Amazon Route 53
Developer Guide (API Version 2013-04-01)

Resolving DNS Queries Between VPCs and Your Network

When you create a VPC using Amazon VPC, you automatically get DNS resolution within the VPC from Route 53 Resolver. By default, Resolver answers DNS queries for VPC domain names such as domain names for EC2 instances or ELB load balancers. Resolver performs recursive lookups against public name servers for all other domain names.

You can also configure DNS resolution between your VPC and your network over a Direct Connect or VPN connection:

Forward DNS queries from resolvers on your network to Route 53 Resolver

DNS resolvers on your network can forward DNS queries to Resolver in a specified VPC. This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone. For more information, see How DNS Resolvers on Your Network Forward DNS Queries to Route 53 Resolver.

Conditionally forward queries from a VPC to resolvers on your network

You can configure Resolver to forward queries that it receives from EC2 instances in your VPCs to DNS resolvers on your network. To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, apex.example.com), Resolver chooses the rule with the most specific match (apex.example.com) and forwards the query to the IP addresses that you specified in that rule. For more information, see How Route 53 Resolver Forwards DNS Queries from Your VPCs to Your Network.

Like Amazon VPC, Resolver is regional. In each region where you have VPCs, you can choose whether to forward queries from your VPCs to your network (outbound queries), from your network to your VPCs (inbound queries), or both.

Note

Resolver doesn't support VPC dedicated instances.

To use inbound or outbound forwarding, you create a Resolver endpoint in your VPC, and Resolver automatically creates a VPC elastic network interface. For an overview of VPC network interfaces, see Elastic Network Interfaces in the Amazon VPC User Guide.

How DNS Resolvers on Your Network Forward DNS Queries to Route 53 Resolver

When you want to forward DNS queries from your network to Route 53 Resolver in an AWS Region, you perform the following steps:

  1. You create a Route 53 Resolver inbound endpoint in a VPC. DNS queries pass through this VPC on the way to Resolver. For the inbound endpoint, you specify the IP addresses that the resolvers on your network forward DNS queries to.

    Resolver creates a VPC elastic network interface in the VPC where you created the inbound endpoint.

  2. You configure resolvers on your network to forward DNS queries for the applicable domain names to the IP addresses that you specified in the inbound endpoint. For more information, see How to Choose the VPC That DNS Queries Pass Through.

Here's how Resolver resolves DNS queries that originate on your network:

  1. A web browser or another application on your network submits a DNS query for a domain name that you forwarded to Resolver.

  2. A resolver on your network forwards the query to the IP addresses in your inbound endpoint.

  3. The inbound endpoint forwards the query to Resolver.

  4. Resolver gets the applicable value for the domain name in the DNS query, either internally or by performing a recursive lookup against public name servers.

  5. Resolver returns the value (typically an IPv4 IP address) to the inbound endpoint.

  6. The inbound endpoint returns the value to the resolver on your network.

  7. The resolver on your network returns the value to the application.

  8. Using the value that was returned by Resolver, the application submits an HTTP request, for example, a request for an object in an Amazon S3 bucket.

Creating an inbound endpoint doesn't change the behavior of Resolver; it just provides a path from a location outside the AWS network to Resolver.

How Route 53 Resolver Forwards DNS Queries from Your VPCs to Your Network

When you want to forward DNS queries from the EC2 instances in one or more VPCs in an AWS Region to your network, you perform the following steps.

  1. You create a Route 53 Resolver outbound endpoint in a VPC, and you specify several values:

    • The VPC that you want DNS queries to pass through on the way to the resolvers on your network.

    • The IP addresses on your network that you want Resolver to forward DNS queries to. To your network, these are the IP addresses that the DNS queries originate from.

    • A VPC security group

    Resolver creates an Amazon VPC elastic network interface in the VPC that you specify. For more information, see How to Choose the VPC That DNS Queries Pass Through.

  2. You create one or more rules, which specify the domain names of the DNS queries that you want Resolver to forward to resolvers on your network. You also specify the IP addresses of the resolvers. For more information, see Using Rules to Control Which Queries Are Forwarded to Your Network.

  3. You associate each rule with the VPCs for which you want to forward DNS queries to your network.

Using Rules to Control Which Queries Are Forwarded to Your Network

Rules control which DNS queries Route 53 Resolver forwards to DNS resolvers on your network and which queries Resolver answers itself.

You can categorize rules in a couple of ways. One way is by who creates the rules:

  • Autodefined rules – Resolver automatically creates autodefined rules and associates the rules with your VPCs. Most of these rules apply to the AWS-specific domain names that Resolver answers queries for. For more information, see Domain Names that Resolver Creates Autodefined Rules For.

  • Custom rules – You create custom rules and associate the rules with VPCs. Currently, you can create only one type of custom rule, conditional forwarding rules, also known as forwarding rules. Forwarding rules cause Resolver to forward DNS queries from your VPCs to the IP addresses for DNS resolvers on your network.

    If you create a forwarding rule for the same domain as an autodefined rule, Resolver forwards queries for that domain name to DNS resolvers on your network based on the settings in the forwarding rule.

Another way to categorize rules is by what they do:

  • Conditional forwarding rules – You create conditional forwarding rules (also known as forwarding rules) when you want to forward DNS queries for specified domain names to DNS resolvers on your network.

  • System rules – System rules cause Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.

    By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but not queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for apex.example.com, you create a system rule and specify apex.example.com for the domain name.

  • Recursive rules – Resolver creates recursive rules automatically. Recursive rules cause Resolver to act as a DNS resolver for the specified domain. By default, Resolver creates one recursive rule that forwards DNS queries for all domains (with some exceptions) to public name servers. For information about how to override this behavior, see "Forwarding All Queries to Your Network" later in this topic.

You can create custom rules that apply to specific domain names (yours or most AWS domain names), to public AWS domain names, or to all domain names.

Forwarding queries for specific domain names to your network

To forward queries for a specific domain name, such as example.com, to your network, you create a rule and specify that domain name. You also specify the IP addresses of the DNS resolvers on your network that you want to forward the queries to. You then associate each rule with the VPCs for which you want to forward DNS queries to your network. For example, you can create separate rules for example.com, example.org, and example.net. Then you can associate the rules with the VPCs in an AWS Region in any combination.

Forwarding queries for amazonaws.com to your network

The domain name amazonaws.com is the public domain name for AWS resources such as EC2 instances and S3 buckets. If you want to forward queries for amazonaws.com to your network, create a rule, specify amazonaws.com for the domain name, and specify Forward for the rule type.

Note

Resolver doesn't automatically forward DNS queries for some amazonaws.com subdomains even if you create a forwarding rule for amazonaws.com. For more information, see Domain Names that Resolver Creates Autodefined Rules For. For information about how to override this behavior, see "Forwarding All Queries to Your Network," immediately following.

Forwarding all queries to your network

If you want to forward all queries to your network, you create a rule, specify "." (dot) for the domain name, and associate the rule with the VPCs for which you want to forward all DNS queries to your network. Resolver still doesn't forward all DNS queries to your network because using a DNS resolver outside of AWS would break some functionality. For example, some internal AWS domain names have internal IP address ranges that aren't accessible from outside of AWS. For a list of the domain names for which queries aren't forwarded to your network when you create a rule for ".", see Domain Names that Resolver Creates Autodefined Rules For.

If you want to try forwarding DNS queries for all domain names to your network, including the domain names that are excluded from forwarding by default, you can create a "." rule and do one of the following:

Important

If you forward all domain names to your network, including the domain names that Resolver excludes when you create a "." rule, some features might stop working.

How Resolver Determines Whether the Domain Name in a Query Matches Any Rules

Route 53 Resolver compares the domain name in the DNS query with the domain name in the rules that are associated with the VPC that the query originated from. Resolver considers the domain names to match in the following cases:

  • The domain names match exactly

  • The domain name in the query is a subdomain of the domain name in the rule

For example, if the domain name in the rule is apex.example.com, Resolver considers the following domain names in a DNS query to be a match:

  • apex.example.com

  • acme.apex.example.com

The following domain names are not a match:

  • example.com

  • nadir.example.com

If the domain name in a query matches the domain name in more than one rule (such as example.com and www.example.com), Resolver routes outbound DNS queries using the rule that contains the most specific domain name (www.example.com).

How Resolver Determines Where to Forward DNS Queries

When an application that runs on an EC2 instance in a VPC submits a DNS query, Route 53 Resolver performs the following steps:

  1. Resolver checks for domain names in rules.

    If the domain name in a query matches the domain name in a rule, Resolver forwards the query to the IP address that you specified when you created the outbound endpoint. The outbound endpoint then forwards the query to the IP addresses of resolvers on your network, which you specified when you created the rule.

    For more information, see How Resolver Determines Whether the Domain Name in a Query Matches Any Rules.

  2. Resolver forwards DNS queries based on the settings in the "." rule.

    If the domain name in a query doesn't match the domain name in any other rules, Resolver forwards the query based on the settings in the autodefined "." (dot) rule. The dot rule applies to all domain names except some AWS internal domain names and record names in private hosted zones. This rule causes Resolver to forward DNS queries to public name servers if the domain names in queries don't match any names in your custom forwarding rules. If you want to forward all queries to the DNS resolvers on your network, you can create a custom forwarding rule, specify "." for the domain name, specify Forwarding for Type, and specify the IP addresses of those resolvers.

  3. Resolver returns the response to the application that submitted the query.
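The matching and selection behavior described in this section and in How Resolver Determines Whether the Domain Name in a Query Matches Any Rules, together with the system-rule carve-out described under Using Rules to Control Which Queries Are Forwarded to Your Network, can be modeled in a few lines. The following Python is an added illustration, not AWS code; the rule set, domain names, and on-premises resolver IP addresses in it are constructed, and the tie-break between a custom and an autodefined rule for the same domain follows the statement that the forwarding rule takes precedence.

```python
"""Simulate how Route 53 Resolver picks a rule for a queried name (added
illustration, not AWS code; rule set, domain names and IPs are constructed).
A rule matches when the query name equals its domain or is a subdomain of it,
the most specific rule wins, a custom rule beats an autodefined rule for the
same domain, and the autodefined "." rule is the recursive fallback."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    domain: str                                  # "example.com", or "." for all names
    rule_type: str                               # "Forward", "System" or "Recursive"
    targets: list = field(default_factory=list)  # resolver IPs for Forward rules
    autodefined: bool = False                    # True for rules Resolver creates itself

def _labels(name):
    """Split a DNS name into labels; "." and "" give an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def rule_matches(rule, query_name):
    """Exact match, or the query name is a subdomain of the rule's domain."""
    r, q = _labels(rule.domain), _labels(query_name)
    return not r or (len(q) >= len(r) and q[-len(r):] == r)

def select_rule(rules, query_name):
    """Most specific matching rule; custom beats autodefined on equal domains."""
    matches = [r for r in rules if rule_matches(r, query_name)]
    if not matches:
        return None
    return max(matches, key=lambda r: (len(_labels(r.domain)), not r.autodefined))

def resolve_action(rules, query_name):
    """('forward', target IPs) for a Forward rule, else ('resolve', None)."""
    rule = select_rule(rules, query_name)
    if rule is None or rule.rule_type != "Forward":
        return ("resolve", None)  # System/Recursive rules: Resolver answers itself
    return ("forward", list(rule.targets))

# Constructed rules for one VPC; on-premises resolver IPs are placeholders.
RULES = [
    Rule(".", "Recursive", autodefined=True),
    Rule("eu-west-1.compute.internal", "Forward", ["<VPC authoritative servers>"], autodefined=True),
    Rule("example.com", "Forward", ["10.0.0.2", "10.0.0.3"]),
    Rule("apex.example.com", "System"),      # carve-out: Resolver answers these itself
    Rule("www.example.com", "Forward", ["10.0.0.4"]),
]
# A custom "." Forward rule sends everything else to your network, but the
# more specific autodefined rules still win for AWS internal names.
FORWARD_ALL = RULES + [Rule(".", "Forward", ["10.0.0.2"])]

if __name__ == "__main__":
    for name in ["acme.apex.example.com", "nadir.example.com", "example.org"]:
        print(name, resolve_action(RULES, name), resolve_action(FORWARD_ALL, name))
```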

Using Rules in Multiple Regions

Route 53 Resolver is a regional service, so objects that you create in one AWS Region are available only in that Region. To use the same rule in more than one Region, you must create the rule in each Region.

The AWS account that created a rule can share the rule with other AWS accounts. For more information, see Sharing Forwarding Rules with Other AWS Accounts and Using Shared Rules.

Domain Names that Resolver Creates Autodefined Rules For

Resolver automatically creates rules, known as autodefined rules, that define how queries for selected domains are resolved:

  • For EC2-specific domain names (such as compute.amazonaws.com and compute.internal), autodefined rules ensure that DNS behavior doesn't change when you configure Resolver.

  • For publicly reserved domain names (such as localhost and 10.in-addr.arpa), DNS best practices recommend that queries are answered locally instead of being forwarded to public name servers. See RFC 6303, Locally Served DNS Zones.

To override the default behavior for autodefined rules, you can create conditional forwarding rules.

Resolver creates the following autodefined rules.

Rules for private hosted zones

For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with the same VPCs.

The rule has a type of Forward.

Rules for various AWS internal domain names

All rules for the internal domain names in this section have a type of Forward. Resolver forwards DNS queries for these domain names to the authoritative name servers for the VPC.

Resolver creates the following autodefined rules and associates them with a VPC when you set the enableDnsHostnames flag for the VPC to true:

  • Region-name.compute.internal, for example, eu-west-1.compute.internal. The us-east-1 Region doesn't use this domain name.

  • Region-name.compute.amazon-domain-name, for example, eu-west-1.compute.amazonaws.com or cn-north-1.compute.amazonaws.com.cn. The us-east-1 Region doesn't use this domain name.

  • ec2.internal. Only the us-east-1 Region uses this domain name.

  • compute-1.internal. Only the us-east-1 Region uses this domain name.

  • compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

The following autodefined rules handle reverse DNS lookups for the domain names above. They're created at the same time as those rules, when you set the enableDnsHostnames flag to true:

  • 10.in-addr.arpa

  • 16.172.in-addr.arpa through 31.172.in-addr.arpa

  • 168.192.in-addr.arpa

  • 254.169.254.169.in-addr.arpa

The following autodefined rules, for localhost-related domains, also are created and associated with a VPC when you set the enableDnsHostnames flag for the VPC to true:

  • localhost

  • localdomain

  • 127.in-addr.arpa

  • 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa

  • 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa

Resolver creates the following autodefined rules and associates them with your VPC when you peer the VPC with another VPC:

  • The reverse DNS lookup for the peer VPC's IP address ranges, for example, 0.192.in-addr.arpa

    If you add an IPv4 CIDR block to a VPC, Resolver adds an autodefined rule for the new IP address range.

  • If the other VPC is in another Region, the following domain names:

    • Region-name.compute.internal. The us-east-1 Region doesn't use this domain name.

    • Region-name.compute.amazon-domain-name. The us-east-1 Region doesn't use this domain name.

    • ec2.internal. Only the us-east-1 Region uses this domain name.

    • compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

A rule for all other domains

Resolver creates a "." (dot) rule that applies to all domain names that aren't specified earlier in this topic. The "." rule has a type of Recursive, which means that the rule causes Resolver to act as a recursive resolver.

How to Choose the VPC That DNS Queries Pass Through

When you create an inbound or outbound endpoint, you specify the VPC that you want DNS queries to pass through on the way either to DNS resolvers on your network (outbound) or to Route 53 Resolver (inbound). Note the following requirements and recommendations:

Inbound and outbound queries

You can use the same VPC for inbound and outbound queries, or you can use one VPC for inbound queries and another for outbound queries.

VPC peering

You can use any VPC in a Region for an inbound or an outbound endpoint regardless of whether the VPC that you choose is peered with other VPCs.

Important

If you choose a peered VPC, the following IP addresses must not overlap:

  • The CIDR range for VPCs that are peered with the VPC that you're routing DNS queries through

  • The IP addresses on your network that you're forwarding DNS queries to. You specify these IP addresses when you create Resolver rules.
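The overlap requirement above can be checked before the rules are created. The following Python is an added illustration, not AWS code; the peered VPC CIDR ranges and the resolver IP addresses taken from the rules are constructed.

```python
"""Check the peered-VPC requirement before creating Resolver rules (added
illustration, not AWS code; CIDRs and resolver IPs below are constructed).
Resolver IP addresses that rules forward to must not fall inside the CIDR
range of any VPC peered with the VPC that the endpoint routes queries through."""
import ipaddress

def overlapping_targets(peered_vpc_cidrs, target_ips):
    """Return (target_ip, cidr) pairs where a target lies inside a peered VPC range."""
    nets = [ipaddress.ip_network(c, strict=False) for c in peered_vpc_cidrs]
    hits = []
    for ip in target_ips:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:  # same-version containment; mixed versions never match
                hits.append((ip, str(net)))
    return hits

# Constructed inputs: two peered VPC CIDRs and the resolver IPs from two rules.
PEERED_CIDRS = ["10.20.0.0/16", "192.168.50.0/24"]
RULE_TARGETS = ["10.20.1.53", "172.16.5.53", "192.168.50.2"]

if __name__ == "__main__":
    for ip, net in overlapping_targets(PEERED_CIDRS, RULE_TARGETS):
        print(f"rule target {ip} overlaps peered VPC {net}: fix before creating the rule")
```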

Connection between your network and the VPCs that Resolver routes DNS queries through

You must set up either an AWS Direct Connect connection or a VPN connection between your network and each VPC that you create an inbound or outbound endpoint for. If you create inbound and outbound endpoints on the same VPC, you need only one connection.

For information about AWS Direct Connect, see the AWS Direct Connect User Guide.

For information about VPN connections, see VPN Connections in the Amazon VPC User Guide.