I am attempting to configure a local bind DNS server to resolve a domain via AWS Route 53.

So far, I have created a Hosted zone within Route 53, for which I've got the nameservers:


Now comes the tricky part. On my local machine, I have installed bind and created a zone file which should forward it to AWS, but it doesn't.

(disclaimer: I have replaced the real domain name with ha-test.com)

; BIND data file for ha-test.com
$TTL    604800
@   IN  SOA  ha-test.com. root.ha-test.com. (
                 10     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL

;ha-test.com.   IN    A

ha-test.com.    IN    NS    ns-1474.awsdns-56.org.
ha-test.com.    IN    NS    ns-189.awsdns-23.com.
ha-test.com.    IN    NS    ns-2002.awsdns-58.co.uk.
ha-test.com.    IN    NS    ns-892.awsdns-47.net.

If I uncomment the A, it does resolve the domain to the IP, but otherwise, it does not work.

I was hoping that setting NS to those above would be enough for bind to forward to DNS, but obviously, I was wrong.

This is the output of dig:

dig @ ha-test.com

; <<>> DiG 9.16.1-Ubuntu <<>> @ ha-test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 99e2f6f74458640b01000000600eed92f545a3c7ada5b428 (good)
;ha-test.com.   IN  A

ha-test.com. 604800 IN  SOA ha-test.com. root.ha-test.com. 10 604800 86400 2419200 604800

;; Query time: 0 msec
;; WHEN: пон јан 25 17:10:58 CET 2021
;; MSG SIZE  rcvd: 121

If I do

dig @ns-1474.awsdns-56.org ha-test.com

It resolves properly.


Managed to solve it, but I am unsure whether that is the right way to do it:

In named.conf.local, I had a zone like this:

zone "ha-test.com" IN {
  type master;
  file "/etc/bind/zones/ha-test.com";
};

After replacing it to become a forwarding zone:

zone "ha-test.com" {
 type forward;
 forwarders {; };
};

The IP above is the IP I've got from ns-1474.awsdns-56.org. I could put multiple IPs from all NS but it seems a bit off. Doesn't it?

Jovan Perovic
  • Have you tried using '@' instead of the domain name, before the 'IN NS'? I've only used the syntax you're using when routing subdomains. I know in theory you should be able to NS the full domain, but that's not typically done the way you're specifying it. What you probably want is this: https://unix.stackexchange.com/questions/22552/how-to-let-named-bind9-forward-certain-domains-to-a-different-nameserver – KHobbits Jan 31 '21 at 13:47
  • Yes, I tried that as well, but with the same result :-/ – Jovan Perovic Jan 31 '21 at 14:09
  • Hey, @KHobbits, I have updated the question with a possible solution, can you please take a look at it? – Jovan Perovic Jan 31 '21 at 20:59

1 Answer


By looking at the snippets I would assume that you have configured a private hosted zone (you have a private IP for the server you are trying to resolve) and you already have some network connectivity between your local bind and AWS (VPN or Direct Connect).

Basically, you are on the right track after your update. You need to configure BIND to act as a forwarder for the hosted zone in question. If the hosted zone is associated with the VPC in which the server resides, and if you have proper connectivity, you can forward directly to the VPC DNS server; its address is usually the second IP of the VPC CIDR range (e.g.

In this case you are forwarding your requests directly to AWS.

A slightly different version of the same, which was pretty common for a while, is to have an EC2 instance running in the same VPC which acts as a forwarder to Route53, and then on your local machines configure the IP of the EC2 instance to be your DNS server. In practice this is the same thing you did, with the difference that BIND is running on an EC2 instance within the VPC.

Nowadays the AWS recommended approach is to use the so-called Route 53 Resolver with an Inbound Endpoint. The same prerequisites described above should be met - you need to have connectivity between on-prem and AWS, and your VPC should be associated with your hosted zone. The difference here is that instead of having to run a dedicated EC2 instance which you need to secure and administer, you now have an AWS service doing that for you. In addition to that you gain some resilience and HA, as you can set up the Route53 Resolver in multiple subnets (AZs). On top of that you can create an Outbound Endpoint too, which will give you the possibility to forward requests from AWS to on-prem DNS servers, and thus resolve DNS queries the other way around. You can read more about Route53 Resolver in the docs.

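To show why the question's first zone file answered NOERROR with an empty ANSWER section and why the forward-zone update (which the answer endorses) fixes it, here is an added example that is not code from the question or the answer: a small parser for the master-file format, a check that flags a master zone whose apex NS records all point outside the zone while no apex A/AAAA exists, and a generator for the forward stanza. The zone text is a constructed copy of the question's file, the forwarder addresses used in the test are documentation IPs, and `forward only` is my addition (the posted stanza used BIND's default forwarding mode).

```python
"""Added example (not from the post): lint a BIND zone for the question's mistake."""
ZONE_TEXT = """\
$TTL 604800
@   IN  SOA  ha-test.com. root.ha-test.com. (
        10 604800 86400     ; serial refresh retry
        2419200 604800 )    ; expire negative-cache TTL
;ha-test.com.   IN    A
ha-test.com.    IN    NS    ns-1474.awsdns-56.org.
ha-test.com.    IN    NS    ns-189.awsdns-23.com.
"""

def fqdn(name, origin):
    """Absolute name: '@' and relative names are resolved against the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)]; handles ';' comments and ( ) continuations."""
    origin, records, buf, last = origin.rstrip(".") + ".", [], "", "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip() or line.startswith("$"):    # blank line or $TTL-style directive
            continue
        if not buf and line[0] in " \t":
            line = last + " " + line                     # blank owner = previous owner
        buf = (buf + " " + line).strip()
        if buf.count("(") > buf.count(")"):
            continue                                      # record continues on next line
        toks, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        last, rest = toks[0], toks[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                                   # optional TTL / class
        rdata = fqdn(rest[1], origin) if rest[0].upper() == "NS" else " ".join(rest[1:])
        records.append((fqdn(last, origin), rest[0].upper(), rdata))
    return records

def diagnose(records, origin):
    """'forward-needed' when every apex NS is external and there is no apex A/AAAA."""
    origin = origin.rstrip(".") + "."
    apex = [(t, d) for o, t, d in records if o == origin]
    ns = [d for t, d in apex if t == "NS"]
    in_zone = [n for n in ns if n == origin or n.endswith("." + origin)]
    has_addr = any(t in ("A", "AAAA") for t, _ in apex)
    return "forward-needed" if ns and not in_zone and not has_addr else "authoritative-ok"

def forward_zone(origin, forwarders):
    """named.conf stanza that really forwards (the question's fix); 'forward only'
    stops BIND from falling back to its own recursion, which cannot see a private zone."""
    ips = " ".join(f"{ip};" for ip in forwarders)
    return (f'zone "{origin.rstrip(".")}" {{\n    type forward;\n    forward only;\n'
            f'    forwarders {{ {ips} }};\n}};')
```

A master zone that contains only external apex NS records makes BIND the authority for the name, so it answers from the zone (SOA in AUTHORITY, nothing in ANSWER) and never consults those NS; only a forward zone sends the query on.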