A Deep Dive into Route53 Resolver for Multi Account DNS Management
Overview:-
In this tutorial we will go through Route53 Resolver, inbound endpoints, outbound endpoints, the +2 resolver, and the flow of resolving domain names from one AWS account to another by using a central DNS account.
Inbound Endpoints:-
An inbound endpoint is a gateway that allows DNS queries to flow into your DNS VPC. When you create an inbound endpoint, it creates an ENI inside the VPC you specify. Inbound endpoints do not have any rules configured on them.
Outbound Endpoints:-
An outbound endpoint is a gateway that allows DNS queries to flow out of the DNS VPC. Its ENIs are created inside the VPC you specify, and that VPC should be the same as the DNS server VPC. Like inbound endpoints, outbound endpoints do not have any rules configured on them; the rules are attached separately.
+2 Resolver:-
By default AWS provides a +2 resolver. This means that if a VPC has a CIDR block of 10.0.0.0/8, AWS provides a DNS resolver at 10.0.0.2, i.e. the base address of the VPC CIDR block plus two. This +2 resolver acts as the default DNS resolver inside your VPC.
Route53 Resolver Rule:-
When the +2 resolver is not able to resolve a query, it checks whether any resolver rule applies. The resolver rule tells the DNS server where to send the query for resolution of the domain name. You can also share a resolver rule with other AWS accounts using AWS Resource Access Manager.
You need to have an outbound endpoint configured, which is responsible for sending the DNS query out of your DNS server VPC. In the target IP address section you can give the IP address of another DNS server or the IP addresses of remote inbound endpoints.
Note that you need to select the same VPC ID that contains your inbound and outbound endpoints. Below is a snapshot of a Route53 resolver rule configured for the domain name example.com.
Multi Account DNS Resolution:-
As you can see, we have 3 AWS accounts. The Central DNS account has a DNS VPC with inbound and outbound endpoints.
The Central DNS VPC has a resolver rule that handles DNS queries for example.com. It also has a private hosted zone created for example.com.
In account A we have a VPC with a compute resource, and we have created a private hosted zone named one.example.com. We also have the rule for example.com shared from the Central DNS account.
In account B we have a VPC with a compute resource and a private hosted zone named two.example.com. In this account too, the resolver rule is shared from the Central DNS account.
In accounts A and B, associate the VPC containing the compute resource with the resolver rule shared across accounts.
Associate each private hosted zone with the DNS VPC. This allows the centralized DNS VPC to resolve domains in the private hosted zone and act as a DNS resolver between AWS accounts.
In accounts A and B (the owners of the hosted zones), create the authorization using the command below:
aws route53 create-vpc-association-authorization --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
In the central account (the owner of the DNS VPC), use the command below to perform the association:
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id <hosted-zone-id> --vpc VPCRegion=<region>,VPCId=<vpc-id>
Now account A tries to resolve the domain name host2.two.example.com.
It first queries the +2 resolver inside the VPC to check whether information about this domain is present. The +2 resolver is not able to resolve it, so it checks for a forwarding rule associated with the VPC.
Using the forwarding rule, the query reaches the Central DNS account, where it arrives at the outbound endpoint.
In the rule, we configured the target IP addresses as the inbound endpoints, so from there the query is routed to the DNS server.
Now, because we have already associated the DNS VPC with the hosted zone from account B, the DNS server is able to get the information about host2.two.example.com.
The reverse happens if we try to resolve a domain name belonging to account A from account B.
Summary:-
In summary, this tutorial covers Route53 Resolver, inbound and outbound endpoints, the +2 resolver, and the DNS resolution flow between AWS accounts. Inbound endpoints allow DNS queries into a DNS VPC, creating an ENI without configured rules. Outbound endpoints carry DNS queries out of the DNS VPC. Resolver rules direct DNS queries when the +2 resolver cannot resolve them, and they can be shared across AWS accounts. For multi-account DNS resolution, a Central DNS account handles DNS queries between accounts using shared rules, authorizations, and associations with private hosted zones. The tutorial concludes with a step-by-step walk-through of resolving domain names between accounts using the configured DNS infrastructure.