In the previous blog post, we talked about Split-view DNS using Amazon Route 53, in which the DNS server gives out a different response to the same DNS query based on where the query came from. This is helpful if you are in a hybrid environment when you want an internal application to resolve a domain from a private hosted zone and external applications to resolve from a public hosted zone in Route 53.

In hybrid environments, configuring Amazon Route 53 hosted zones can be tricky. Your VPC and on-premises resources may need to resolve DNS names hosted on the on-premises data center. Accordingly, the on-premises resources may also need to resolve DNS records hosted on AWS.

In this blog post, we’ll explore Amazon Route 53 Resolver, which is a feature that allows users to resolve DNS records between their on-premises resources and VPCs to create a hybrid cloud setup over VPN or Direct Connect (DX).

Before we configure our Amazon Route 53 Resolvers, it is important to remember the following concepts:

• Inbound Resolver endpoint – Allows the DNS server from the on-premises network to resolve domain names from AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
• Outbound Resolver endpoint – Allows the DNS queries from your AWS VPC to be forwarded to your on-premises DNS server or to a resolver on another AWS VPC.
• Resolver rules – Forwarding rules that you create for each domain that you want forward DNS queries from your VPC to an on-premises DNS resolver. You can also set rules for the domain queries from your on-premises DNS resolver to your VPC.

The Route 53 Resolver uses the resolver to rules for each domain to forward the query to a specific IP address of the DNS resolver you want to use.

Whether you create an inbound endpoint or an outbound endpoint, you need to specify the specific IP addresses that you want your DNS resolvers to forward DNS queries. These are private IP addresses from your VPC IP range so you will need to connect to your VPC using a Direct Connect connection or a VPN connection.

A Route 53 Resolver automatically answers DNS queries for:

• Internal VPC domain names for Amazon EC2 instances (for example, ec2-172-16-2-44.compute-1.amazonaws.com).
• Amazon Route 53 records in private hosted zones (for example, private.tutorialsdojo.com).
• Public domain names are recursively looked up against public name servers on the internet.

See the below diagram as an example of a simplified hybrid network scenario that uses both inbound and outbound resolvers:

The above diagram illustrates the following steps for the Inbound resolver (arrows in blue):

1. The client from the on-premises network needs to resolve domain private.tutorialsdojo.com, which is inside the VPC. The client sends the DNS query to the on-premises DNS resolver.
2. The on-premises resolver uses the VPN connection to forward the query to the Inbound endpoint.
3. The Inbound endpoint receives the request and forwards it to the VPC+2, which is connected to the Route 53 Resolver
4. The VPC+2 receives the request and forwards it to the Route 53 Resolver to get an answer.
5. The DNS Resolves the DNS query and returns the answer on the same to the client.

The above diagram illustrates the following steps for the Outbound resolver (arrows in green):

1. A resource from the VPC, such as an EC2 instance, needs to resolve the domain internal.tutorialsdojo.com, which has an authoritative DNS server inside the on-premises data center. The query is sent to the VPC+2, which is connected to the Route 53 DNS Resolver.
2. The DNS Resolver receives the request and processes it based on the resolver rules.
3. The DNS Resolver has a forwarding rule that will forward internal.tutorialsdojo.com domains to the on-premises data center DNS Server. It sends the request to the Outbound endpoint.
4. The Outbound endpoints use the VPN connection to forward the request to the on-premises DNS resolver.
5. The DNS resolver receives the query and resolves the request. The answer is returned to the EC2 instances using the same path in reverse.

Creating a Route 53 Resolver Endpoints

 You can create an Inbound endpoint by following the steps below using the AWS console:

1. Go to the Route 53 service page > click Resolver > click Inbound endpoints.

2. Click Create inbound endpoint button.

3. Fill in the details for your inbound endpoint, such as the name, VPC, and security group for the endpoint.

4. Under IP Addresses, enter 2 IP addresses from a subnet, preferably from 2 different Availability Zones. This is to improve the availability of the resolver. These will be the IP addresses of your resolver.

5. Click Create Inbound endpoint button.

You can create an Outbound endpoint by following the steps below using the AWS console:

1. Go to the Route 53 service page > click Resolver > click Outbound endpoints.

2. Click Create Outbound endpoint button.

3. Fill in the details for your inbound endpoint, such as the name, VPC, and the security group for the endpoint.

4 Under IP Addresses, enter 2 IP addresses from a subnet, preferably from 2 different Availability Zones. This is to improve the availability of the resolver. These will be the IP addresses of your resolver.

5. Click Create Outbound endpoint button.

To create Resolver Rules, follow the steps below using the AWS Console.

1. Go to the Route 53 service page > click Resolver > click Outbound endpoints.

2. Click Create rule button.

3. Fill in the details for the rule, such as Rule name, Rule type, VPC, and the Outbound endpoint to be used.

4. Under Target IP address, input the IP address of the DNS resolver from your on-premises data center.

5. Click Submit to create this new forwarding rule.

See the below links for more reading.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-inbound-queries.html