
Wakeup Flower

Amazon Route 53 private hosted zones work with VPC DNS settings

🔒 Route 53 Private Hosted Zones (PHZ)

A private hosted zone is DNS that only works inside your VPC(s), not on the public internet.

Think of it as an internal DNS directory for resources in your AWS environment.

  • Records in a PHZ can only be resolved from within the associated VPCs.
  • Queries from the internet won’t see or resolve them.
  • Typically used for internal applications, microservices, or hybrid setups (on-prem + AWS).

Example

Let’s say you have a private database in your VPC with IP 10.0.1.15.

You create a private hosted zone:

  • Zone name: internal.mycompany.com
  • Record: db.internal.mycompany.com → 10.0.1.15

Which one to use:

  • Public hosted zone (the Route 53 default): global public DNS.
  • Private hosted zone: private DNS inside your VPCs, isolated from the internet, for internal-only services (databases, microservices, intranet apps, VPC-to-VPC communication).

🌐 Private hosted zones in Route 53

A private hosted zone is a DNS zone inside Route 53 that is only accessible from within one or more VPCs.
Example: you create a private zone corp.internal → only your VPC resources can resolve app.corp.internal.

For this to work, the VPC’s built-in DNS resolver must be active. That’s where these two settings come in.


⚙️ The two key VPC DNS options

  1. DNS hostnames
  • Controls whether instances in the VPC are assigned Amazon-provided DNS hostnames (like ip-10-0-0-12.ec2.internal).
  • By default:

    • Default VPCs → enabled
    • Custom VPCs → disabled
  • Why it matters:

    If DNS hostnames aren’t enabled, private hosted zones won’t resolve properly because the VPC doesn’t assign or recognize DNS hostnames for resources.

  2. DNS resolution
  • Controls whether the VPC can use the Amazon-provided DNS resolver.
  • This resolver runs at a special IP: VPC CIDR base + 2 (e.g., if your VPC is 10.0.0.0/16, the resolver is 10.0.0.2).
  • Why it matters: Private hosted zones only answer queries sent to this Amazon-provided resolver. If DNS resolution is disabled, the VPC won’t use that resolver, so queries to your private hosted zone will fail.

🔎 Important caveat

  • If you’re using a custom DNS server (e.g., running BIND or Active Directory DNS) via DHCP options, you may disable DNS resolution (so queries go to your custom server).
  • But if you want to use Route 53 private hosted zones, you must enable both DNS hostnames and DNS resolution.

In short:

  • DNS hostnames = give VPC instances proper DNS names so they can participate in private hosted zones.
  • DNS resolution = allow VPC to use the Amazon VPC DNS server (x.x.x.2), which is the only resolver that knows about private hosted zones.
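As an added example (not part of the original post), a small Python audit that applies the two checks above to sample VPC attribute data: it computes the Amazon resolver address (VPC CIDR base + 2), reports whether both settings are on, and emits the `aws ec2 modify-vpc-attribute` command for any that are off. The VPC IDs, CIDRs and attribute values are constructed; the response shape follows `aws ec2 describe-vpc-attribute`, whose attribute names are enableDnsSupport (DNS resolution) and enableDnsHostnames (DNS hostnames).

```python
import ipaddress

# Constructed sample data (not real AWS output), in the shape the CLI returns for
#   aws ec2 describe-vpc-attribute --vpc-id <id> --attribute enableDnsSupport
#   aws ec2 describe-vpc-attribute --vpc-id <id> --attribute enableDnsHostnames
# vpc-0custom1 imitates a custom VPC left at its defaults; vpc-0default1 a default VPC.
SAMPLE_VPCS = {
    "vpc-0custom1": {
        "cidr": "10.0.0.0/16",
        "support": {"VpcId": "vpc-0custom1", "EnableDnsSupport": {"Value": True}},
        "hostnames": {"VpcId": "vpc-0custom1", "EnableDnsHostnames": {"Value": False}},
    },
    "vpc-0default1": {
        "cidr": "172.31.0.0/16",
        "support": {"VpcId": "vpc-0default1", "EnableDnsSupport": {"Value": True}},
        "hostnames": {"VpcId": "vpc-0default1", "EnableDnsHostnames": {"Value": True}},
    },
}


def resolver_address(vpc_cidr: str) -> str:
    """The Amazon-provided resolver listens at the VPC CIDR base address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def phz_readiness(vpc_id: str, vpc_cidr: str, support_resp: dict, hostnames_resp: dict) -> dict:
    """Report whether this VPC can resolve private hosted zone records and how to fix it if not."""
    support = support_resp["EnableDnsSupport"]["Value"]
    hostnames = hostnames_resp["EnableDnsHostnames"]["Value"]
    resolver = resolver_address(vpc_cidr)
    problems, fixes = [], []
    if not support:
        problems.append(f"enableDnsSupport=false: queries never reach the Amazon resolver at {resolver}")
        fixes.append(f"aws ec2 modify-vpc-attribute --vpc-id {vpc_id} --enable-dns-support '{{\"Value\":true}}'")
    if not hostnames:
        problems.append("enableDnsHostnames=false: PHZ records will not resolve (custom VPC default)")
        fixes.append(f"aws ec2 modify-vpc-attribute --vpc-id {vpc_id} --enable-dns-hostnames '{{\"Value\":true}}'")
    return {"vpc_id": vpc_id, "resolver": resolver, "ready": not problems,
            "problems": problems, "fixes": fixes}


def audit_all(vpcs: dict = SAMPLE_VPCS) -> dict:
    """Run the readiness check over every VPC in the sample set (one CLI call per attribute is modelled)."""
    return {vid: phz_readiness(vid, v["cidr"], v["support"], v["hostnames"]) for vid, v in vpcs.items()}


if __name__ == "__main__":
    for vid, report in audit_all().items():
        print(vid, "READY" if report["ready"] else "NOT READY", report["resolver"], *report["fixes"])
```

The check only covers the two VPC attributes; the private hosted zone must also be associated with the VPC for records to resolve.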
