
I'm going crazy because this should be easy especially when following the Amazon documentation. I've been using this reference from Amazon.

Just trying to change the DNS servers that an AWS EC2 instance uses to resolve domain names. Edited /etc/sysconfig/network-scripts/ifcfg-eth0, set PEERDNS=no, added DNS1=10.0.0.11, saved, rebooted, no dice: still see the 10.0.0.2 nameserver in /etc/resolv.conf, and testing a ping to an internal server's FQDN (server.mycorp.company.com) fails as it requires our internal DNS server to resolve the name. If I manually edit resolv.conf and change the nameserver line to reflect our DNS server 10.0.0.11, the pings work.

Server is running the latest Amazon Linux AMI as far as I can tell, 2017.03. Complete /etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=no
DHCPV6C=yes
DHCPV6C_OPTIONS=-nw
PERSISTENT_DHCLIENT=yes
RES_OPTIONS="timeout:2 attempts:5"
DHCP_ARP_CHECK=no
DNS1=10.0.0.11

* the IP addresses have been changed to protect the innocent

nobodynew

3 Answers


I believe that AWS doc is not correct. Setting PEERDNS=no in /etc/sysconfig/network-scripts/ifcfg-eth0 will prevent any update from being reflected in the resolv.conf file. You thus have 2 options:

  1. Leave PEERDNS=yes and add DNS1=, DNS2=...
  2. Set PEERDNS=no and change nameserver directly in resolv.conf

Tested with Linux AMI 2017.03

Roberto

For future readers of this question, note that the AWS article in the question has been superseded by different instructions.

Instead of editing the specific network interface configuration, these suggest changing the DHCP client configuration to ignore the DHCP-provided DNS server.

  1. Edit /etc/dhcp/dhclient.conf
  2. Add a line of the form supersede domain-name-servers a.b.c.d, e.f.g.h; (where a.b.c.d and e.f.g.h are the IP addresses of one or more DNS servers).

This will normally take effect on the next system boot, but you can force it to be read immediately by restarting the network interface:

# RedHat based systems (e.g. RHEL, Fedora, CentOS, Amazon Linux)
/etc/init.d/network restart
# Debian based systems (e.g. Debian, Ubuntu)
/etc/init.d/networking restart
IMSoP

I think the problem here is you're trying to have EC2 use a DNS server outside the VPC. I don't think that's possible. Are you using a VPN, or just relying on Internet connectivity?

AWS have posted a way to achieve this using the Unbound DNS resolver here. It's too large to copy here, but it basically acts as a forwarder.

Tim
  • I should have used a 10.0.0.0/8 address for the DNS server example. It is in the same VPC. Will edit now. However, their documentation does not list a limitation that the DNS server needs to be in the same VPC and the reference document from Amazon I quoted uses DNS servers outside of the VPC, so would doubt that would be a limitation. In either case, the DNS server is inside the same VPC as the EC2 instance which I want to be using static DNS. – nobodynew May 10 '17 at 20:40
  • Not sure if this is helpful, but what i do with my EC2 instances is i add the domain in the search in resolv.conf. IE: search foo.org – ryekayo May 10 '17 at 20:43
  • 1
    The DNS server does not need to be inside the VPC -- ir only needs to be reachable... but the correct place to configure it is in DHCP for the VPC. – Michael - sqlbot May 10 '17 at 23:52
  • @Michael-sqlbot this is looking like the right direction here, but I assume I cannot have different DHCP options sets for subnets in the same VPC? Please post as an answer since this is the most correct so far and I can give credit :). – nobodynew May 11 '17 at 00:05
  • I can do that, but you're correct that you can't have more than one DHCP option set activate in a single VPC. If you need that kind of flexibility, you might take a look at [this](https://unix.stackexchange.com/q/273565/24251), which may be even more correct/useful, in this case. It's not Amazon Linux but may be the mechanism that's thwarting your efforts. – Michael - sqlbot May 11 '17 at 00:17
  • @Michael-sqlbot Yes, that makes sense: force a static resolv.conf would fit the requirements. – nobodynew May 11 '17 at 00:22
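The VPC-level approach Michael - sqlbot describes in the comments (and the search domain ryekayo mentions), as an added AWS CLI example that is not part of the thread: create a DHCP options set carrying the internal resolvers and the internal domain, then associate it with the VPC so every instance receives them from DHCP without per-instance edits. It assumes the AWS CLI is installed with credentials allowed to call ec2:CreateDhcpOptions and ec2:AssociateDhcpOptions; the VPC ID, domain and addresses in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): set a VPC's DNS servers through its DHCP
# options set instead of editing each instance.

# dhcp_configurations ADDR...: build the "Key=domain-name-servers,Values=..." item
# that "aws ec2 create-dhcp-options --dhcp-configurations" expects (comma-separated).
dhcp_configurations() {
  [ "$#" -gt 0 ] || return 1
  values=$(printf '%s,' "$@")
  printf 'Key=domain-name-servers,Values=%s' "${values%,}"
}

# apply_vpc_dns VPC_ID DOMAIN ADDR...: create a DHCP options set with the given
# nameservers and search domain, attach it to VPC_ID, and print the new options ID.
apply_vpc_dns() {
  vpc_id=$1
  domain=$2
  shift 2
  servers=$(dhcp_configurations "$@") || { echo "apply_vpc_dns: no nameservers given" >&2; return 1; }
  dopt_id=$(aws ec2 create-dhcp-options \
      --dhcp-configurations "$servers" "Key=domain-name,Values=$domain" \
      --query 'DhcpOptions.DhcpOptionsId' --output text) || return 1
  aws ec2 associate-dhcp-options --dhcp-options-id "$dopt_id" --vpc-id "$vpc_id" || return 1
  echo "$dopt_id"
}

# A VPC can have only one DHCP options set associated at a time (as the comment
# notes), so this replaces whatever set was attached before; instances pick the
# new servers up at their next DHCP lease renewal or after a network restart.
# Usage with placeholder values (not run here):
#   apply_vpc_dns vpc-EXAMPLE mycorp.company.com 10.0.0.11 10.0.0.12
```

Because the options set applies to the whole VPC, subnets needing different resolvers still require one of the per-instance methods from the answers above.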