Resolve Route 53 Private Hosted Zones from an On-premises Network

Route 53 Private Hosted Zones

Amazon Route 53 DNS service supports Public Hosted Zones and Private Hosted Zones. Private Hosted Zones are useful when you want to use your private domain and have Route 53 respond to queries on that domain from resources within your VPC. 

For example, if you host a database on an EC2 instance on a private subnet, you can create a Route 53 record set (ex: for that database instance on your Private Hosted Zone to allow other EC2 instances to resolve the domain name. 

But what if you have a VPN connection (or an AWS Direct Connect connection to your Amazon VPC), and you want your on-premises servers to resolve the DNS records you have in the private hosted zone? The Amazon-provided DNS resolver only answers queries from resources within the associated VPC, so you will need a different approach for this scenario.

In this post, we'll show you how to set up an Ubuntu EC2 instance as a DNS forwarder that allows your on-premises servers to resolve domain names in your Private Hosted Zones.

The setup overview

[Diagram: setup overview]

In this setup, you will use a new Ubuntu EC2 instance that accepts DNS queries from your on-premises servers and forwards them to Amazon Route 53. The reply is sent back to the on-premises server, which effectively resolves domain names in the private hosted zone.

You should have an entry in your private hosted zone for your domain, ex: pointed to the EC2 instance, as shown in the diagram below.

[Diagram: private hosted zone record pointing to the EC2 instance]

Configure your DNS forwarder

Before you proceed, you need to ensure that DNS resolution and DNS hostnames are enabled on the target VPC. Refer to this link on how to do that on your custom VPC.

Note: The default VPC and VPCs created from the VPC wizard in the AWS Console have both enabled by default, so no extra effort is needed there.


1. Create a new Ubuntu EC2 instance on the same VPC where you have the MySQL EC2 instance. Let’s assume that the IP address is 

2. Update the security group of the new EC2 instance to allow inbound TCP and UDP port 53, with your on-premises network IP block as the source. Do not open port 53 to 0.0.0.0/0; the forwarder should only be reachable from the on-premises network.

3. SSH to your newly created EC2 instance. Refer to this link on how to SSH.

4. Once logged in, you can check the current DNS resolver used by the instance with the following command:

  $ cat /etc/resolv.conf

  Sample output:

  # Generated by NetworkManager
  search ap-southeast-1.compute.internal

5. To receive DNS queries, the BIND DNS server needs to be installed. To install the package on your instance, use this command:

  $ sudo apt install bind9 bind9utils -y

6. Next, configure the BIND server to be a forwarder by modifying the contents of the /etc/bind/named.conf.options file.

  $ sudo nano /etc/bind/named.conf.options

7. Inside the file, before the "options" section, create an access control list (ACL) named "trusted" containing the IP addresses you trust, i.e., the IP block of the on-premises network in this example. Follow the syntax of the BIND config file: every statement ends with a semicolon and every block is closed with "};".

acl "trusted" { <on-premises network IP block>; };

options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

8. Inside the "options" section, configure BIND to forward all DNS requests to the Amazon VPC name server. The name server is always the second available IP address in your VPC CIDR block. In this example, it is as we confirmed in Step 4. Add this IP to the "forwarders" list, as shown below:

options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders { <VPC DNS server IP>; };
};

9. Next, add a "forward only" entry, then add the "trusted" ACL to the "allow-query" and "allow-recursion" lists to limit which hosts may query the BIND server. Without these two lists, BIND would answer (and recurse for) any host that can reach port 53, making it an open resolver. Also set "dnssec-validation" to "no", since Route 53 does not support DNSSEC at this time. Your config file should look like this:

acl "trusted" { <on-premises network IP block>; };

options {
        directory "/var/cache/bind";
        dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders { <VPC DNS server IP>; };
        forward only;
        allow-query { trusted; };
        allow-recursion { trusted; };
};

10. Save and exit the file. Test the syntax of the BIND config file with the following command:

  $ sudo named-checkconf /etc/bind/named.conf.options

11. No output means that the syntax is correct. Finally, you can restart the BIND process to apply the changes:

  $ sudo service bind9 restart
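As an added example (not code from the post), the following Python script derives the VPC resolver address the way Step 8 describes (VPC network address plus two), renders the named.conf.options from Steps 7 to 9, and audits such a file for the settings that keep it from becoming an open resolver; the CIDR values are constructed samples.

```python
import ipaddress
import re

def vpc_resolver_ip(vpc_cidr: str) -> str:
    """The Amazon-provided resolver sits at the VPC network address plus 2
    (the post's "second available IP address"): 10.0.0.0/16 -> 10.0.0.2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)

def render_named_options(trusted_cidr: str, forwarder_ip: str) -> str:
    """Build a named.conf.options with the settings from steps 7-9."""
    return (
        f'acl "trusted" {{ {trusted_cidr}; }};\n'
        "options {\n"
        '        directory "/var/cache/bind";\n'
        "        dnssec-validation no;\n"
        "        auth-nxdomain no;    # conform to RFC1035\n"
        "        listen-on-v6 { any; };\n"
        f"        forwarders {{ {forwarder_ip}; }};\n"
        "        forward only;\n"
        "        allow-query { trusted; };\n"
        "        allow-recursion { trusted; };\n"
        "};\n"
    )

def audit_named_options(text: str) -> list:
    """Return findings for settings that would let any client use the
    forwarder (open recursive resolver) or stop it forwarding to the VPC."""
    def block(name):
        # Contents of `name { ... }`; enough for the flat directives checked here.
        m = re.search(r"\b" + name + r"\s*\{([^}]*)\}", text)
        return None if m is None else m.group(1).strip()

    findings = []
    for opt in ("allow-query", "allow-recursion"):
        val = block(opt)
        tokens = [] if val is None else [t.strip() for t in val.split(";") if t.strip()]
        if val is None or "any" in tokens:
            findings.append(f"{opt} is not limited to the trusted ACL")
    if not block("forwarders"):
        findings.append("forwarders is empty: nothing reaches the VPC resolver")
    if not re.search(r"\bforward\s+only\s*;", text):
        findings.append("forward only is missing: BIND would fall back to its own recursion")
    return findings

if __name__ == "__main__":
    # Constructed sample values: on-premises block 192.168.10.0/24, VPC 10.0.0.0/16.
    cfg = render_named_options("192.168.10.0/24", vpc_resolver_ip("10.0.0.0/16"))
    print(cfg, "findings:", audit_named_options(cfg))
```

Run `audit_named_options` over the contents of an existing /etc/bind/named.conf.options to confirm that allow-query and allow-recursion are restricted before opening the security group.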

After setting up the BIND server on your new Ubuntu instance, you have to configure your on-premises servers to use it as their DNS server to resolve the domains in the private hosted zone.

Update DNS Setting of your on-premises servers

Changing the DNS server on your on-premises servers depends on the operating system. 

On Linux servers, you can edit the /etc/resolv.conf file (the same file shown in Step 4) and change the nameserver entry.

  $ cat /etc/resolv.conf
  # Generated by NetworkManager
  search company.internal

On Windows-based servers, you can set the DNS server in the network connection settings. Example:

[Screenshot: Windows network connection DNS settings]

Test DNS resolution

To test DNS resolution, log in to your on-premises Linux server and use the dig command.

  $ dig

Sample output (truncated, only showing the answer section):

This article is authored by: Kenneth Samonte, our resident AWS whiz/contributor.
