Task Statement 1.2: Design DNS solutions that meet public, private, and hybrid requirements.
📘AWS Certified Advanced Networking – Specialty
1. What is Route 53 Resolver?
Route 53 Resolver is AWS’s DNS service for resolving domain names inside your VPC (Virtual Private Cloud) and between AWS and your on-premises network. Think of it as a bridge that handles DNS queries both inside AWS and to/from external networks.
It supports:
- Inbound queries – On-premises systems query DNS in AWS.
- Outbound queries – AWS systems query DNS in your on-premises network or other external DNS servers.
This is especially useful in hybrid architectures, where part of your infrastructure is in AWS and part is on-premises.
2. Types of Route 53 Resolver Endpoints
Resolver endpoints are what allow this communication. There are two types:
A. Inbound Resolver Endpoints
- Allow DNS queries from on-premises networks to AWS.
- Example: Your on-premises server wants to resolve a private AWS domain, like app.internal.aws.com.
- You create an inbound endpoint in a VPC, assign it Elastic IPs, and your on-premises DNS servers point to these IPs.
- Key points for exam:
  - Each endpoint requires 1+ IP addresses in your VPC subnets.
  - Multiple IPs = high availability (HA).
  - Supports hybrid DNS scenarios.
B. Outbound Resolver Endpoints
- Allow DNS queries from AWS to on-premises networks or custom DNS servers.
- Example: An EC2 instance in your VPC wants to resolve internal.corp.com on your corporate DNS.
- You create an outbound endpoint, associate it with your VPC subnets, and configure forwarding rules to your on-prem DNS.
- Key points for exam:
  - Endpoints must have IP addresses in private subnets.
  - Used with Route 53 Resolver rules (forwarding rules).
3. Resolver Rules
Resolver rules determine how DNS queries are forwarded. There are three main types:
- Forwarding Rule
  - Forward queries for a specific domain (e.g., corp.internal) to a custom DNS server.
  - Required for outbound endpoints.
- System Rule
  - Default rules for AWS domains, like *.aws.com.
  - These are managed automatically by AWS.
- Conditional Forwarding
  - Forward queries based on the domain name.
  - Example: Send all internal.corp.com queries to your on-prem DNS; everything else goes to the default resolver.
Exam Tip: Rules link endpoints to DNS targets and determine query direction.
4. How it Works in Hybrid Architecture
Here’s a step-by-step flow in a hybrid scenario:
Scenario: On-premises queries AWS VPC private domains
- On-prem DNS sends query to inbound endpoint in AWS.
- Resolver endpoint receives query and resolves it using VPC private hosted zones.
- Response is sent back to the on-prem DNS.
Scenario: AWS queries on-premises private domains
- EC2 instance queries corp.internal.
- AWS outbound resolver endpoint receives the query.
- Forwarding rule sends query to on-prem DNS server.
- On-prem DNS resolves it and sends the response back to AWS.
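The rule-selection step in the flows above (sections 3 and 4) is where hybrid DNS designs most often go wrong: a rule only applies to VPCs it is associated with, and when several rules cover the same name Resolver picks the one with the most specific domain. The following added example (not part of the original notes or of any AWS library; rule and endpoint identifiers are made-up placeholders) models that selection for a forwarding rule, a more specific system rule that keeps an AWS-hosted subdomain from being forwarded, and a rule associated with a different VPC.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed rule set for this example, not data from a real AWS account.
# Endpoint and rule identifiers below are made-up placeholders.

@dataclass(frozen=True)
class ResolverRule:
    rule_id: str
    rule_type: str                            # "FORWARD" or "SYSTEM"
    domain: str                               # domain suffix the rule covers, e.g. "corp.internal"
    vpc_ids: frozenset                        # VPCs the rule is associated with
    outbound_endpoint: Optional[str] = None   # FORWARD rules send queries via this endpoint
    target_ips: Tuple[str, ...] = ()          # on-prem / custom DNS servers for FORWARD rules

RULES = (
    # Forward everything under corp.internal to two on-prem DNS servers.
    ResolverRule("rslvr-rr-corp", "FORWARD", "corp.internal", frozenset({"vpc-1"}),
                 "rslvr-out-example", ("10.10.0.53", "10.10.1.53")),
    # More specific SYSTEM rule: app.corp.internal lives in a private hosted zone in AWS,
    # so it must not be forwarded even though it sits under corp.internal.
    ResolverRule("rslvr-rr-app", "SYSTEM", "app.corp.internal", frozenset({"vpc-1"})),
    # A forwarding rule that is only associated with vpc-2.
    ResolverRule("rslvr-rr-partner", "FORWARD", "partner.example", frozenset({"vpc-2"}),
                 "rslvr-out-example", ("10.20.0.53",)),
)

def _covers(domain: str, qname: str) -> bool:
    """True when qname equals the rule domain or is a subdomain of it (case-insensitive)."""
    d = domain.lower().rstrip(".")
    q = qname.lower().rstrip(".")
    return q == d or q.endswith("." + d)

def select_rule(rules, qname: str, vpc_id: str) -> Optional[ResolverRule]:
    """Only rules associated with the querying VPC apply; among those that cover the
    name, the most specific domain (most labels) wins. This is how Resolver breaks
    ties between overlapping rules."""
    candidates = [r for r in rules if vpc_id in r.vpc_ids and _covers(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.domain.rstrip(".").split(".")))

def resolve_path(rules, qname: str, vpc_id: str):
    """Return (action, endpoint_id, target_ips): 'forward' via an outbound endpoint,
    'system' when the VPC resolver answers from AWS data (e.g. a private hosted zone),
    or 'default' when no associated rule covers the name."""
    rule = select_rule(rules, qname, vpc_id)
    if rule is None:
        return ("default", None, ())
    if rule.rule_type == "FORWARD":
        return ("forward", rule.outbound_endpoint, rule.target_ips)
    return ("system", None, ())

if __name__ == "__main__":
    for q, vpc in [("db.corp.internal", "vpc-1"), ("web.app.corp.internal", "vpc-1"),
                   ("db.corp.internal", "vpc-2"), ("api.partner.example", "vpc-1")]:
        print(q, vpc, "->", resolve_path(RULES, q, vpc))
```

The suffix check deliberately requires a label boundary (`"." + d`), so `xcorp.internal` does not match a rule for `corp.internal`, and a query for `corp.internal.example` is not forwarded either; both are the kind of lookalike names that a loose `endswith` would misroute to the on-prem servers.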
5. Key Components to Remember for Exam
| Component | Purpose | Exam Tip |
|---|---|---|
| Inbound Resolver Endpoint | Accept DNS queries from on-prem | Used with private hosted zones |
| Outbound Resolver Endpoint | Send DNS queries to on-prem or custom DNS | Requires forwarding rules |
| Resolver Rule | Determines where queries go | Forwarding / system / conditional |
| VPC IPs | IP addresses assigned to endpoints | At least 1 per subnet for HA |
| Private Hosted Zones | Store DNS records for your VPC | Resolver endpoints enable hybrid access |
6. Best Practices
- Use multiple IPs in different AZs for high availability.
- For hybrid DNS, pair inbound endpoints (on-prem → AWS) with outbound endpoints plus forwarding rules (AWS → on-prem).
- Keep endpoints in private subnets (no public access).
- Use conditional forwarding rules to avoid unnecessary DNS traffic.
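These practices are easy to state and easy to miss in a real configuration review. The added example below (mine, not from the original notes; the dictionary layout is a simplification and not the shape of AWS API responses, and all IDs and addresses are constructed) audits an endpoint against them: redundancy across IPs and AZs, private-subnet placement, and, for outbound endpoints, that forwarding rules exist and are conditional rather than a catch-all that ships every query off-VPC.

```python
# Constructed configuration snapshots for this example; the dictionary layout is an
# assumption for illustration, not the shape of AWS API responses.
SUBNETS = {
    "subnet-a":   {"az": "us-east-1a", "public": False},
    "subnet-b":   {"az": "us-east-1b", "public": False},
    "subnet-pub": {"az": "us-east-1a", "public": True},
}

# Weak outbound endpoint: one IP, in a public subnet, with a catch-all forwarding rule.
WEAK_ENDPOINT = {"id": "rslvr-out-weak", "direction": "OUTBOUND",
                 "ip_addresses": [{"subnet_id": "subnet-pub", "ip": "10.0.9.10"}]}
WEAK_RULES = [{"id": "rslvr-rr-all", "domain": ".", "outbound_endpoint": "rslvr-out-weak",
               "target_ips": ["192.168.10.53"]}]

# Corrected: two IPs in private subnets in different AZs, forwarding only corp.internal.
GOOD_ENDPOINT = {"id": "rslvr-out-good", "direction": "OUTBOUND",
                 "ip_addresses": [{"subnet_id": "subnet-a", "ip": "10.0.1.10"},
                                  {"subnet_id": "subnet-b", "ip": "10.0.2.10"}]}
GOOD_RULES = [{"id": "rslvr-rr-corp", "domain": "corp.internal",
               "outbound_endpoint": "rslvr-out-good",
               "target_ips": ["192.168.10.53", "192.168.11.53"]}]

def audit_endpoint(endpoint, rules, subnets=SUBNETS):
    """Return a list of findings; an empty list means the endpoint follows the practices."""
    findings = []
    ips = endpoint["ip_addresses"]
    if len(ips) < 2:
        findings.append("fewer than 2 IP addresses: no redundancy if one fails")
    azs = {subnets[i["subnet_id"]]["az"] for i in ips}
    if len(azs) < 2:
        findings.append("all IP addresses in one AZ: an AZ outage takes hybrid DNS down")
    if any(subnets[i["subnet_id"]]["public"] for i in ips):
        findings.append("IP address in a public subnet: endpoints belong in private subnets")
    if endpoint["direction"] == "OUTBOUND":
        attached = [r for r in rules if r.get("outbound_endpoint") == endpoint["id"]]
        if not attached:
            findings.append("outbound endpoint has no forwarding rules: no query will use it")
        for r in attached:
            if r["domain"].strip(".") == "":
                findings.append(f"rule {r['id']} forwards every domain: "
                                "use conditional forwarding for specific domains only")
    return findings

if __name__ == "__main__":
    for name, ep, rules in [("weak", WEAK_ENDPOINT, WEAK_RULES), ("good", GOOD_ENDPOINT, GOOD_RULES)]:
        print(name, audit_endpoint(ep, rules) or ["no findings"])
```

The same function works for inbound endpoints: the rule checks are skipped and only the IP, AZ and subnet checks apply.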
7. Summary for the Exam
- Route 53 Resolver = DNS bridge for hybrid AWS/on-premises setups.
- Inbound endpoints = on-prem → AWS VPC DNS.
- Outbound endpoints = AWS → on-prem or custom DNS.
- Rules = Forwarding logic.
- Private hosted zones store private DNS records in VPC.
- Focus on IP addresses, subnets, and rules configuration for exam questions.
