Configuring Hybrid DNS with AWS

30 minutes
  • 6 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we will configure Route 53 inbound and outbound endpoints to enable DNS name resolution between two networks.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to the Bastion Hosts and BIND Server

Log in to the On-Premises Bastion Host

  1. Open a terminal window.

  2. Enter:

    ssh cloud_user@<ON-PREMISES_BASTION_PUBLIC_IP>

  3. When prompted, enter the password provided for the On-Premises Bastion on the lab page.

Log in to the VPC Bastion Host

  1. Open a second terminal window.

  2. Enter:

    ssh cloud_user@<VPC_BASTION_PUBLIC_IP>

  3. When prompted, enter the password provided for the VPC Bastion on the lab page.

Log in to the BIND Server

  1. Open a third terminal window.

  2. Enter:

    ssh cloud_user@<BIND_SERVER_PUBLIC_IP>

  3. When prompted, enter the password provided for the BIND server on the lab page.

Evaluate Hybrid DNS Resolution Before Route 53 Resolver Endpoints

Evaluate DNS Resolution from the On-Premises Bastion Host

  1. In the terminal window connected to the on-premises bastion host, run the command:

    curl inet.intranet.onprem

    You should receive a message stating: This is an On Premises intranet.

  2. Run the following:

    curl inet.intranet.vpc

    You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.vpc.

Evaluate DNS Resolution from the VPC Bastion Host

  1. In the terminal window connected to the VPC bastion host, run the command:

    curl inet.intranet.vpc

    You should receive a message stating This is the VPC intranet.

  2. Run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.onprem.

Create Route 53 Resolver Endpoints: Part 1 — Inbound Endpoint

  1. In the AWS Management Console, navigate to Route 53 Resolver.
  2. Click Configure Endpoints.
  3. Make sure you are in the N. Virginia (us-east-1) region.
  4. Leave Inbound and outbound selected.
  5. Click Next.

Create the Inbound Endpoint

  1. Enter "DNSLabInbound" as the endpoint name.
  2. Select the VPC ending with AWSVPC.
  3. In a new browser tab, navigate to VPC > Security Groups.
  4. Look for a security group named EndpointSecurityGroup, and note the last four digits of its group ID.
  5. In the Route 53 Resolver Endpoints browser tab, select the security group ending in the last four digits you just noted.

Configure IP Address 1

  1. In the VPC browser tab, click Subnets in the left-hand menu.
  2. Look for the subnet named AWSPubSubnet1, and note its Availability Zone.
  3. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for the subnet we just identified.
  4. Select the only available subnet for that Availability Zone.
  5. Ensure Use an IP address that is selected automatically is selected.

Configure IP Address 2

  1. In the VPC subnets browser tab, look for the subnet named AWSPubSubnet2, and note its Availability Zone.
  2. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for the subnet we just identified.
  3. Select the only available subnet for that Availability Zone.
  4. Ensure Use an IP address that is selected automatically is selected.
  5. Click Next.

Create Route 53 Resolver Endpoints: Part 2 — Outbound Endpoint

Create the Outbound Endpoint

  1. Enter "DNSLabOutbound" as the endpoint name.
  2. Select the VPC ending with AWSVPC.
  3. In another browser tab, navigate to VPC > Security Groups.
  4. Look for a security group with Use me for endpoints in the description, and note the last four digits of its group ID.
  5. In the Route 53 Resolver Endpoints browser tab, select the security group ending in the last four digits you just noted.

Configure IP Address 1

  1. In the VPC browser tab, click Subnets in the left-hand menu.
  2. Look for the subnet named AWSPubSubnet1, and note its Availability Zone.
  3. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for the subnet we just identified.
  4. Select the only available subnet for that Availability Zone.
  5. Ensure Use an IP address that is selected automatically is selected.

Configure IP Address 2

  1. In the VPC subnets browser tab, look for the subnet named AWSPubSubnet2, and note its Availability Zone.
  2. In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for the subnet we just identified.
  3. Select the only available subnet for that Availability Zone.
  4. Ensure Use an IP address that is selected automatically is selected.
  5. Click Next.

Create Rule for Outbound Traffic

  1. Enter "ToBind" as the name for the rule for outbound traffic.
  2. Ensure Forward is selected as the rule type.
  3. Enter intranet.onprem as the DNS name.
  4. Select the VPC ending with AWSVPC as the VPC that will use this rule.
  5. Enter the private IP address of the BIND server, as provided in your lab instructions, as the target IP address.
  6. Click Next and review the settings.
  7. Click Submit.

Configure the BIND Server

  1. Navigate to Route 53 > Inbound Endpoints.

  2. Click the hyperlink in the ID column for the DNSLabInbound endpoint.

  3. Copy the two IP addresses for the inbound endpoint, as we will use these later in the lab.

  4. Open the terminal you used to log in to the BIND server.

  5. Enter the command:

    sudo vim /etc/named/named.conf.local

    If prompted, enter the password.

  6. At the bottom of the file, enter the following zone directive. Be sure to replace <IP1> and <IP2> with the inbound endpoint IP addresses you copied in step 3. Also be sure that each IP address is followed by a semicolon (;), as named will reject the file on restart otherwise:

    zone "vpc" {
        type forward;
        forward only;
        forwarders  { <IP1>; <IP2>; };
    };

  7. Save and exit the file.

  8. Run the following command to restart the BIND server:

    sudo service named restart

    If prompted, enter the password provided for the BIND server.

Evaluate Hybrid DNS Resolution Using Route 53 Resolver Endpoints

  1. In the Route 53 browser tab, click Inbound Endpoints in the left-hand menu.
  2. Verify the status says Operational.
  3. Click Outbound Endpoints in the left-hand menu.
  4. Verify the status says Operational.
  5. Wait until both endpoints are Operational before continuing the lab.

Evaluate DNS Resolution from the On-Premises Bastion Host

  1. In the terminal window connected to the on-premises bastion host, run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: This is an On Premises intranet.

  2. Run the following command:

    curl inet.intranet.vpc

    You should receive a message stating: This is the VPC intranet.

Evaluate DNS Resolution from the VPC Bastion Host

  1. In the terminal window connected to the VPC bastion host, run the following command:

    curl inet.intranet.vpc

    You should receive a message stating: This is the VPC intranet.

  2. Run the following command:

    curl inet.intranet.onprem

    You should receive a message stating: This is the On Premises intranet.
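The following script is an added example, not part of the lab's own materials. It covers two earlier steps: rendering the zone "vpc" forward stanza for the BIND server from the two inbound endpoint IP addresses (refusing malformed addresses and emitting the trailing semicolon that named requires after each forwarder), and checking from whichever bastion it runs on that both intranet names resolve through the system resolver, the same path curl uses. The hostnames are the lab's; the script name and the sample addresses 10.0.1.5 and 10.0.2.7 used in the usage lines are assumptions.

```shell
#!/bin/sh
# hybrid_dns.sh (hypothetical helper, not part of the lab)
#   ./hybrid_dns.sh render vpc 10.0.1.5 10.0.2.7   -> print the BIND forward stanza
#   ./hybrid_dns.sh verify                          -> check both intranet names resolve
set -eu

# Succeed only for a plain dotted-quad IPv4 address with each octet 0-255.
is_ipv4() {
  case "$1" in *[!0-9.]* | .* | *. | *..* | "") return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print a forward-only zone for $1 whose forwarders are the remaining
# arguments (the inbound endpoint IPs). Every IP gets the trailing ';'
# that named requires; a malformed IP aborts instead of producing a
# config that named would reject on restart.
render_forward_zone() {
  zone=$1; shift
  [ $# -ge 1 ] || { echo "render_forward_zone: no forwarders given" >&2; return 1; }
  list=""
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "render_forward_zone: bad IPv4 '$ip'" >&2; return 1; }
    list="$list $ip;"
  done
  printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' "$zone" "$list"
}

# Resolve NAME the way curl does (system resolver). With SERVER given, query that
# server directly with dig, which separates endpoint reachability from a BIND mistake.
resolves() {
  name=$1; server=${2:-}
  if [ -n "$server" ]; then
    answer=$(dig +short +time=3 +tries=1 "@$server" "$name" A 2>/dev/null | head -n1)
  else
    answer=$(getent hosts "$name" 2>/dev/null | awk '{print $1; exit}')
  fi
  [ -n "$answer" ] && printf 'OK   %-22s -> %s\n' "$name" "$answer" && return 0
  printf 'FAIL %-22s could not resolve%s\n' "$name" "${server:+ via $server}" >&2
  return 1
}

case "${1:-}" in
  render) shift; render_forward_zone "$@" ;;
  verify) rc=0
          resolves inet.intranet.onprem || rc=1
          resolves inet.intranet.vpc || rc=1
          exit "$rc" ;;
esac
```

Before restarting named, `named-checkconf` on the edited file catches a missing semicolon without taking the resolver down; running `verify` on both bastions before and after the endpoints become Operational gives the same before/after picture as the curl steps above.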

Additional Resources

You are a network engineer who has been tasked with configuring DNS resolution between an on-premises network and an AWS VPC. The best-practice method for achieving this is Route 53 Resolver inbound and outbound endpoints, which provide highly available, fault-tolerant DNS name resolution between VPCs and external networks.

We will need to create and configure the Resolver endpoints in the AWS Management Console, as well as a rule to indicate where outbound DNS queries should be forwarded. We will also need to add a forwarder zone for our VPC network in the provided BIND DNS server.

There are two intranet endpoints, one in each network:

  • inet.intranet.onprem
  • inet.intranet.vpc

When the lab is launched, it should be possible to curl each endpoint from the bastion host in its own network, while cross-network name resolution will fail.

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.
