Understanding Amazon DNS
As an AWS architect or administrator, one of the foundational networking components you'll encounter is the Amazon DNS server, also known as the Route 53 Resolver. This DNS resolver service is natively integrated into each Availability Zone within your AWS Region, providing a reliable and scalable solution for domain name resolution within your Virtual Private Cloud (VPC). In this section you'll learn about the Amazon DNS server's IP addresses, the private DNS hostnames it can resolve, and the rules that govern its usage.
Amazon DNS server
The Route 53 Resolver (also called "Amazon DNS server" or "AmazonProvidedDNS") is a DNS Resolver service which is built into each Availability Zone in an AWS Region. The Route 53 Resolver is located at 169.254.169.253 (IPv4), fd00:ec2::253 (IPv6), and at the primary private IPv4 CIDR range provisioned to your VPC plus two. For example, if you have a VPC with an IPv4 CIDR of 10.0.0.0/16 and an IPv6 CIDR of 2001:db8::/32, you can reach the Route 53 Resolver at 169.254.169.253 (IPv4), fd00:ec2::253 (IPv6), or 10.0.0.2 (IPv4). Resources within a VPC use a link-local address for DNS queries. These queries are transported to the Route 53 Resolver privately and are not visible on the network. In an IPv6-only subnet, the IPv4 link-local address (169.254.169.253) is still reachable as long as "AmazonProvidedDNS" is the name server in the DHCP option set.
When you launch an instance into a VPC, we provide the instance with a private DNS hostname. We also provide a public DNS hostname if the instance is configured with a public IPv4 address and the VPC DNS attributes are enabled.
The format of the private DNS hostname depends on how you configure the EC2 instance when you launch it. For more information on the types of private DNS hostnames, see EC2 instance naming.
The Amazon DNS server in your VPC is used to resolve the DNS domain names that you specify in a private hosted zone in Route 53. For more information about private hosted zones, see Working with private hosted zones in the Amazon Route 53 Developer Guide.
Rules and considerations
When using the Amazon DNS server, the following rules and considerations apply.
- You cannot filter traffic to or from the Amazon DNS server using network ACLs or security groups.
- Services that use the Hadoop framework, such as Amazon EMR, require instances to resolve their own fully qualified domain names (FQDN). In such cases, DNS resolution can fail if the domain-name-servers option is set to a custom value. To ensure proper DNS resolution, consider adding a conditional forwarder on your DNS server to forward queries for the domain region-name.compute.internal to the Amazon DNS server. For more information, see Setting up a VPC to host clusters in the Amazon EMR Management Guide.
- The Amazon Route 53 Resolver only supports recursive DNS queries.
DNS hostnames
When you launch an instance, it always receives a private IPv4 address and a private DNS hostname that corresponds to its private IPv4 address. If your instance has a public IPv4 address, the DNS attributes for its VPC determine whether it receives a public DNS hostname that corresponds to the public IPv4 address. For more information, see DNS attributes in your VPC.
With the Amazon provided DNS server enabled, DNS hostnames are assigned and resolved as follows.
Private IP DNS name (IPv4 only)
You can use the Private IP DNS name (IPv4 only) hostname for communication between instances in the same VPC. You can resolve the Private IP DNS name (IPv4 only) hostnames of other instances in other VPCs as long as the instances are in the same AWS Region and the hostname of the other instance is in the private address space range defined by RFC 1918: 10.0.0.0 - 10.255.255.255 (10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), and 192.168.0.0 - 192.168.255.255 (192.168/16 prefix).
Private resource DNS name
The RBN-based DNS name that can resolve to the A and AAAA DNS records selected for this instance. This DNS hostname is visible in the instance details for instances in dual-stack and IPv6-only subnets. For more information about RBN, see EC2 instance hostname types.
Public IPv4 DNS
A public (external) IPv4 DNS hostname takes the form ec2-public-ipv4-address.compute-1.amazonaws.com for the us-east-1 Region, and ec2-public-ipv4-address.region.compute.amazonaws.com for other Regions. The Amazon DNS server resolves a public DNS hostname to the public IPv4 address of the instance outside the network of the instance, and to the private IPv4 address of the instance from within the network of the instance. For more information, see Public IPv4 addresses and external DNS hostnames in the Amazon EC2 User Guide.
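The three address rules above (the resolver at VPC CIDR base + 2, the RFC 1918 condition for cross-VPC private hostnames, and the two public hostname formats) as a small helper module. This is an added example written for this page, not AWS code; the function names are our own, and the only inputs it needs are a VPC CIDR, an address and a Region name.

```python
import ipaddress
import re

# RFC 1918 ranges as listed on this page; they gate cross-VPC resolution of
# Private IP DNS names within the same Region.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Fixed Route 53 Resolver addresses reachable from every VPC.
LINK_LOCAL_RESOLVER_V4 = "169.254.169.253"
LINK_LOCAL_RESOLVER_V6 = "fd00:ec2::253"


def amazon_dns_addresses(primary_ipv4_cidr: str) -> dict:
    """Resolver addresses for a VPC: the two link-local ones plus the
    primary IPv4 CIDR base address + 2 (10.0.0.0/16 -> 10.0.0.2)."""
    net = ipaddress.ip_network(primary_ipv4_cidr, strict=True)
    return {
        "ipv4_link_local": LINK_LOCAL_RESOLVER_V4,
        "ipv6_link_local": LINK_LOCAL_RESOLVER_V6,
        "vpc_plus_two": str(net.network_address + 2),
    }


def is_rfc1918(address: str) -> bool:
    """True when an IPv4 address lies inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in n for n in RFC1918_NETWORKS)


def public_dns_hostname(public_ipv4: str, region: str) -> str:
    """Public IPv4 DNS hostname: us-east-1 uses compute-1.amazonaws.com,
    every other Region uses <region>.compute.amazonaws.com."""
    ipaddress.IPv4Address(public_ipv4)  # raises ValueError on malformed input
    label = "ec2-" + public_ipv4.replace(".", "-")
    if region == "us-east-1":
        return f"{label}.compute-1.amazonaws.com"
    return f"{label}.{region}.compute.amazonaws.com"


def parse_public_dns_hostname(hostname: str):
    """Inverse of public_dns_hostname: (public_ipv4, region) or None."""
    m = re.fullmatch(r"ec2-(\d+-\d+-\d+-\d+)\.compute-1\.amazonaws\.com", hostname)
    if m:
        return m.group(1).replace("-", "."), "us-east-1"
    m = re.fullmatch(r"ec2-(\d+-\d+-\d+-\d+)\.([a-z0-9-]+)\.compute\.amazonaws\.com", hostname)
    if m:
        return m.group(1).replace("-", "."), m.group(2)
    return None
```

parse_public_dns_hostname is handy when enriching logs that record only the Amazon-provided hostname; it returns None for any name that does not follow the two documented formats.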
DNS attributes in your VPC
The following VPC attributes determine the DNS support provided for your VPC. If both attributes are enabled, an instance launched into the VPC receives a public DNS hostname if it is assigned a public IPv4 address or an Elastic IP address at creation. If you enable both attributes for a VPC that didn't previously have them both enabled, instances that were already launched into that VPC receive public DNS hostnames if they have a public IPv4 address or an Elastic IP address.
To check whether these attributes are enabled for your VPC, see View and update DNS attributes for your VPC.
Attribute | Description |
---|---|
enableDnsHostnames | Determines whether the VPC supports assigning public DNS hostnames to instances with public IP addresses. The default for this attribute is |
enableDnsSupport | Determines whether the VPC supports DNS resolution through the Amazon provided DNS server. If this attribute is The default for this attribute is |
Rules and considerations
- If both attributes are set to true, the following occurs:
  - Instances with public IP addresses receive corresponding public DNS hostnames.
  - The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.
- If at least one of the attributes is set to false, the following occurs:
  - Instances with public IP addresses do not receive corresponding public DNS hostnames.
  - The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
  - Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set. If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.
- If you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set both the enableDnsHostnames and enableDnsSupport attributes to true.
- The Amazon Route 53 Resolver can resolve private DNS hostnames to private IPv4 addresses for all address spaces, including where the IPv4 address range of your VPC falls outside of the private IPv4 address ranges specified by RFC 1918. However, if you created your VPC before October 2016, the Amazon Route 53 Resolver does not resolve private DNS hostnames if your VPC's IPv4 address range falls outside of these ranges. To enable support for this, contact AWS Support.
- If you use VPC peering, you must enable both attributes for both VPCs, and you must enable DNS resolution for the peering connection. For more information, see Enable DNS resolution for a VPC peering connection.
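The rules above as an auditing helper: it evaluates the two VPC attributes the way the list describes and reports the settings that would stop a private hosted zone, PrivateLink private DNS, or a peered VPC from resolving. This is an added example, not AWS code; the class and function names are our own, and from_describe_vpc_attribute assumes the response shape of the EC2 DescribeVpcAttribute API (one call per attribute, each returning {"EnableDnsHostnames": {"Value": ...}} or {"EnableDnsSupport": {"Value": ...}}).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpcDnsAttributes:
    vpc_id: str
    enable_dns_hostnames: bool
    enable_dns_support: bool


def from_describe_vpc_attribute(vpc_id, hostnames_resp, support_resp):
    """Build VpcDnsAttributes from the two DescribeVpcAttribute responses
    (assumed shape: {"EnableDnsHostnames": {"Value": bool}} and
    {"EnableDnsSupport": {"Value": bool}})."""
    return VpcDnsAttributes(
        vpc_id=vpc_id,
        enable_dns_hostnames=bool(hostnames_resp["EnableDnsHostnames"]["Value"]),
        enable_dns_support=bool(support_resp["EnableDnsSupport"]["Value"]),
    )


def expected_dns_behaviour(attrs, instance_has_public_ip):
    """What the page says happens: both attributes true -> public hostnames for
    instances with public IPs and Amazon-provided private hostnames resolve;
    either false -> neither."""
    both = attrs.enable_dns_hostnames and attrs.enable_dns_support
    return {
        "public_dns_hostname_assigned": both and instance_has_public_ip,
        "amazon_private_hostnames_resolvable": both,
    }


def audit_private_dns_readiness(attrs, uses_private_hosted_zone=False,
                                uses_privatelink_private_dns=False, peered_vpc=None):
    """Return human-readable findings for configurations the page calls out."""
    findings = []
    if uses_private_hosted_zone or uses_privatelink_private_dns:
        for name, value in (("enableDnsHostnames", attrs.enable_dns_hostnames),
                            ("enableDnsSupport", attrs.enable_dns_support)):
            if not value:
                findings.append(f"{attrs.vpc_id}: {name} is false; private hosted zone "
                                "and PrivateLink private DNS names will not resolve")
    if peered_vpc is not None:
        for v in (attrs, peered_vpc):
            if not (v.enable_dns_hostnames and v.enable_dns_support):
                findings.append(f"{v.vpc_id}: both DNS attributes must be true on each "
                                "peered VPC (and DNS resolution enabled on the peering)")
    return findings
```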
DNS quotas
There is a 1024 packet per second (PPS) limit to services that use link-local addresses. This limit includes the aggregate of Route 53 Resolver DNS queries, Instance Metadata Service (IMDS) requests, Amazon Time Service Network Time Protocol (NTP) requests, and Windows Licensing Service (for Microsoft Windows based instances).
The number of DNS queries per second supported by Route 53 Resolver varies by the type of query, the size of the response, and the protocol in use. For more information and recommendations for a scalable DNS architecture, see the AWS Hybrid DNS with Active Directory
If you reach the quota, the Route 53 Resolver rejects traffic. Some of the causes for reaching the quota might be a DNS throttling issue, or instance metadata queries that use the Route 53 Resolver network interface. For information about how to solve VPC DNS throttling issues, see How can I determine whether my DNS queries to the Amazon provided DNS server are failing due to VPC DNS throttling
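A detection-side companion to the quota above: it counts DNS queries per source per second from JSON query log lines and flags sources approaching or exceeding the 1024 PPS figure. This is an added example, not AWS code; the log records are constructed here and only loosely modelled on Resolver query logging (the field names srcaddr, query_timestamp, query_name and srcids are assumed), and because IMDS, NTP and licensing traffic share the same limit but are not in DNS logs, a flagged source is a candidate for throttling, not a confirmed case.

```python
import json
from collections import Counter

LINK_LOCAL_PPS_LIMIT = 1024  # aggregate link-local limit quoted on the page


def queries_per_second(log_lines):
    """Count queries per (srcaddr, whole second) from JSON log lines."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        second = rec["query_timestamp"][:19]  # "YYYY-MM-DDTHH:MM:SS"
        counts[(rec["srcaddr"], second)] += 1
    return counts


def find_throttling_candidates(log_lines, limit=LINK_LOCAL_PPS_LIMIT, warn_fraction=0.8):
    """Map srcaddr -> [(second, count, over_limit)] for seconds where DNS alone
    reaches warn_fraction of the limit. Other link-local traffic (IMDS, NTP,
    Windows licensing) is invisible here, so real pressure is at least this high."""
    flagged = {}
    for (src, second), n in queries_per_second(log_lines).items():
        if n >= limit * warn_fraction:
            flagged.setdefault(src, []).append((second, n, n >= limit))
    return flagged


def constructed_sample():
    """Constructed log lines: one noisy instance, one quiet one (assumed field names)."""
    def rec(src, ts, name, instance):
        return json.dumps({"srcaddr": src, "query_timestamp": ts, "query_name": name,
                           "query_type": "A", "rcode": "NOERROR",
                           "srcids": {"instance": instance}})
    lines = [rec("10.0.1.10", "2024-05-01T12:00:00Z", f"svc{i}.example.com.", "i-0noisy")
             for i in range(1100)]
    lines += [rec("10.0.1.10", "2024-05-01T12:00:01Z", "db.example.com.", "i-0noisy")
              for _ in range(900)]
    lines += [rec("10.0.1.20", "2024-05-01T12:00:00Z", "api.example.com.", "i-0quiet")
              for _ in range(5)]
    return lines
```

Per-second buckets from the timestamp are coarse; a rolling window over sub-second timestamps would catch shorter bursts if your log source records them.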
Private hosted zones
To access the resources in your VPC using custom DNS domain names, such as example.com, instead of using private IPv4 addresses or AWS-provided private DNS hostnames, you can create a private hosted zone in Route 53. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more VPCs without exposing your resources to the internet. You can then create Route 53 resource record sets, which determine how Route 53 responds to queries for your domain and subdomains. For example, if you want browser requests for example.com to be routed to a web server in your VPC, you'll create an A record in your private hosted zone and specify the IP address of that web server. For more information about creating a private hosted zone, see Working with private hosted zones in the Amazon Route 53 Developer Guide.
To access resources using custom DNS domain names, you must be connected to an instance within your VPC. From your instance, you can test that your resource in your private hosted zone is accessible from its custom DNS name by using the ping command; for example, ping mywebserver.example.com. (You must ensure that your instance's security group rules allow inbound ICMP traffic for the ping command to work.)
Private hosted zones do not support transitive relationships outside of the VPC; for example, you cannot access your resources using their custom private DNS names from the other side of a VPN connection.
Important
If you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, you must set both the enableDnsHostnames and enableDnsSupport attributes to true.