In this hands-on lab, we will configure Route 53 inbound and outbound endpoints to enable DNS name resolution between two networks.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Log In to the Bastion Hosts and BIND Server
Log In to the On-Premises Bastion Host
Open a terminal window.
Enter:
ssh cloud_user@<ON-PREMISES_BASTION_PUBLIC_IP>
When prompted, enter the password provided for the on-premises bastion on the lab page.
Log In to the VPC Bastion Host
Open a second terminal window.
Enter:
ssh cloud_user@<VPC_BASTION_PUBLIC_IP>
When prompted, enter the password provided for the VPC bastion on the lab page.
Log In to the BIND Server
Open a third terminal window.
Enter:
ssh cloud_user@<BIND_SERVER_PUBLIC_IP>
When prompted, enter the password provided for the BIND server on the lab page.
- Evaluate Hybrid DNS Resolution before Route 53 Resolver Endpoints
Evaluate DNS Resolution from the On-Premises Bastion Host
In the terminal window connected to the on-premises bastion host, run the command:
curl inet.intranet.onprem
You should receive a message stating: This is an On Premises intranet.
Run the following:
curl inet.intranet.vpc
You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.vpc.
Evaluate DNS Resolution from the VPC Bastion Host
In the terminal window connected to the VPC bastion host, run the command:
curl inet.intranet.vpc
You should receive a message stating: This is the VPC intranet.
Run the following command:
curl inet.intranet.onprem
You should receive a message stating: curl: (6) Could not resolve host: inet.intranet.onprem.
- Create Route 53 Resolver Endpoints: Part 1 — Inbound Endpoint
- In the AWS Management Console, navigate to Route 53 Resolver.
- Click Configure Endpoints.
- Leave Inbound and outbound selected and click Next.
Create the Inbound Endpoint
- In Endpoint name, enter "DNSLabInbound".
- Select the VPC ending with AWSVPC.
- In a new browser tab, navigate to VPC and select Security Groups.
- Locate EndpointSecurityGroup and note the last four digits of its group ID.
- In the Route 53 Resolver Endpoints browser tab, select the security group ending in the last four digits you just noted.
Configure IP Address 1
- In the VPC dashboard, click Subnets.
- Locate AWSPubSubnet1 and note its Availability Zone.
- In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet1.
- Select the subnet.
- Ensure Use an IP address that is selected automatically is selected.
Configure IP Address 2
- In the VPC subnets browser tab, locate AWSPubSubnet2 and note its Availability Zone.
- In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet2.
- In Subnet, select the available subnet.
- Ensure Use an IP address that is selected automatically is selected.
- Click Next.
- Create Route 53 Resolver Endpoints: Part 2 — Outbound Endpoint
Create the Outbound Endpoint
- In Endpoint name, enter "DNSLabOutbound".
- Select the VPC ending with AWSVPC.
- In another browser tab, navigate to VPC and select Security Groups.
- Select the same security group used for the inbound endpoint.
Configure IP Address 1
- In the VPC browser tab, click Subnets in the left-hand menu.
- Locate AWSPubSubnet1 and note its Availability Zone.
- In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet1.
- Select the available subnet.
- Ensure Use an IP address that is selected automatically is selected.
Configure IP Address 2
- In the VPC subnets browser tab, locate AWSPubSubnet2 and note its Availability Zone.
- In the Route 53 Resolver Endpoints browser tab, select the Availability Zone for AWSPubSubnet2.
- Select the available subnet.
- Ensure Use an IP address that is selected automatically is selected.
- Click Next.
Create a Rule for Outbound Traffic
- Enter "onprem" as the name for the rule for outbound traffic.
- Ensure Forward is selected as the rule type.
- Enter intranet.onprem as the DNS name.
- Select the VPC with the name ending in AWSVPC.
- Enter the private IP address of the BIND server provided in your lab instructions.
- Click Next and review the settings.
- Click Submit.
- Configure the BIND Server
Navigate to Route 53 and select Inbound Endpoints.
In the ID column, click the hyperlink for the DNSLabInbound endpoint.
Copy the two IP addresses of the inbound endpoint for later use.
Open the terminal you used to log in to the BIND server.
Enter the command:
sudo vim /etc/named/named.conf.local
If prompted, enter the password.
At the bottom of the file, enter the following zone directive, replacing <IP1> and <IP2> with the IP addresses previously copied:
zone "vpc" {
    type forward;
    forward only;
    forwarders { <IP1>; <IP2>; };
};
Save and exit the file.
Restart the BIND server:
sudo service named restart
If prompted, enter the password provided for the BIND server.
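The two forwarding hops this lab builds (the Route 53 "onprem" rule sending intranet.onprem to BIND, and the BIND "vpc" zone sending vpc names to the inbound endpoint) both select the rule whose domain is the longest suffix of the query name. The added example below, which is not part of the lab, models that selection and renders the BIND stanza from the inbound endpoint IPs, checking that both are private addresses; the rule tables and IP addresses in it are constructed.

```python
# Added example (not lab code): model the forwarding decisions configured
# in this lab and render the BIND forward zone for the on-premises side.
import ipaddress


def forward_zone_stanza(zone, forwarders):
    """Render the forward-only zone stanza added to named.conf.local.

    The forwarders are the private IPs of the Route 53 inbound endpoint,
    one per Availability Zone, so BIND keeps resolving if one AZ is lost.
    """
    ips = [ipaddress.ip_address(f) for f in forwarders]
    if any(not ip.is_private for ip in ips):
        raise ValueError("inbound endpoint IPs are VPC-private addresses")
    if len(set(ips)) != 2:
        raise ValueError("expected the two inbound endpoint IPs, one per AZ")
    fwd = " ".join(f"{ip};" for ip in ips)
    return f'zone "{zone}" {{ type forward; forward only; forwarders {{ {fwd} }}; }};'


def pick_forwarder(qname, rules):
    """Return the target of the most specific matching rule, or None.

    BIND forward zones and Route 53 Resolver rules both match the rule whose
    domain is the longest suffix of the query name. None means no forwarding
    rule applies and the resolver follows its default path, which is where the
    'Could not resolve host' errors seen before the endpoints exist come from.
    """
    labels = qname.rstrip(".").lower().split(".")
    for n in range(len(labels)):
        suffix = ".".join(labels[n:])
        if suffix in rules:
            return rules[suffix]
    return None


# Constructed rule tables; values name the next hop for a matching query.
ONPREM_BEFORE = {"intranet.onprem": "BIND authoritative zone"}
ONPREM_AFTER = dict(ONPREM_BEFORE, vpc="Route 53 inbound endpoint")
VPC_AFTER = {"intranet.onprem": "outbound endpoint -> BIND (rule 'onprem')"}

if __name__ == "__main__":
    # Constructed inbound endpoint IPs standing in for <IP1> and <IP2>.
    print(forward_zone_stanza("vpc", ["10.0.1.10", "10.0.2.10"]))
    for name in ("inet.intranet.onprem", "inet.intranet.vpc"):
        print(name, "->", pick_forwarder(name, ONPREM_AFTER))
```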
- Evaluate Hybrid DNS Resolution Using Route 53 Resolver Endpoints
- In the Route 53 browser tab, click Inbound Endpoints in the left-hand menu.
- Verify that Status says Operational.
- Click Outbound Endpoints in the left-hand menu.
- Verify that Status says Operational.
- Wait until both endpoints are Operational before continuing the lab.
Evaluate DNS Resolution from the On-Premises Bastion Host
In the terminal window connected to the on-premises bastion host, run the following command:
curl inet.intranet.onprem
You should receive a message stating: This is an On Premises intranet.
Run the following command:
curl inet.intranet.vpc
You should receive a message stating: This is the VPC intranet.
Evaluate DNS Resolution from the VPC Bastion Host
In the terminal window connected to the VPC bastion host, run the following command:
curl inet.intranet.vpc
You should receive a message stating: This is the VPC intranet.
Run the following command:
curl inet.intranet.onprem
You should receive a message stating: This is the On Premises intranet.