DNS delegation and forwarding (for example, conditional forwarding)

Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.

📘AWS Certified Advanced Networking – Specialty


1. What is DNS Delegation?

✅ Definition

DNS delegation means:

Giving responsibility for a subdomain to another DNS server or hosted zone.

Instead of one DNS server managing everything, you split control.


✅ How Delegation Works

  • A parent domain (example.com) contains a subdomain (app.example.com)
  • The parent DNS does NOT answer for the subdomain
  • Instead, it says: “Ask another DNS server for this subdomain”

This is done using:

  • NS (Name Server) records

✅ Example (IT Environment)

  • Main domain hosted in one AWS account:
    • example.com → Hosted Zone A
  • Subdomain hosted in another AWS account:
    • dev.example.com → Hosted Zone B

Flow:

  1. User queries: api.dev.example.com
  2. DNS checks example.com
  3. Finds NS record for dev.example.com
  4. Redirects query to Hosted Zone B
  5. Hosted Zone B gives final answer

✅ AWS Implementation (Route 53)

To configure delegation:

Step 1: Create a Hosted Zone for Subdomain

  • Example: dev.example.com

Step 2: Get NS Records

  • Route 53 provides 4 name servers

Step 3: Add NS Records in Parent Hosted Zone

  • Add an NS record for dev.example.com
  • Point it to the subdomain's four name servers, copied exactly from the subdomain's hosted zone
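The delegation flow above, as an added example that is not part of the original notes: a small model of a resolver following the NS records in the parent hosted zone (example.com, Hosted Zone A) into the child hosted zone (dev.example.com, Hosted Zone B), plus a check for the "forgot the NS records" trap. All zone contents, name-server names and IPs are constructed.

```python
# Added example (not from the original notes): a small model of a resolver
# following an NS delegation from the parent hosted zone (example.com,
# Hosted Zone A) into the child hosted zone (dev.example.com, Hosted Zone B).
# All zone contents, name-server names and IPs below are constructed.

HOSTED_ZONE_B = {  # child zone, lives in the other AWS account
    "dev.example.com.": {"NS": ["ns-2.child.example.", "ns-3.child.example."]},
    "api.dev.example.com.": {"A": ["10.0.1.25"]},
}
HOSTED_ZONE_A = {  # parent zone: holds the delegation, not the child's hosts
    "example.com.": {"NS": ["ns-1.parent.example."]},
    "www.example.com.": {"A": ["203.0.113.10"]},
    "dev.example.com.": {"NS": ["ns-2.child.example.", "ns-3.child.example."]},
}
# Which hosted zone each name server is authoritative for (constructed).
NAME_SERVERS = {
    "ns-1.parent.example.": ("example.com.", HOSTED_ZONE_A),
    "ns-2.child.example.": ("dev.example.com.", HOSTED_ZONE_B),
    "ns-3.child.example.": ("dev.example.com.", HOSTED_ZONE_B),
}

def ancestors(qname):
    """Yield qname and each parent name, most specific first."""
    parts = qname.rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:]) + "."

def resolve(qname, rtype, zone_name, zone, trace):
    """Answer qname from `zone`, or follow an NS delegation below the apex.
    Returns the record list, or None when no record exists (NXDOMAIN)."""
    trace.append(f"ask {zone_name} for {qname} {rtype}")
    for name in ancestors(qname):
        if name == zone_name:
            break  # reached the apex: no delegation in between
        if "NS" in zone.get(name, {}):
            ns = zone[name]["NS"][0]  # any of the delegated servers will do
            trace.append(f"referral: {name} NS {ns}")
            child_name, child_zone = NAME_SERVERS[ns]
            return resolve(qname, rtype, child_name, child_zone, trace)
    records = zone.get(qname, {}).get(rtype)
    if records:
        trace.append(f"answer from {zone_name}: {records}")
    return records

def delegation_consistent(parent, child_apex, child):
    """Exam-trap check: the NS set in the parent must equal the child's apex NS set."""
    return set(parent.get(child_apex, {}).get("NS", [])) == set(child[child_apex]["NS"])
```

Call `resolve("api.dev.example.com.", "A", "example.com.", HOSTED_ZONE_A, trace)` and print `trace` to see the referral from Hosted Zone A to Hosted Zone B before the final answer.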

✅ Why Delegation is Important

  • Separate environments (dev, prod)
  • Multi-account architectures
  • Team-based ownership
  • Security isolation

✅ Exam Tips (Delegation)

  • Uses NS records
  • Common in:
    • Multi-account AWS setups
    • Large organizations
  • Enables:
    • Distributed DNS management
  • Works across:
    • AWS accounts
    • On-premises DNS

2. What is DNS Forwarding?

✅ Definition

DNS forwarding means:

Sending DNS queries to another DNS server instead of resolving them locally.


✅ Types of Forwarding

1. Standard Forwarding

  • All queries go to another DNS server

2. Conditional Forwarding (IMPORTANT for exam)

  • Only specific domain queries are forwarded

3. Conditional Forwarding (Most Important)

✅ Definition

Conditional forwarding means:

Forward DNS queries for a specific domain to a specific DNS server.


✅ Example (IT Environment)

  • AWS VPC needs to resolve:
    • internal.corp.local (on-premises domain)

Flow:

  1. EC2 queries: db.internal.corp.local
  2. Route 53 Resolver sees rule:
    • “Forward corp.local queries to on-prem DNS”
  3. Query is sent to on-prem DNS server
  4. On-prem DNS responds

✅ AWS Implementation (Route 53 Resolver)

Components:

1. Resolver Endpoints

  • Inbound Endpoint
    • Lets DNS servers outside the VPC (for example, on-premises) send queries to Route 53 Resolver
  • Outbound Endpoint
    • Lets Route 53 Resolver forward queries to DNS servers outside the VPC (for example, on-premises)

2. Resolver Rules

  • Define forwarding behavior

Types:

  • Forward Rule
    • For conditional forwarding
  • System Rule
    • Default AWS DNS behavior

✅ Steps to Configure Conditional Forwarding

Step 1: Create Outbound Endpoint

  • In a VPC
  • Attach a security group that allows DNS traffic (UDP and TCP port 53) to the on-prem DNS servers

Step 2: Create Resolver Rule

  • Domain: corp.local
  • Target IP: On-prem DNS server IP

Step 3: Associate Rule with VPC
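The rule selection behind these three steps, as an added example that is not part of the original notes: a small model of how Route 53 Resolver picks the most specific resolver rule associated with the querying VPC and then forwards (via the outbound endpoint) or answers locally. Rule domains, VPC IDs and on-prem DNS IPs are constructed.

```python
# Added example (not from the original notes): a small model of how Route 53
# Resolver chooses a resolver rule for a query from a VPC and then either
# forwards it (outbound endpoint -> on-prem DNS) or answers it itself.
# Rule selection is by most specific domain name, as the AWS docs describe.
# Rule domains, VPC IDs and on-prem DNS IPs below are constructed.
from dataclasses import dataclass, field

@dataclass
class ResolverRule:
    domain: str                 # "corp.local", or "." for the default rule
    rule_type: str              # "FORWARD", "SYSTEM" or "RECURSIVE"
    target_ips: list = field(default_factory=list)   # FORWARD targets only
    vpcs: set = field(default_factory=set)           # associated VPC IDs

def _labels(name):
    """Split a domain into labels; the root "." has none."""
    name = name.strip(".").lower()
    return name.split(".") if name else []

def rule_matches(rule, qname):
    """True when qname equals the rule's domain or sits underneath it."""
    q, d = _labels(qname), _labels(rule.domain)
    return q[len(q) - len(d):] == d if d else True

def select_rule(rules, vpc_id, qname):
    """Most specific matching rule that is associated with this VPC, else None."""
    candidates = [r for r in rules if vpc_id in r.vpcs and rule_matches(r, qname)]
    return max(candidates, key=lambda r: len(_labels(r.domain)), default=None)

def route_query(rules, vpc_id, qname):
    """Return (rule_type, target_ips) describing where the query is sent."""
    rule = select_rule(rules, vpc_id, qname)
    if rule is None:
        raise LookupError(f"no rule associated with {vpc_id} matches {qname}")
    return rule.rule_type, list(rule.target_ips)

# Constructed rule set: the default Internet Resolver rule is associated with
# every VPC; the forward rule for corp.local only with vpc-a (exam trap: a
# rule not associated with a VPC does nothing for that VPC); the SYSTEM rule
# carves aws.corp.local back out so Resolver answers it locally.
RULES = [
    ResolverRule(".", "RECURSIVE", vpcs={"vpc-a", "vpc-b"}),
    ResolverRule("corp.local", "FORWARD", ["10.10.0.53", "10.10.1.53"], {"vpc-a"}),
    ResolverRule("aws.corp.local", "SYSTEM", vpcs={"vpc-a"}),
]
```

`route_query(RULES, "vpc-b", "db.internal.corp.local")` falls through to the default rule because the forward rule was never associated with vpc-b, which is exactly the "not associating resolver rules with VPC" trap.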


✅ Why Conditional Forwarding is Important

  • Hybrid DNS (AWS + On-premises)
  • Private domain resolution
  • Centralized DNS control
  • Avoids public DNS exposure

4. Delegation vs Forwarding (IMPORTANT)

Feature         | Delegation                  | Forwarding
Purpose         | Transfer authority          | Send query elsewhere
Uses            | NS records                  | Resolver rules
Control         | Subdomain managed elsewhere | Resolution handled elsewhere
Response Source | Delegated DNS server        | Forwarded DNS server
AWS Use Case    | Multi-account subdomains    | Hybrid DNS

5. When to Use Delegation vs Forwarding

✅ Use Delegation When:

  • You want:
    • Another team/account to manage subdomain
  • Example:
    • dev.example.com in another AWS account

✅ Use Conditional Forwarding When:

  • You need:
    • To resolve external or private domains
  • Example:
    • AWS resolving on-prem DNS

6. Hybrid DNS Architecture (Very Important)

Most exam questions combine both concepts.


✅ Common Architecture

AWS ↔ On-Premises DNS Integration

  • Use:
    • Conditional forwarding → AWS → On-prem
    • Inbound endpoint → On-prem → AWS

Flow:

AWS to On-Prem:

  1. Query for corp.local
  2. Forward via outbound endpoint
  3. On-prem DNS resolves

On-Prem to AWS:

  1. Query for aws.internal
  2. Forward to inbound endpoint
  3. Route 53 resolves

7. Multi-Account DNS Architecture

✅ Delegation Across Accounts

  • Root domain in shared services account
  • Subdomains in different accounts

Example:

  • example.com → Shared account
  • app.example.com → App account
  • dev.example.com → Dev account

8. Common Exam Scenarios

Scenario 1:

Multiple AWS accounts need separate DNS control

✔ Use:

  • Delegation

Scenario 2:

AWS needs to resolve on-prem domain

✔ Use:

  • Conditional forwarding + outbound endpoint

Scenario 3:

On-prem needs to resolve AWS private hosted zone

✔ Use:

  • Inbound endpoint

Scenario 4:

Central DNS account managing all domains

✔ Use:

  • Delegation + shared services model

9. Key AWS Services to Remember

  • Amazon Route 53
    • Hosted Zones
    • NS records
  • Route 53 Resolver
    • Inbound endpoints
    • Outbound endpoints
    • Resolver rules

10. Common Mistakes (Exam Traps)

❌ Confusing delegation with forwarding
❌ Forgetting NS records for delegation
❌ Missing outbound endpoint for forwarding
❌ Not associating resolver rules with VPC
❌ Security groups blocking DNS traffic


11. Quick Summary (Exam Revision)

  • Delegation
    • Uses NS records
    • Transfers authority of subdomain
    • Used in multi-account setups
  • Conditional Forwarding
    • Uses resolver rules
    • Sends queries to specific DNS servers
    • Used in hybrid environments
  • Route 53 Resolver
    • Enables forwarding
    • Uses inbound/outbound endpoints