Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.2.1. Route 53 Resolver and Hybrid DNS

💡 First Principle: DNS resolution is foundational for hybrid architectures. When an EC2 instance in a VPC needs to resolve an on-premises hostname (like db.corp.internal), or when an on-premises server needs to resolve an AWS private hostname (like database.prod.internal), those queries need to reach the right DNS server. Route 53 Resolver provides the infrastructure to make this work bi-directionally.

Route 53 Resolver — Default Behavior:

Every VPC gets a Route 53 Resolver at the VPC CIDR base + 2 address (e.g., 10.0.0.2 for a 10.0.0.0/16 VPC). It resolves:

  • Public DNS names (via public DNS)
  • Private hosted zones associated with the VPC
  • AWS-internal names (e.g., ec2.internal for EC2 instance hostnames)

Hybrid DNS Resolution:

  Scenario: EC2 → resolve on-premises hostnames
  Solution: Outbound endpoint + forwarding rule to on-premises DNS server

  Scenario: On-premises → resolve AWS private hostnames
  Solution: Inbound endpoint + on-premises DNS conditional forwarder pointing to inbound endpoint IPs

Outbound Endpoint: Route 53 Resolver creates ENIs in specified subnets. When a query matches a forwarding rule, the resolver forwards it to the specified IP (your on-premises DNS server) via the outbound endpoint ENI.

Inbound Endpoint: Route 53 Resolver creates ENIs in specified subnets with stable IP addresses. On-premises DNS servers forward queries for AWS private zones to these IPs. The resolver answers from private hosted zone records.
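The two endpoints and the forwarding rule described above, as an added Terraform example (not code from the original page or from AWS); the VPC, the two subnets, the security group and the on-premises resolver addresses are placeholder variables you would supply:

```hcl
# Assumed inputs: a VPC, two subnets in different AZs, a security group that
# allows TCP/UDP 53 to and from the on-premises DNS servers (placeholders).
variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) } # two subnets, two AZs
variable "dns_sg_id"  { type = string }
variable "onprem_dns" { type = list(string) } # e.g. ["10.20.0.53", "10.20.1.53"]

# Outbound endpoint: the ENIs the Resolver uses to forward queries out of the VPC.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "hybrid-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [var.dns_sg_id]
  dynamic "ip_address" {
    for_each = var.subnet_ids
    content { subnet_id = ip_address.value }
  }
}

# Forwarding rule: every name under corp.internal goes to the on-premises DNS servers.
resource "aws_route53_resolver_rule" "corp" {
  domain_name          = "corp.internal"
  rule_type            = "FORWARD"
  name                 = "forward-corp-internal"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  dynamic "target_ip" {
    for_each = var.onprem_dns
    content { ip = target_ip.value }
  }
}

# A forwarding rule does nothing until it is associated with the VPC.
resource "aws_route53_resolver_rule_association" "corp" {
  resolver_rule_id = aws_route53_resolver_rule.corp.id
  vpc_id           = var.vpc_id
}

# Inbound endpoint: stable IPs that the on-premises conditional forwarder targets.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "hybrid-inbound"
  direction          = "INBOUND"
  security_group_ids = [var.dns_sg_id]
  dynamic "ip_address" {
    for_each = var.subnet_ids
    content { subnet_id = ip_address.value }
  }
}

# These are the addresses to configure as conditional-forwarder targets on premises.
output "inbound_endpoint_ips" {
  value = aws_route53_resolver_endpoint.inbound.ip_address[*].ip
}
```

The security group is the real control point here: the outbound endpoint only needs egress on port 53 to the on-premises resolvers, and the inbound endpoint only needs ingress on port 53 from the on-premises DNS server addresses, not from the whole corporate range.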

Route 53 Resolver DNS Firewall: Inspects all outbound DNS queries from the VPC and blocks those matching configured domain lists. Use it to prevent:

  • Data exfiltration via DNS tunneling
  • Malware communicating with C2 servers via DNS
  • Access to unapproved external services

⚠️ Exam Trap: Inbound and outbound resolver endpoints are separate resources — creating an inbound endpoint doesn't automatically enable outbound forwarding, and vice versa. For full bidirectional hybrid DNS, you need both. Also, each endpoint requires ENIs in at least two AZs for high availability.

Reflection Question: An on-premises application server needs to resolve the private DNS name of an RDS instance in a VPC (mydb.cluster-xxx.us-east-1.rds.amazonaws.com). The VPC uses a private hosted zone. What Route 53 Resolver resource enables this resolution from on-premises?

Written by Alvin Varughese, Founder • 15 professional certifications