DEV Community

Arseny Zinchenko
Arseny Zinchenko

Posted on • Originally published at on

AWS: VPC peering DNS resolution and DNS settings for OpenVPN Access Server

We have a VPC with OpenVPN Access Server running. This VPC is connected with other VPCs in our AWS account.

The issue is that currently when a user is connected to VPN for the DNS resolution into EC2 instances private IPs we are using dnsmasq service on the VPN-host which has a /etc/dnsmasq.hosts file where are manually added private IPs for necessary domains.

You can read more about the current setup in the OpenVPN: настройки DNS и dnsmasq post (Rus).

More correct way is to use AWS VPC’s DNS Resolve option. You can read more about DNS in AWS VPC in the DNS: установка BIND, DNS Load Balancing и network-based routing через view post (Rus).

VPC DNS Resolution documentation – Enabling DNS Resolution Support for a VPC Peering Connection.

The post below describes configuring DNS resolution between VPC with OpenVPN and VPC with ЕС2 where we have our Bitwarden passwords manager running (see Bitwarden: an organization’s password manager self-hosted version installation on an AWS EC2). This ЕС2 has Elastic IP attached, and there is domain name which is pointed to this EIP via AN A record.

DNS Hostnames

Docs – DNS Support in Your VPC.

If a VPC has no DNS Hostnames enabled – first need to turn it on.

Then VPC will assign public domain names to public IPs for instances in this VPC which can be used then to resolve them to private IPs.

I.e. when resolving a domain from the world – it will be resolved to its public IP but if call it from a VPC – it will be resolved to a private IP of an instance in this VPC.

Go to the VPC, find your VPC, select Edit DNS Hostnames:

Enable the DNS Hostnames:

DNS Resolution via VPC Peering

Next – turn on DNS resolution via between VPCs via their peering.

Go to the VPC > Peering Connections, chose your peering, select Edit DNS Settings:

Enable both options here:

Now let’s check.

First from the office, to check DNS resolution from the world:

[setevoy@setevoy-arch-work ~] $ dig ec2-63-***-*** +short

And now – from the host where is OpenVPN is running, to check how the resolution will work from via VPC peering:

openvpnas@openvpnas2:~$ dig ec2-63-***-*** +short – is the private IP of the Bitwarden instance, all good.


Next, need to update Route53 record for the domain, as it has IN A with Public IP of the Bitwarden’s EC2. Change it to CNAME and set the Public DNS name of this instance:

Wait a couple of minutes to propagate DNS, and check from the office again:

[setevoy@setevoy-arch-work ~] $ dig +short

And from the OpenVPN instance:

openvpnas@openvpnas2:~$ dig +short

Again got – all works.

DNS in the OpenVPN

Go to the VPN Settings and set a private IP of a DNS in this VPC.

DNS in a VPC always as address like .2.

In this current case, we have VPC for OpenVPN with the CIDR, therefore DNS will be on the

You can check if DNS is available from any host in this VPC:

openvpnas@openvpnas2:~$ dig @ +short

Now go to the OpenVPN admin page and set DNS:

Connect to the VPN from the office:

[setevoy@setevoy-arch-work ~] $ sudo openvpn --config vpnroot-client.ovpn
Thu May 16 12:05:31 2019 /etc/openvpn/update-resolv-conf tun0 1500 1553 init
dhcp-option DNS

And check the domain:

[setevoy@setevoy-arch-work ~] $ dig +short
ec2-63-***-*** again – all works.


Similar posts

Top comments (0)