused by a security group, see Untracked connections.
For more information, see Security groups for your VPC in the Amazon VPC User Guide.
- Endpoint type
The endpoint type can be IPv4, IPv6, or dual-stack. A dual-stack endpoint has both an IPv4 and an IPv6 address that the DNS resolvers on your network can forward DNS queries to.
Note
For security reasons, direct IPv6 traffic to the public internet is denied for all dual-stack and IPv6 addresses.
- IP addresses
The IP addresses in your VPC that you want Resolver to forward DNS queries to on the way to resolvers on your network. These are not the IP addresses of the DNS resolvers on your network; you specify resolver IP addresses when you create the rules that you associate with one or more VPCs. We require you to specify a minimum of two IP addresses for redundancy.
Note
Resolver endpoints have private IP addresses, and these addresses do not change over the life of the endpoint.
Note the following:
- Multiple Availability Zones
We recommend that you specify IP addresses in at least two Availability Zones. You can optionally specify additional IP addresses in those or other Availability Zones.
- IP addresses and Amazon VPC elastic network interfaces
For each combination of Availability Zone, Subnet, and IP address that you specify, Resolver creates an Amazon VPC elastic network interface. For the current maximum number of DNS queries per second per IP address in an endpoint, see Quotas on Route 53 Resolver. For information about pricing for each elastic network interface, see "Amazon Route 53" on the Amazon Route 53 pricing page.
- Order of IP addresses
You can specify IP addresses in any order. When forwarding DNS queries, Resolver doesn't choose IP addresses based on the order that the IP addresses are listed in.
For each IP address, specify the following values. Each IP address must be in an Availability Zone in the VPC that you specified in VPC in the region-name Region.
- Availability Zone
The Availability Zone that you want DNS queries to pass through on the way to your network. The Availability Zone that you specify must be configured with a subnet.
- Subnet
The subnet that contains the IP address that you want DNS queries to originate from on the way to your network. The subnet must have an available IP address.
The address family of the subnet (IPv4 or IPv6) must match the Endpoint type.
- IP address
The IP address that you want DNS queries to originate from on the way to your network.
Choose whether you want Resolver to choose an IP address for you from among the available IP addresses in the specified subnet, or you want to specify the IP address yourself.
If you choose to specify the IP address yourself, enter an IPv4 or IPv6 address, or both.
- Protocols
The endpoint protocol determines how data is transmitted from the outbound endpoint. Choose a protocol, or protocols, depending on the level of security needed.
Do53: (Default) The data is relayed using the Route 53 Resolver without additional encryption. While the data cannot be read by external parties, it can be viewed within the AWS networks.
DoH: The data is transmitted over an encrypted HTTPS session. DoH adds a further level of security: the data can't be decrypted by unauthorized users and can't be read by anyone except the intended recipient.
For an outbound endpoint you can apply the protocols as follows:
- Do53 and DoH in combination.
- Do53 alone.
- DoH alone.
- None, which is treated as Do53.
- Tags
Specify one or more keys and the corresponding values. For example, you might specify Cost center for Key and specify 456 for Value.
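The constraints above (two or more IP addresses, address family matching the endpoint type, addresses inside their subnet, protocol combinations, and a security group that allows TCP and UDP egress on your DNS port) can be checked before you create an endpoint, which matters because the security group can't be changed afterwards. The following pre-flight check is an added example, not AWS code; the plan dictionary layout, the `endpoint_type` strings and all addresses and zone names in it are constructed.

```python
import ipaddress

def check_outbound_endpoint(plan):
    """Return the problems in a planned outbound endpoint, checked against the
    constraints described on this page; an empty list means the plan is sound."""
    problems = []
    etype = plan["endpoint_type"]            # assumed values: "IPv4", "IPv6", "dual-stack"
    ips = plan["ip_addresses"]
    if len(ips) < 2:
        problems.append("fewer than two IP addresses (two are required for redundancy)")
    if len({ip["az"] for ip in ips}) < 2:
        problems.append("IP addresses span fewer than two Availability Zones")
    for ip in ips:
        if ip.get("ip") is None:
            continue                          # Resolver picks a free address in the subnet
        addr = ipaddress.ip_address(ip["ip"])
        if addr not in ipaddress.ip_network(ip["subnet_cidr"]):
            problems.append(f"{addr} is not inside subnet {ip['subnet_cidr']}")
        if (etype == "IPv4" and addr.version != 4) or (etype == "IPv6" and addr.version != 6):
            problems.append(f"{addr} does not match endpoint type {etype}")
    protocols = set(plan.get("protocols") or ["Do53"])   # no protocol means Do53
    if not protocols <= {"Do53", "DoH"}:
        problems.append(f"unsupported protocols: {sorted(protocols - {'Do53', 'DoH'})}")
    # The security group is immutable after creation, so verify its egress up front:
    # both TCP and UDP must be allowed on the port the resolvers on your network use.
    egress = {(r["proto"], r["port"]) for r in plan["sg_egress"]}
    for l4 in ("tcp", "udp"):
        if (l4, plan["dns_port"]) not in egress and (l4, "all") not in egress:
            problems.append(f"security group lacks {l4}/{plan['dns_port']} egress")
    return problems

# Constructed sample plans (zone names, CIDRs and addresses are made up).
GOOD_PLAN = {
    "endpoint_type": "IPv4", "protocols": ["Do53"], "dns_port": 53,
    "ip_addresses": [
        {"az": "us-east-1a", "subnet_cidr": "10.0.1.0/24", "ip": "10.0.1.10"},
        {"az": "us-east-1b", "subnet_cidr": "10.0.2.0/24", "ip": None},
    ],
    "sg_egress": [{"proto": "tcp", "port": 53}, {"proto": "udp", "port": 53}],
}
WEAK_PLAN = {
    "endpoint_type": "IPv4", "protocols": [], "dns_port": 53,
    "ip_addresses": [
        {"az": "us-east-1a", "subnet_cidr": "10.0.1.0/24", "ip": "2001:db8::10"},
    ],
    "sg_egress": [{"proto": "tcp", "port": 53}],      # UDP egress missing
}
```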
Values that you specify when you create or edit rules
When you create or edit a forwarding rule, you specify the following values:
- Rule name
A friendly name that lets you easily find a rule on the dashboard.
- Rule type
Choose the applicable value:
Forward – Choose this option when you want to forward DNS queries for a specified domain name to resolvers on your network.
System – Choose this option when you want Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.
By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but you don't want to forward queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.
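The following model is an added example, not Resolver's code: it shows how the most specific matching rule wins (so a System rule for acme.example.com overrides a Forward rule for example.com), and how a forwarded query picks a target IP at random and retries on silence, as described earlier on this page. The rule set, target IPs and answers are constructed; trying each target at most once is a simplification.

```python
import random

# Constructed rules, modelled on the page's example: forward example.com to two
# resolvers on your network, but let Resolver handle acme.example.com itself.
RULES = [
    {"type": "FORWARD", "domain": "example.com", "targets": ["10.0.0.2", "10.0.1.2"]},
    {"type": "SYSTEM", "domain": "acme.example.com", "targets": []},
]

def labels(name):
    return name.lower().rstrip(".").split(".")

def matches(rule_domain, qname):
    """A rule covers its domain and every subdomain (label-wise suffix match),
    so 'notexample.com' does not match a rule for 'example.com'."""
    r, q = labels(rule_domain), labels(qname)
    return len(q) >= len(r) and q[-len(r):] == r

def select_rule(qname, rules=RULES):
    """The most specific (longest) matching rule wins, which is how a SYSTEM
    rule for a subdomain overrides the broader FORWARD rule."""
    candidates = [r for r in rules if matches(r["domain"], qname)]
    return max(candidates, key=lambda r: len(labels(r["domain"])), default=None)

def forward(rule, responders, rng):
    """Pick a target IP at random (listing order carries no preference); if it
    does not answer, retry another randomly chosen target. Each target is tried
    at most once here, a simplification so the retry loop always terminates."""
    remaining, tried = list(rule["targets"]), []
    while remaining:
        ip = rng.choice(remaining)
        remaining.remove(ip)
        tried.append(ip)
        if ip in responders:                   # the target replied
            return tried, responders[ip]
    return tried, None

def resolve(qname, responders, rules=RULES, seed=None):
    """responders: constructed map of target IP -> answer; silent targets are absent."""
    rule = select_rule(qname, rules)
    if rule is None or rule["type"] == "SYSTEM":
        return {"path": "vpc-resolver", "rule": rule["domain"] if rule else None}
    tried, answer = forward(rule, responders, random.Random(seed))
    return {"path": "forwarded", "rule": rule["domain"], "tried": tried, "answer": answer}
```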
- VPCs that use this rule
The VPCs that use this rule to forward DNS queries for the specified domain name or names. You can apply a rule to as many VPCs as you want.
- Domain name
DNS queries for this domain name are forwarded to the IP addresses that you specify in Target IP addresses. For more information, see How Resolver determines whether the domain name in a query matches any rules.
- Outbound endpoint
Resolver forwards DNS queries through the outbound endpoint that you specify here to the IP addresses that you specify in Target IP addresses.
- Target IP addresses
When a DNS query matches the name that you specify in Domain name, the outbound endpoint forwards the query to the IP addresses that you specify here. These are typically the IP addresses for DNS resolvers on your network.
Target IP addresses is available only when the value of Rule type is Forward.
Specify the IPv4 or IPv6 addresses, the protocols, and the ServerNameIndication that you want to use for the endpoint. ServerNameIndication applies only when the selected protocol is DoH.
Resolving the FQDN of a DoH resolver on your network to its target IP address over the outbound endpoint is not supported: outbound endpoints need the target IP address of the DoH resolver on your network to forward the DoH queries to. If the DoH resolver on your network needs the FQDN in the TLS SNI and in the HTTP Host header, ServerNameIndication must be provided.
- ServerNameIndication
The Server Name Indication of the DoH server that you want to forward queries to. This is only used if the Protocol is DoH.
- Tags
Specify one or more keys and the corresponding values. For example, you might specify Cost center for Key and specify 456 for Value.
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see Using cost allocation tags in the AWS Billing User Guide.