Resolve Route 53 Private Hosted Zones from an On-premises Network

Route 53 Private Hosted Zones

Amazon Route 53 DNS service supports Public Hosted Zones and Private Hosted Zones. Private Hosted Zones are useful when you want to use your private domain and have Route 53 respond to queries on that domain from resources within your VPC. 

For example, if you host a database on an EC2 instance on a private subnet, you can create a Route 53 record set (ex: for that database instance on your Private Hosted Zone to allow other EC2 instances to resolve the domain name. 


But what if you have a VPN connection (or an AWS Direct Connect connection to your Amazon VPC), and you want your on-premises servers to resolve the DNS records you have in the private hosted zone? The Route 53 resolver only answers queries from resources within the associated VPC, so you will need a different approach for this scenario.

In this post, we’ll show you how to set up an Ubuntu EC2 instance as a DNS forwarder that will allow your on-premises servers to resolve domain names in your Private Hosted Zones.

The setup overview

[Diagram: setup overview of the DNS forwarder between the on-premises network and Route 53]

In this setup, you will use a new Ubuntu EC2 instance that will accept DNS queries from your on-premises servers, and then forward them to Amazon Route 53. The reply will be sent back to the on-premises server to effectively resolve domain names in the private hosted zone. 

You should have an entry on your private hosted zone for your domain, ex: pointed to EC2 instance, as shown in the diagram below.

[Diagram: private hosted zone record pointing to the EC2 instance]

Configure your DNS forwarder

Before you proceed, you need to ensure that DNS resolution and DNS Hostnames are enabled on the target VPC. Refer to this link on how to do that on your custom VPC. 

** The default VPC and VPCs created from the VPC wizard in the AWS Console have them enabled by default, so you don’t need extra effort for that.

1. Create a new Ubuntu EC2 instance on the same VPC where you have the MySQL EC2 instance. Let’s assume that the IP address is 

2. Update the security group of the new EC2 instance to allow inbound port 53 over both TCP and UDP, with the source set to your on-premises network IP block. 

3. SSH to your newly created EC2 instance. Refer to this link on how to SSH.

4. Once logged in, you can check the current DNS resolver used by the instance with the following command:

   $ cat /etc/resolv.conf

   Sample output:
   # Generated by NetworkManager
   search ap-southeast-1.compute.internal

5. To receive DNS queries, the BIND DNS server needs to be installed. Install the package on your instance with this command:

  $ sudo apt install bind9 bind9utils -y 

6. Next, configure the BIND server to be a forwarder by modifying the contents of the /etc/bind/named.conf.options file.

  $ sudo nano /etc/bind/named.conf.options

7. Inside the file, before the “options” section, create an access control list (ACL) listing the IP addresses that the BIND server should trust, i.e. the IP block of the on-premises network in this example. Follow the syntax of the BIND config file, with a semicolon terminating every statement.

  acl "trusted" { <on-premises-CIDR>; };   // replace the placeholder with your on-premises IP block

  options {
          directory "/var/cache/bind";
          dnssec-validation auto;
          auth-nxdomain no;    # conform to RFC1035
          listen-on-v6 { any; };
  };

8. Inside the “options” section, configure BIND to forward all DNS requests to the Amazon VPC name server. The nameserver is always the second available IP address in your VPC CIDR block. In this example, it is as we confirmed in Step 4. Add this IP to the forwarders list, as shown below: 

  options {
          directory "/var/cache/bind";
          dnssec-validation auto;
          auth-nxdomain no;    # conform to RFC1035
          listen-on-v6 { any; };
          forwarders { <VPC-resolver-IP>; };   // the VPC name server confirmed in Step 4
  };

9. Next, add a “forward only” entry, then add the “trusted” ACL to the “allow-query” and “allow-recursion” lists to limit which hosts may query the BIND server. Also set “dnssec-validation” to “no”, since Route 53 does not support DNSSEC at this time. Your config file should look like this:

  acl "trusted" { <on-premises-CIDR>; };   // replace the placeholder with your on-premises IP block

  options {
          directory "/var/cache/bind";
          dnssec-validation no;
          auth-nxdomain no;    # conform to RFC1035
          listen-on-v6 { any; };
          forwarders { <VPC-resolver-IP>; };   // the VPC name server confirmed in Step 4
          forward only;
          allow-query { trusted; };
          allow-recursion { trusted; };
  };

10. Save and exit the file. Test the syntax of the BIND config file with the following command:

  $ sudo named-checkconf /etc/bind/named.conf.options

11. No output means that the syntax is correct. Finally, you can restart the BIND process to apply the changes:

  $ sudo service bind9 restart
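As an added example (not code from the original post), the following POSIX shell script derives the VPC resolver address described in Step 8 from a VPC CIDR and renders the complete named.conf.options assembled in Steps 7 to 9. The CIDR values in it are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the VPC-provided
# resolver address (network address + 2, as Step 8 describes) and render the
# named.conf.options forwarder configuration assembled in Steps 7-9.
# The CIDR values at the bottom are constructed placeholders.
set -eu

# vpc_resolver_ip CIDR -> prints the ".2" address of that VPC block,
# masking first so a host address inside the block also works.
vpc_resolver_ip() {
    ip=${1%/*}; prefix=${1#*/}
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    n=$(( (n & mask) + 2 ))
    printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# render_named_conf_options TRUSTED_CIDR FORWARDER_IP -> prints the file body:
# only the trusted ACL may query or recurse, every query is forwarded to the
# VPC resolver (forward only), and DNSSEC validation is off (Step 9).
render_named_conf_options() {
    cat <<EOF
acl "trusted" { $1; };

options {
        directory "/var/cache/bind";
        dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forwarders { $2; };
        forward only;
        allow-query { trusted; };
        allow-recursion { trusted; };
};
EOF
}

# Constructed example values: replace with your VPC and on-premises blocks.
VPC_CIDR=10.0.0.0/16
ONPREM_CIDR=192.168.10.0/24
render_named_conf_options "$ONPREM_CIDR" "$(vpc_resolver_ip "$VPC_CIDR")"
```

Redirect the output to /etc/bind/named.conf.options (or a scratch file) and run named-checkconf on it, as in Step 10, before restarting BIND.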

After setting up the BIND server on your new Ubuntu instance, you have to configure your on-premises servers to use it as their DNS server so they can resolve the domains in the private hosted zone. 

Update DNS Setting of your on-premises servers

Changing the DNS server on your on-premises servers depends on the operating system. 

On Linux servers, you can edit the /etc/resolv.conf file (like the one on Step 4) and change the nameserver entry. 

  $ cat /etc/resolv.conf
  # Generated by NetworkManager
  search company.internal

On Windows-based servers, you can set the DNS server in the Network Connections settings. Example:

[Screenshot: Windows Network Connections DNS server setting]

Test DNS resolution

To test DNS resolution, log in to your on-premises Linux server and use the dig command.

  $ dig

Sample output (truncated, only showing the answer section):



This article is authored by: Kenneth Samonte, our resident AWS whiz/contributor.

