Constraints
In addition to the concepts established so far, it is important to understand some constraints that are key in shaping the rest of this whitepaper and its solutions.
Packet per second (PPS) per elastic network interface limit
Each network interface in an Amazon VPC has a hard limit of 1024 packets that it can send to the Amazon-provided DNS server every second. Therefore, a computing resource on AWS that has a network interface attached to it and is sending traffic to the Amazon DNS resolver (for example, an Amazon EC2 instance or AWS Lambda
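The following is an added example, not part of the whitepaper, that shows how the per-interface PPS limit described above can be checked against captured query traffic. It assumes a simplified, constructed log format of `<epoch_seconds> <src_ip> -> <dst_ip> <qname>` per query, and assumes the Amazon resolver is reached at the link-local address 169.254.169.253 or the VPC base+2 address (10.0.0.2 for an assumed 10.0.0.0/16 VPC).

```python
from collections import defaultdict

# Hard limit stated in the whitepaper: 1024 packets per second per network
# interface toward the Amazon-provided DNS resolver.
PPS_LIMIT = 1024

# Assumed resolver addresses: the Route 53 Resolver link-local address and the
# VPC base+2 address of an assumed 10.0.0.0/16 VPC (constructed for this example).
RESOLVER_IPS = {"169.254.169.253", "10.0.0.2"}

def parse_line(line):
    """Parse one constructed record: '<epoch_seconds> <src_ip> -> <dst_ip> <qname>'."""
    ts, src, _arrow, dst, qname = line.split()
    return float(ts), src, dst, qname

def queries_per_second(lines):
    """Count queries per (source interface IP, whole second) that target the
    Amazon resolver; traffic to other resolvers does not count toward the limit."""
    counts = defaultdict(int)
    for line in lines:
        ts, src, dst, _qname = parse_line(line)
        if dst in RESOLVER_IPS:
            counts[(src, int(ts))] += 1
    return counts

def find_violations(lines, limit=PPS_LIMIT, warn_fraction=0.8):
    """Return sorted (src_ip, second, count, level) tuples for every second in
    which an interface exceeded the limit ('exceeded', meaning queries were not
    answered) or used more than warn_fraction of it ('warning')."""
    findings = []
    for (src, second), count in queries_per_second(lines).items():
        if count > limit:
            findings.append((src, second, count, "exceeded"))
        elif count > limit * warn_fraction:
            findings.append((src, second, count, "warning"))
    return sorted(findings)

# Constructed sample: 1100 queries in one second from one instance (over the
# limit), 900 from another (inside the limit but close), and 50 sent to an
# external resolver, which the per-interface limit does not cover.
SAMPLE_LINES = (
    [f"1700000000.{i:04d} 10.0.1.10 -> 10.0.0.2 host{i}.example.internal" for i in range(1100)]
    + [f"1700000001.{i:04d} 10.0.1.11 -> 169.254.169.253 api{i}.example.com" for i in range(900)]
    + [f"1700000001.{i:04d} 10.0.1.12 -> 8.8.8.8 cdn{i}.example.net" for i in range(50)]
)

if __name__ == "__main__":
    for src, second, count, level in find_violations(SAMPLE_LINES):
        print(f"{level}: {src} sent {count} queries to the Amazon resolver in second {second}")
```

Running it on the constructed sample reports the first instance as exceeding the limit and the second as approaching it, while the queries to the external resolver are ignored.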
Connection tracking
By default, the number of simultaneous stateful connections that an Amazon EC2 security group can track is extremely large, and most customers running standard TCP-based workloads never reach it. In rare cases, customers with restrictive security group policies and applications that create a large number of concurrent connections, for instance a self-managed recursive DNS server, can exhaust the connection tracking resources. When that limit is exceeded, subsequent connections fail silently. In such cases, we recommend that you set up a security group that disables connection tracking for this traffic. To do this, configure permissive rules for both inbound and outbound connections, because only traffic that is allowed in both directions by such rules is left untracked.
Linux resolver
The default maximum number of DNS servers that you can specify in the resolv.conf configuration file of a Linux resolver is three, which means it isn’t useful to specify four DNS servers in the DHCP options set, because the additional DNS server won’t be used. This limit also places an upper boundary on some of the solutions discussed in this whitepaper. Note also that different operating systems can handle the assignment and failover of DNS queries differently.