AdvLab1: Setting up hybrid DNS

Author: Dean Suzuki, Vladimir Provorov (Last Updated: 4/1/20)

Abstract

Most customers have an on-premises DNS infrastructure. When you create resources in AWS, DNS services are provided by Amazon Route 53. In this lab, you will get hands-on experience with creating a hybrid DNS infrastructure that integrates your on-premises DNS infrastructure with Amazon Route 53 DNS.

Route 53 provides a number of DNS capabilities such as: public DNS domain registration, ability to create private DNS zones, hybrid DNS tools, and DNS name resolution. With DNS name resolution, Route 53 Resolver can perform recursive lookups against public name servers.

Within Route 53, the Route 53 Resolver service provides three tools to enable hybrid DNS architecture between your on-premises DNS infrastructure and AWS. These three tools are:

  • Outbound Endpoints: DNS queries that Route 53 Resolver forwards to your on-premises DNS infrastructure originate from outbound endpoints.

  • Route 53 Resolver Rules: With Route 53 Resolver Rules, you can configure Route 53 to forward DNS queries for your specific DNS domains to on-premises DNS servers.

  • Inbound Endpoints: Inbound endpoints serve as targets for DNS queries from your on-premises DNS infrastructure for DNS domains hosted in AWS.

Presentation

Here is a presentation that I deliver that discusses the different options of architecting DNS on AWS (here)

Step 1: Configuring Route 53 Outbound Endpoint

The first step is to create Route 53 Outbound Endpoints which enable Route 53 Resolver to forward DNS queries to DNS domains hosted outside of Route 53. When you create Route 53 Outbound Endpoints, AWS will create an elastic network interface (ENI) in the Availability Zones (AZ) that you specify (see below).

The above diagrams were taken from a great re:Invent 2019 presentation (see here) on hybrid DNS and Route 53 Resolver. The presentation goes into extensive detail on inbound endpoints, outbound endpoints, and resolver rules.

In this lab, you will get hands-on experience with these three Route 53 resolver tools. AWS Managed Microsoft Active Directory will be used to simulate your on-premises DNS infrastructure.

  1. Log in to the AWS Console and navigate to the Directory Service console. In the find a service search field, type Directory Services.
  2. Make sure you are in the “N. Virginia” region by checking on the top right corner in the AWS Console.
  3. Click on Directory ID for the directory that you deployed in the previous lab.
  4. Note the DNS addresses for your directory. Managed Active Directory runs a DNS service on each domain controller. You need to forward DNS queries for your Active Directory domain to these DNS servers.
  5. Open Route 53 console. In the find a service search field, type Route 53.
  6. Note that you may encounter an error (see below). In the lab environment, we have disabled your ability to register public DNS domains. You can ignore this error for the purposes of the lab.
  7. In the Resolver section, click Outbound endpoints and Create outbound endpoint.
  8. Enter the following information:

    a. Endpoint name: R53-OutboundEndpoint

    b. VPC in the Region: us-east-1 (N. Virginia): WinVPC-VPCStack-*

    c. For the security group for this endpoint, select the security group that was created for the Managed AD setup earlier: “d-###..##_controllers …”. Note that the ID of your Managed AD will be different from the one in my lab shown below.

  9. IP address #1:

    a. Availability Zone: us-east-1a

    b. Subnet: Private Subnet 1A

    c. Use an IP address that is selected automatically

  10. IP address #2:

    a. Availability Zone: us-east-1b

    b. Subnet: Private Subnet 2A

    c. Use an IP address that is selected automatically

  11. Submit. After 5 minutes, the Outbound endpoint will be configured in your VPC.

Step 2: Configuring Route 53 Resolver Rules

The next step is to create Route 53 Resolver Rules. Route 53 Resolver rules allow two actions: Forward or System. With the Forward action, you can configure Route 53 resolver to forward DNS queries for specific DNS domain(s) to external DNS resolvers (e.g. your on-premises DNS servers). With System, Route 53 will query its hierarchy for name resolution (Private DNS zones, VPC DNS, and Public DNS).

  1. In the Resolver section, click Rules and Create a new rule.
  2. Enter the following information:

    a. Name: ManagedAdDnsForwarder

    b. Rule type: Forward

    c. Domain name: corp.example.com

    d. VPCs that use this rule: Win-VPC-VPCStack

    e. Outbound endpoint: R53-OutboundEndpoint

    f. Target IP addresses: specify the two IP addresses of your Managed AD domain controllers that you noted in Step 4. Note that you will have to press Add target to add the second IP address.

    g. Press Submit.

In the previous steps, you configured Route 53 Resolver to forward queries for corp.example.com to another DNS resolver (e.g. AWS Managed Microsoft AD). The domain, corp.example.com, simulates a DNS domain hosted by your on-premises DNS infrastructure.

Step 3: Configuring Route 53 Inbound Endpoints

To enable your on-premises DNS infrastructure to query Route 53 Resolver for any DNS zones (e.g. Private Zones) hosted on Route 53, you need to create Route 53 Inbound endpoints. Inbound endpoints allow other services to query Route 53 for DNS resolution. When you create an Inbound Endpoint, AWS creates an elastic network interface (ENI) in each availability zone (AZ) that you specify; that ENI receives the inbound DNS queries.

In this lab, you will create the inbound endpoints.

  1. From the Route 53 console, select Inbound endpoints under Resolver.

  2. Select Create inbound endpoint.

    a. For Endpoint name: R53-InboundEndpoint

    b. For VPC in the Region: WinVPC-VPCStack

    c. For security group, choose the security group that we created to secure Managed AD (e.g. d-###….#_controllers). Note the ids for your environment will be different than mine.

  3. For IP address #1,

    a. For Availability Zone, select us-east-1a

    b. For subnet, select Private subnet 1A

    c. For IP address, Select Use an IP address that is selected automatically

  4. For IP address #2,

    a. For Availability Zone, select us-east-1b

    b. For subnet, select Private subnet 2A

    c. For IP address, Select Use an IP address that is selected automatically

  5. Press Submit.

Once the Inbound endpoints are created, click on the inbound endpoint hyperlink for details on the endpoint. You should see the IP addresses that were assigned for the inbound endpoints. AWS puts an elastic network interface (ENI) into your subnet and assigns this IP address to the ENI.

Testing Outbound Endpoint and Resolver Rule

  1. Connect to your RD Gateway Server (or use an open session from Step 1).

    a. Log in to the AWS Console and go to Elastic Compute Cloud (EC2) console.

    b. On the left hand menu, select Instances.

    c. Select the checkbox near to the RDGW server.

    d. Click the Connect button. Click the “Download Remote Desktop File” to download the RDP file.

    e. Click the Get Password button.

    f. Click the Choose File button and browse to the location of the key pair file that you downloaded earlier.

    g. Click Decrypt Password

    h. Once the password is decrypted, copy it to the clipboard.

    i. Double click the RDP connection file and paste the password from the clipboard into the password field.

  2. Open a PowerShell window and run the command: Resolve-DnsName corp.example.com

You should receive a DNS response with the correct IP addresses for your Active Directory domain.

Congratulations.

In this lab, you learned how you can enable hybrid DNS name resolution between DNS zones hosted in your on-premises infrastructure and AWS. In the lab, we used AWS Managed Microsoft AD DNS servers to simulate your on-premises DNS infrastructure. To integrate with your real on-premises environment, you would specify the IP addresses of your on-premises DNS servers instead of the AWS Managed Microsoft AD DNS servers.

To enable your on-premises DNS servers to resolve any AWS Private Zones hosted on Route 53, you would create DNS forwarding rules in your on-premises DNS infrastructure. For the DNS domains hosted on Route 53, forward to the IP addresses of the Inbound Endpoints.
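As an added example (not code from the lab or from AWS), the following Python models how Route 53 Resolver picks among the rules created in Step 2 by most-specific domain match, and applies the same logic to the on-premises conditional forwarder described above. The IP addresses, the private zone name aws.example.internal and the on-premises rule set are constructed assumptions, not values from the lab.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Rule:
    domain: str                       # domain the rule covers; "." is the catch-all
    action: str                       # "Forward" or "System"
    targets: tuple = ()               # DNS servers that receive forwarded queries
    endpoint: Optional[str] = None    # outbound endpoint the forwarded query leaves from

def labels(name: str) -> list:
    """Split a name into labels, ignoring case and a trailing dot ('.' -> [])."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def matches(rule: Rule, qname: str) -> bool:
    """A rule covers qname when its domain equals qname or is a parent of it,
    label by label (so corp.example.com does not cover notcorp.example.com)."""
    r, q = labels(rule.domain), labels(qname)
    return len(r) <= len(q) and q[len(q) - len(r):] == r

def select_rule(rules: Sequence[Rule], qname: str) -> Rule:
    """Resolver applies the matching rule with the most specific domain (most labels);
    the '.' System rule is the fallback when no forwarding rule matches."""
    return max((r for r in rules if matches(r, qname)), key=lambda r: len(labels(r.domain)))

def describe(rules: Sequence[Rule], qname: str) -> str:
    """Where a query for qname goes under the given rule set."""
    rule = select_rule(rules, qname)
    if rule.action == "System":
        return "System"
    via = f" via {rule.endpoint}" if rule.endpoint else ""
    return f"Forward to {','.join(rule.targets)}{via}"

# Rule set 1: the Route 53 Resolver rules Step 2 leaves in the lab VPC.
MANAGED_AD_DNS = ("10.0.0.10", "10.0.1.10")   # constructed stand-ins for the Step 4 addresses
AWS_RULES = (
    Rule(".", "System"),                        # the default Internet Resolver rule
    Rule("corp.example.com", "Forward", MANAGED_AD_DNS, "R53-OutboundEndpoint"),
)

# Rule set 2: the conditional forwarder the conclusion asks for on the on-premises DNS
# servers, sending a Route 53-hosted private zone (constructed name) to the inbound endpoint.
INBOUND_ENDPOINT_IPS = ("10.0.0.20", "10.0.1.20")  # constructed
ONPREM_RULES = (
    Rule(".", "System"),                        # the on-premises resolver's own recursion
    Rule("aws.example.internal", "Forward", INBOUND_ENDPOINT_IPS),
)
```

Calling describe(AWS_RULES, "dc1.corp.example.com") shows the forward path through the outbound endpoint, while a name outside corp.example.com falls back to the System rule.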