This post covers some core concepts of Route 53 Resolvers and how they can help establish inbound and outbound name resoltion with your on-premise and AWS resources.
Introduction
Route 53 resolvers are a feature of Route 53 that allows you to route DNS queries between your VPC and your on-premises network.
This feature lets you resolve domain names hosted within your VPCs and across your hybrid cloud environment.
NOTE: Route 53 Resolvers are associated with a region as they are hosted in a VPC, unlike most of the Route 53 service, which is global.
Resolver Types
There are two main types of Route 53 resolvers: inbound and outbound. Both work by forwarding DNS queries to the appropriate DNS servers.
When your device sends a DNS query for a domain name, the resolver will check its cache to see if it already has the IP address for that domain name. If it doesn't, the resolver will forward the query to the appropriate DNS servers to get the IP address.
Once the resolver has the IP address, it will return it to your device, which can then use it to connect to the resource associated with that domain name.
Inbound
Inbound resolvers enable the resolution of private hosted zones associated with a VPC.
When you create a VPC, you can configure it to use a private hosted zone in Route 53, enabling the resolution of names to IP addresses specific to your VPC.
You can then set up inbound resolvers within your VPC to help your resources find other resources by resolving their domain names to IP addresses.
Inbound resolvers are also helpful for resolving domain names to IP addresses for resources outside your VPC, such as on-premise.
Outbound
Outbound resolvers enable the resolution of domain names outside of your VPC.
When you set up an outbound resolver, you can specify the IP addresses of the DNS servers you want to use for resolution. This can be useful if you want to use a specific DNS service for resolving domain names, such as a third-party or internal DNS provider.
They can help you connect to resources on the internet, such as public domain names and other AWS services that are outside of your VPC.
NOTE: The above shows an on-premise DNS server; however, this could be an external DNS server on the public internet.
Rules
A resolver rule is a set of criteria the Route 53 resolver uses to determine how to route DNS queries, and they are only applicable to the outbound resolver.
Expanding on the example above to resolve onpremise.net for instances inside the VPC, we would configure a forwarding rule for onpremise.net and point it to the internal DNS server.
Resource Access Manager (RAM)
RAM allows you to share your resolver rules and endpoints with other accounts in your organization. This method will enable you to define your rules once but use them across many VPCs.
This can be particularly useful when you have a central team responsible for managing DNS and want to ensure consistent DNS resolution across your organization.
NOTE: The traffic between the resolvers in each VPC and the outbound resolver goes over the AWS Global Network. There is no requirement for the VPC CIDR ranges to be able to route to the outbound resolver endpoints.
Best Practices
Here are a few things to consider for your architecture.
Use Resolver Rules Wisely
Create forwarding rules to route DNS queries for specific domains or subdomains to specific DNS resolvers. This allows you to control traffic flow and improve the efficiency of DNS resolution. Be sure to prioritize the most critical domains and establish a hierarchy of rules to minimize latency.
Endpoint Placement
Place Resolver Endpoints Strategically to manage DNS query traffic between your VPCs and on-premises networks. Place these endpoints in subnets with low latency and high network throughput to ensure fast and reliable query resolution. As shown above RAM can also assist with sharing those endpoints.
Restrict if required
Resolvers need protection just like any other endpoint in your network. Configure the necessary Security Groups and Network Access Control Lists (ACLs) to protect your resolver endpoints. Limit access to only necessary IP ranges and ports, ensuring that only authorized users and applications can interact with your DNS infrastructure.
Logging
Enable DNS Query Logging Enable logging of DNS queries to track and analyze traffic patterns, identify potential security threats, and debug any issues related to DNS resolution. Route 53 Resolver can send query logs to Amazon CloudWatch Logs, enabling you to create custom metrics and alarms for monitoring.
Monitoring
Monitor key performance metrics, such as query latency, query volume, and resolver endpoint health, to identify potential bottlenecks and capacity constraints. As your application and infrastructure grow, scale your Route 53 Resolver setup by adding additional resolver endpoints, rules, and VPC peering connections as needed.
Summary
Every hybrid network AWS setup is going to need some sort of name resolution and I hope you now have a good understanding of the capabilities of Route 53 Resolver.
Hope this helps someone else.
Cheers
Top comments (1)
Very helpful post