Configuring Hybrid DNS with AWS

30 minutes
  • 6 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we will configure Route 53 inbound and outbound endpoints to enable DNS name resolution between two networks.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log In to the Bastion Hosts and BIND Server

Log In to the On-Premises Bastion Host

  1. Open a terminal window.

  2. Enter:

    ssh cloud_user@<ON-PREMISES_BASTION_PUBLIC_IP>
  3. When prompted, enter the password provided for the on-premises bastion on the lab page.

Log In to the VPC Bastion Host

  1. Open a second terminal window.

  2. Enter:

    ssh cloud_user@<VPC_BASTION_PUBLIC_IP>
  3. When prompted, enter the password provided for the VPC bastion on the lab page.

Log In to the BIND Server

  1. Open a third terminal window.

  2. Enter:

    ssh cloud_user@<BIND_SERVER_PUBLIC_IP>
  3. When prompted, enter the password provided for the BIND server on the lab page.

Evaluate Hybrid DNS Resolution before Route 53 Resolver Endpoints

Evaluate DNS Resolution from the On-Premises Bastion Host

  1. In the terminal window connected to the on-premises bastion host, run the command:

    curl inet.intranet.onprem

    You should receive a message stating: This is an On Premises intranet.

  2. Run the following:

    curl inet.intranet.vpc

    You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.vpc.

Evaluate DNS Resolution from the VPC Bastion Host

  1. In the terminal window connected to the VPC bastion host, run the command:

    curl inet.intranet.vpc

    You should receive a message stating: This is the VPC intranet.

  2. Run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.onprem.

Create Route 53 Resolver Endpoints: Part 1 — Inbound Endpoint
  1. In the AWS Management Console, navigate to Route 53 Resolver.
  2. Click Configure Endpoints.
  3. Leave Inbound and outbound selected and click Next.

Create the Inbound Endpoint

  1. In Endpoint name, enter "DNSLabInbound".
  2. Select the VPC ending with AWSVPC.
  3. In a new browser tab, navigate to VPC and select Security Groups.
  4. Locate EndpointSecurityGroup and note the last four characters of its group ID. The group attached to the endpoints must allow DNS traffic (TCP and UDP port 53) between the endpoint IPs and the on-premises BIND server; the lab creates this group for you with those rules in place.
  5. In the Route 53 Resolver Endpoints browser tab, select the security group whose ID ends in the four characters you just noted.

Configure IP Address 1

  1. In the VPC dashboard, click Subnets.
  2. Locate AWSPubSubnet1 and note its Availability Zone.
  3. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet1.
  4. Select the subnet.
  5. Ensure Use an IP address that is selected automatically is selected.

Configure IP Address 2

  1. In the VPC subnets browser tab, locate AWSPubSubnet2 and note its Availability Zone.
  2. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet2.
  3. In Subnet, select the available subnet.
  4. Ensure Use an IP address that is selected automatically is selected.
  5. Click Next.

Create Route 53 Resolver Endpoints: Part 2 — Outbound Endpoint

Create the Outbound Endpoint

  1. In Endpoint name, enter "DNSLabOutbound".
  2. Select the VPC ending with AWSVPC.
  3. In another browser tab, navigate to VPC and select Security Groups.
  4. Select the same security group used for the inbound endpoint.

Configure IP Address 1

  1. In the VPC browser tab, click Subnets in the left-hand menu.
  2. Locate AWSPubSubnet1 and note its Availability Zone.
  3. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet1.
  4. Select the available subnet.
  5. Ensure Use an IP address that is selected automatically is selected.

Configure IP Address 2

  1. In the VPC subnets browser tab, locate AWSPubSubnet2 and note its Availability Zone.
  2. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet2.
  3. Select the available subnet.
  4. Ensure Use an IP address that is selected automatically is selected.
  5. Click Next.

Create a Rule for Outbound Traffic

  1. Enter "onprem" as the name for the rule for outbound traffic.
  2. Ensure Forward is selected as the rule type.
  3. Enter intranet.onprem as the DNS name. A forward rule also matches subdomains, so this one covers inet.intranet.onprem.
  4. Select the VPC with the name ending in AWSVPC.
  5. Under Target IP addresses, enter the private IP address of the BIND server provided in your lab instructions, leaving the port at its default of 53.
  6. Click Next and review the settings.
  7. Click Submit.

Configure the BIND Server
  1. Navigate to Route 53 and select Inbound Endpoints.

  2. In the ID column, click the hyperlink for the DNSLabInbound endpoint.

  3. Copy the 2 IP addresses for the inbound endpoint for later use.

  4. Open the terminal you used to log in to the BIND server.

  5. Enter the command:

    sudo vim /etc/named/named.conf.local

    If prompted, enter the password.

  6. At the bottom of the file, add the following forward zone statement, replacing <IP1> and <IP2> with the two inbound endpoint IP addresses you copied. Because the zone is forward only, BIND never falls back to normal recursion for names under vpc: if both endpoint addresses are unreachable, those queries fail rather than leaking to the public DNS tree.

    zone "vpc" {
        type forward;
        forward only;
        forwarders  { <IP1>; <IP2>; };
    };
  7. Save and exit the file.

  8. Restart the BIND server:

    sudo service named restart

    If prompted, enter the password provided for the BIND server.
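
The console steps above (both endpoints, the forwarding rule and its VPC association) and the BIND forward zone are what you would normally script rather than click through. The following is an added example, not code from the lab or from AWS: it builds the same Route 53 Resolver API requests with boto3, waits for the endpoints to become Operational, and emits the named.conf stanza from the BIND step. The resource IDs, addresses and the `apply` function's argument values are placeholders; only `apply` talks to AWS, the other functions run offline.

```python
"""Route 53 Resolver endpoints + forwarding rule + BIND forward zone, as API calls.

Added example for the lab's console procedure; not the lab's own code.
All IDs and IP addresses used as inputs are assumptions/placeholders.
"""
import ipaddress
import time
import uuid

DNS_PORT = 53


def endpoint_request(name, direction, security_group_id, subnet_ids):
    """Parameters for route53resolver.create_resolver_endpoint.

    Resolver needs at least two IP addresses in different subnets; the lab uses
    AWSPubSubnet1 and AWSPubSubnet2, one per Availability Zone.
    """
    if direction not in ("INBOUND", "OUTBOUND"):
        raise ValueError("direction must be INBOUND or OUTBOUND")
    if len(set(subnet_ids)) < 2:
        raise ValueError("a Resolver endpoint needs IPs in at least two subnets")
    return {
        "CreatorRequestId": str(uuid.uuid4()),  # idempotency token
        "Name": name,
        "Direction": direction,
        # Inbound endpoint: the group must allow TCP/UDP 53 in from the on-premises
        # DNS server. Outbound endpoint: it must allow TCP/UDP 53 out to that server.
        "SecurityGroupIds": [security_group_id],
        "IpAddresses": [{"SubnetId": s} for s in subnet_ids],  # IP chosen automatically
    }


def forward_rule_request(name, domain, outbound_endpoint_id, target_ips):
    """Parameters for route53resolver.create_resolver_rule (RuleType FORWARD).

    The rule matches the domain and all subdomains, so "intranet.onprem" covers
    inet.intranet.onprem. Every target must be an IPv4 literal.
    """
    targets = []
    for ip in target_ips:
        ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on bad input
        targets.append({"Ip": ip, "Port": DNS_PORT})
    return {
        "CreatorRequestId": str(uuid.uuid4()),
        "Name": name,
        "RuleType": "FORWARD",
        "DomainName": domain.rstrip("."),
        "ResolverEndpointId": outbound_endpoint_id,
        "TargetIps": targets,
    }


def bind_forward_zone(zone, forwarders):
    """named.conf stanza for the BIND step, pointing at both inbound endpoint IPs.

    'forward only' disables fallback to recursion for this zone, so an outage of
    both endpoint IPs yields SERVFAIL instead of a leak to the public DNS tree.
    """
    ips = [str(ipaddress.IPv4Address(ip)) for ip in forwarders]
    if len(ips) < 2:
        raise ValueError("use both inbound endpoint IPs for redundancy")
    return "\n".join([
        f'zone "{zone}" {{',
        "    type forward;",
        "    forward only;",
        "    forwarders { " + " ".join(f"{ip};" for ip in ips) + " };",
        "};",
    ])


def wait_operational(client, endpoint_id, attempts=60, delay=10):
    """Poll until the endpoint is OPERATIONAL; fail on a terminal error status."""
    for _ in range(attempts):
        status = client.get_resolver_endpoint(
            ResolverEndpointId=endpoint_id)["ResolverEndpoint"]["Status"]
        if status == "OPERATIONAL":
            return
        if status in ("ACTION_NEEDED", "DELETING"):
            raise RuntimeError(f"endpoint {endpoint_id} is {status}")
        time.sleep(delay)
    raise TimeoutError(f"endpoint {endpoint_id} never became OPERATIONAL")


def apply(vpc_id, sg_id, subnet_ids, bind_ip, region="us-east-1"):
    """Create both endpoints and the rule in the lab's region; return inbound IPs."""
    import boto3  # only needed when actually talking to AWS
    r53r = boto3.client("route53resolver", region_name=region)
    inbound = r53r.create_resolver_endpoint(
        **endpoint_request("DNSLabInbound", "INBOUND", sg_id, subnet_ids))["ResolverEndpoint"]
    outbound = r53r.create_resolver_endpoint(
        **endpoint_request("DNSLabOutbound", "OUTBOUND", sg_id, subnet_ids))["ResolverEndpoint"]
    for ep in (inbound, outbound):
        wait_operational(r53r, ep["Id"])
    rule = r53r.create_resolver_rule(
        **forward_rule_request("onprem", "intranet.onprem", outbound["Id"], [bind_ip]))["ResolverRule"]
    r53r.associate_resolver_rule(ResolverRuleId=rule["Id"], VPCId=vpc_id)  # console step 4
    addrs = r53r.list_resolver_endpoint_ip_addresses(
        ResolverEndpointId=inbound["Id"])["IpAddresses"]
    return [a["Ip"] for a in addrs]  # paste these into bind_forward_zone("vpc", ...)


if __name__ == "__main__":
    # Placeholder inbound endpoint IPs; after apply() use the real ones it returns.
    print(bind_forward_zone("vpc", ["10.0.1.10", "10.0.2.10"]))
```

Append the printed stanza to the BIND configuration file used in the step above and run `sudo named-checkconf` before restarting named, so a syntax error does not take the on-premises resolver down.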

Evaluate Hybrid DNS Resolution Using Route 53 Resolver Endpoints
  1. In the Route 53 browser tab, click Inbound Endpoints in the left-hand menu.
  2. Verify that Status says Operational.
  3. Click Outbound Endpoints in the left-hand menu.
  4. Verify that Status says Operational.
  5. Wait until both endpoints are Operational before continuing the lab.

Evaluate DNS Resolution from the On-Premises Bastion Host

  1. In the terminal window connected to the on-premises bastion host, run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: This is an On Premises intranet.

  2. Run the following command:

    curl inet.intranet.vpc

    You should receive a message stating: This is the VPC intranet.

Evaluate DNS Resolution from the VPC Bastion Host

  1. In the terminal window connected to the VPC bastion host, run the following command:

    curl inet.intranet.vpc

    You should receive a message stating: This is the VPC intranet.

  2. Run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: This is the On Premises intranet.

Additional Resources

You are a network engineer who has been tasked with configuring DNS resolution between an on-premises network and an AWS VPC. The recommended way to achieve this is with Route 53 Resolver inbound and outbound endpoints, which provide highly available, fault-tolerant DNS name resolution between VPCs and external networks without exposing either side's DNS servers to the Internet.

We will need to create and configure the Resolver endpoints in the AWS Management Console, as well as a rule to indicate where outbound DNS queries should be forwarded. We will also need to add a forwarder zone for our VPC network in the provided BIND DNS server.

There are two intranet endpoints, one in each network:

  • inet.intranet.onprem
  • inet.intranet.vpc

When the lab is launched, each endpoint can be reached with curl from the bastion host in its own network, while cross-network name resolution fails.

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.