
I seem to be having an issue with DNS setup with split horizon/views in R53. We want to be able to get a copy of the internal zone from R53 from my local FreeIPA servers. Is this possible? I have zone forwards set up in FreeIPA so that if you are up in the AWS VPC you can query R53. However, I can't do that from my local office. We are trying to figure out how to get a copy of the internal zone down to my local FreeIPA servers. From what I have read this is NOT possible, since I can't recursively talk to R53.

Andrew M

1 Answer


It is, of course, "possible" to resolve private hosted zones from outside the VPC... but not with zone transfers, since Route 53 does not support zone transfers. For this to work, you need to be able to query the VPC's built-in resolver. This can only be done by using a configuration with a source IP address that is within the VPC -- the queries have to come from an instance.

The configuration of your on-prem servers would be almost no different than your inside-AWS servers, as far as recursive queries, but the target IP address that they recursively query would need to be an instance inside the VPC that hosts a DNS proxy that sends those queries to the VPC resolver on their behalf.

Assuming you already have a VPN between your premises and the VPC, this traffic rides the VPN to get to the DNS proxy instance. If there is no VPN, then this proxy instance could also host OpenVPN to terminate a tunnel from your premises for the queries.

In either event, a pair of t2.nano instances ($5/mo) in two availability zones should be more than adequate for such a workload.

There are also several "firewall" AMIs in the AWS Marketplace that support DNS forward proxying, if you didn't want to roll your own instances to handle the task.

I'm not specifically familiar with FreeIPA, but... thinking about what you say you are already doing... it seems like you might even be able to configure your on-prem servers to forward their queries to the FreeIPA servers inside the VPC, which should then recursively query the records exactly the same way they do for other clients within the VPC... so no additional instance would be needed.

Michael - sqlbot
  • So currently I have zone forwarders in at the FreeIPA level for all my zones. The forwarders point to the AWS VPC resolver for that subnet. So my clients at my local office are NOT resolving the correct information when querying the local name-server. They attempt to go to the VPC subnet resolver and communication dies. My only option that I can see is to explicitly put forwarder entries in /etc/named.conf in my local FreeIPA instances. – Andrew M Apr 08 '18 at 20:32
  • You can't use the VPC DNS resolver *directly* from outside the VPC... but you can query a resolver of your own that is inside the VPC. – Michael - sqlbot Apr 08 '18 at 21:46
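The two-hop forwarding arrangement the answer and the last comment describe, written out as BIND configuration. This is an added example, not configuration from the question or the answer: the VPC CIDR 10.0.0.0/16 (so the built-in resolver sits at 10.0.0.2, the VPC CIDR base plus two), the proxy instance addresses 10.0.1.10 and 10.0.2.10, the office network 192.168.50.0/24 and the zone name internal.example.com are all assumed values, to be replaced with your own. The first stanza is the proxy instance inside the VPC; the second shows the on-prem FreeIPA forwarder first in the form that fails from the office, then pointed at the proxies.

```conf
// ---- /etc/named.conf on each DNS proxy instance inside the VPC ----
// (assumed: private IP 10.0.1.10 in VPC CIDR 10.0.0.0/16; office is 192.168.50.0/24)

acl "onprem" { 192.168.50.0/24; };   // assumed office network, reached over the VPN
acl "vpc"    { 10.0.0.0/16; };       // assumed VPC CIDR

options {
    listen-on port 53 { 10.0.1.10; 127.0.0.1; };

    // Only the VPN-connected office and the VPC itself may use this proxy;
    // anything else gets REFUSED, so the instance is not an open resolver.
    allow-query     { onprem; vpc; localhost; };
    allow-recursion { onprem; vpc; localhost; };

    // Every query is handed to the VPC's built-in resolver (VPC CIDR base + 2).
    // Because the query now originates from an instance, the private hosted
    // zone is visible. "forward only" keeps the proxy from trying root servers
    // if the forwarder is slow to answer.
    forwarders { 10.0.0.2; };
    forward only;

    // Private hosted zone records are unsigned; leave validation off here or a
    // publicly signed parent zone can cause the internal names to SERVFAIL.
    dnssec-validation no;
};

// ---- /etc/named.conf on the on-prem FreeIPA servers ----

// BROKEN: this is the configuration described in the comments. 10.0.0.2 only
// answers queries whose source address is inside the VPC, so office clients
// time out ("communication dies").
//
// zone "internal.example.com" IN {
//     type forward;
//     forward only;
//     forwarders { 10.0.0.2; };
// };

// FIXED: forward the internal zone to the proxy instances, which are reachable
// over the VPN. One proxy per availability zone, as the answer suggests.
zone "internal.example.com" IN {
    type forward;
    forward only;
    forwarders { 10.0.1.10; 10.0.2.10; };
};
```

On a FreeIPA server the supported way to add that second stanza is `ipa dnsforwardzone-add internal.example.com. --forwarder=10.0.1.10 --forwarder=10.0.2.10 --forward-policy=only`, which stores the forward zone in LDAP and replicates it to the other IPA servers instead of hand-editing named.conf on each one. Two checks before blaming the configuration: the proxy instances' security group has to allow UDP and TCP port 53 from the office CIDR, and the VPC needs both the enableDnsSupport and enableDnsHostnames attributes set, since a private hosted zone is not served to the VPC resolver otherwise. `dig @10.0.1.10 host.internal.example.com` from an office machine, over the VPN, is the quickest end-to-end test.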