
We have a DNS server outside of AWS, inside we have route53 with some private hosted zones. I want cnames on the private hosted zones to be available internally (when you access them inside the office).

Due to my limited experience with DNS, I'm not sure what's the best way to go about this. I have looked at unbound but not sure if it's the right tool. Do I need to forward my requests to the main DNS server when a private hosted zone is requested?

DorianT
  • Perhaps: http://aws.amazon.com/directconnect/ – hjpotter92 Oct 05 '16 at 16:49
  • @hjpotter92 that's one way among several to connect into the VPC, but private hosted zone data is only queryable from EC2 instances, using the VPC resolver. A DNS proxy inside EC2 is almost certainly going to be needed. – Michael - sqlbot Oct 05 '16 at 17:25
  • @Michael-sqlbot I know that I can resolve the cnames from within AWS. So I was thinking of setting up a DNS proxy/relay inside EC2 (or a docker container in ECS) using unbound. But not so sure of the configurations. – DorianT Oct 05 '16 at 18:09
  • I don't know that `unbound` is the right tool -- it appears to be a recursive resolver that queries the root servers. That isn't what you want. You need a DNS proxy that will forward your queries to the resolver that AWS automatically provides on the .2 address of the first subnet in your VPC CIDR block (e.g. 172.31.0.2 -- check /etc/resolv.conf on one of your instances to find it. The value will be the same for all machines in the VPC ). I have a config file for `dnsproxy` (included with Ubuntu) if that would be useful. – Michael - sqlbot Oct 05 '16 at 18:34
  • @Michael-sqlbot : I was just reading the docs, amazon suggests "If you have integrated your on-premises network with one or more Amazon VPC virtual networks and you want your on-premises network to resolve domain names in private hosted zones, you can create a Simple AD directory. Simple AD provides IP addresses that you can use to submit DNS queries from your on-premises network to your private hosted zone. For more information, see Getting Started with Simple AD in the AWS Directory Service Administration Guide." sounds a bit too complicated. – DorianT Oct 05 '16 at 19:52

3 Answers


You will need to:

  • Set up an IPsec VPN to connect between AWS and the office, and
  • Set up Dnsmasq in both the AWS and office sites to proxy your DNS requests.

The most important option of Dnsmasq in this case is --domain=, to specify DNS domains to forward. You can use this option to pass DNS requests to your private Route53 domain (office clients -> Dnsmasq/Unbound in office -> Dnsmasq in AWS -> Route53).

Bhargav Amin
Gea-Suan Lin

Unbound was the answer.

Have unbound on an EC2 instance, in the forward section of your unbound config file have your bob.whatever.com zone and point it to your VPC's DNS 10.0.0.2.

Test it by `dig @<EC2IP> bob.whatever.com`

All you'd need to do is to have a forwarder on your on-premises DNS server.

DorianT
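The unbound setup described in the answer above, written out as an added example that is not from the original answer. The zone name bob.whatever.com and the VPC resolver 10.0.0.2 come from the answer; the VPC CIDR 10.0.0.0/16, the instance's private address 10.0.1.10 and the office network 192.168.10.0/24 are assumed values.

```conf
# /etc/unbound/unbound.conf on the EC2 instance (added example, not the
# original poster's file). Assumed: VPC 10.0.0.0/16 whose resolver is
# 10.0.0.2, instance private IP 10.0.1.10, office LAN 192.168.10.0/24
# reachable over the site-to-site VPN.
server:
    # Listen only on the private ENI address; the security group should
    # additionally allow UDP/TCP 53 solely from the office ranges.
    interface: 10.0.1.10
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Only the VPC and the office may query this instance. The final rule
    # refuses everything else so the box cannot be abused as an open
    # resolver if the security group is ever loosened.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/16 allow
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Private hosted zone records resolve to RFC 1918 addresses. If this
    # build has private-address: entries (Ubuntu's default config does),
    # such answers are dropped as rebinding attempts unless the zone is
    # listed here.
    private-domain: "bob.whatever.com"

    # The private zone is unsigned and is served by the VPC resolver, so
    # a validating resolver must treat it as insecure rather than bogus.
    domain-insecure: "bob.whatever.com"

    # Keep a query log so forwarded lookups from the office are auditable.
    verbosity: 1
    log-queries: yes

# Everything under bob.whatever.com is handed to the VPC resolver, which is
# the only resolver that can see Route 53 private hosted zones. Any other
# name is answered by normal recursion and never reaches 10.0.0.2.
forward-zone:
    name: "bob.whatever.com."
    forward-addr: 10.0.0.2
```

On the office side the on-premises server then needs a conditional forwarder for bob.whatever.com pointing at 10.0.1.10 over the VPN (with dnsmasq that is `server=/bob.whatever.com/10.0.1.10`), and `dig @10.0.1.10 host.bob.whatever.com` from an office machine confirms the chain end to end.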

What you want is described in this AWS blog post: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-by-using-unbound/

Karel