CloudFormation: DNS Forwarder
Deploy Route 53 resolver rules to forward DNS resolution
Published Dec 17, 2024
There are times when you need private DNS resolution from within an AWS VPC to DNS servers (BIND hosts, domain controllers) sitting in another VPC, a different cloud network, or on-premises, so that resources inside the source VPC can reach machines in the destination network by hostname instead of by IP address. The main prerequisite is that the VPC is already connected to the destination network, whether through Direct Connect, VPN, or PrivateLink.
Once connectivity is established, you will have to configure Route 53 resolver rules and their associated components, including a security group and resolver endpoints, to enable DNS resolution using the destination servers. The solution at https://gitlab.com/fer1035_aws/cloudformation/cloudformation-dns-forwarder helps to do this consistently. There are several pieces of information that you will need to prepare beforehand to be able to use it:
- The destination domain to resolve - if your destination machines have hostnames such as machine1.example.com, then this domain should be example.com.
- The IP addresses of the destination DNS servers - the solution can take up to 2 IP addresses for redundancy, but 1 will work. You will also need to make sure that the addresses are reachable from the source VPC.
- The source VPC and subnet IDs - the IDs of the VPC and subnets in which your resources are running. The solution requires that your VPC has 2 subnets to be used for this purpose.
- Ingress CIDR - the CIDR range to allow for inbound DNS traffic. This can be the CIDR range of your VPC.
- Egress CIDR - the CIDR range to allow for outbound DNS traffic. This can be the CIDR range of your destination network. Since the destination is connected to the source VPC, their CIDR ranges should not overlap.
Once you have all the information above, you can simply download the template and use it to launch a deployment in CloudFormation.
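The following template is an added example of the pieces described above (security group, outbound resolver endpoint, forwarding rule, and VPC association); it is not the template from the GitLab project, and the parameter and resource names are my own. The security group only permits DNS (UDP and TCP port 53) to and from the two CIDR ranges the post asks you to prepare, rather than opening egress to the whole Internet.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Forward one domain to DNS servers in a connected network (added example)
Parameters:
  DomainName: {Type: String}              # e.g. example.com
  DnsServer1: {Type: String}              # first destination DNS server IP
  DnsServer2: {Type: String}              # second destination DNS server IP
  VpcId: {Type: AWS::EC2::VPC::Id}        # source VPC
  SubnetId1: {Type: AWS::EC2::Subnet::Id} # two subnets for endpoint IPs
  SubnetId2: {Type: AWS::EC2::Subnet::Id}
  IngressCidr: {Type: String}             # e.g. the source VPC CIDR
  EgressCidr: {Type: String}              # e.g. the destination network CIDR
Resources:
  ResolverSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DNS only, restricted to the listed CIDR ranges
      VpcId: !Ref VpcId
      # Ingress rules only matter for an inbound endpoint; kept so the same
      # group can be reused if one is added later.
      SecurityGroupIngress:
        - {IpProtocol: udp, FromPort: 53, ToPort: 53, CidrIp: !Ref IngressCidr}
        - {IpProtocol: tcp, FromPort: 53, ToPort: 53, CidrIp: !Ref IngressCidr}
      # Egress is what the outbound endpoint uses to reach the target servers.
      SecurityGroupEgress:
        - {IpProtocol: udp, FromPort: 53, ToPort: 53, CidrIp: !Ref EgressCidr}
        - {IpProtocol: tcp, FromPort: 53, ToPort: 53, CidrIp: !Ref EgressCidr}
  OutboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Direction: OUTBOUND
      IpAddresses:               # one ENI per subnet gives redundancy
        - SubnetId: !Ref SubnetId1
        - SubnetId: !Ref SubnetId2
      SecurityGroupIds: [!Ref ResolverSecurityGroup]
  ForwardRule:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      RuleType: FORWARD
      DomainName: !Ref DomainName          # queries for *.DomainName are forwarded
      ResolverEndpointId: !Ref OutboundEndpoint
      TargetIps:
        - {Ip: !Ref DnsServer1, Port: "53"}
        - {Ip: !Ref DnsServer2, Port: "53"}
  RuleAssociation:               # the rule does nothing until associated with a VPC
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      ResolverRuleId: !Ref ForwardRule
      VPCId: !Ref VpcId
```

After the stack is created, a query such as `dig machine1.example.com` from an instance in the VPC should be answered by the destination servers, and a query for any other domain should still follow the VPC's normal resolution path.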