EC2 could not resolve private DNS host name - amazon-web-services

I am new to Amazon Web Service (AWS)
I just created a VPC and a subnet, which is inside it.
However, I could not resolve any hostnames in this subnet (when I am on any host in this subnet):
[ec2-user@ip-192-168-1-86 ~]$ nslookup
> ip-192-168-1-86.ec2.internal
Server: 192.168.1.2
Address: 192.168.1.2#53
** server can't find ip-192-168-1-86.ec2.internal: NXDOMAIN
I have double-checked that DNS resolution is enabled for my VPC
and the private DNS hostname is correct.

From the AWS DNS documentation:
When you launch an instance into a VPC, it always receives a private
DNS hostname.
The DNS resolution depends on the enableDnsHostnames and enableDnsSupport flags.
By default, both attributes are set to true in a default VPC or a VPC
created by the VPC wizard. By default, only the enableDnsSupport
attribute is set to true in a VPC created any other way.
Depending upon the enableDnsHostnames and enableDnsSupport flags, the following rules apply:
If both attributes are set to true, the following occurs:
Instances with a public IP address receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.
If either or both of the attributes is set to false, the following occurs:
Instances with a public IP address do not receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set. If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.
If enableDnsHostnames and enableDnsSupport are true, then check whether the DHCP options set has been modified.
Go to the VPC service page in the AWS Console. Select Your VPCs to see all the VPCs.
Select the VPC, and select Actions, Edit DHCP options set.
In the DHCP options set list, select the default DHCP option list, and then choose Save.
On the VPC service page, you can find the DHCP Options Sets where you can get the Default DHCP Options Sets.
It would take a couple of hours for the running EC2 instances to reflect this without a restart. You can also renew the IP lease with the following command.
Windows: ipconfig /renew
Linux: sudo dhclient -r
Or restart the instance, if you can't wait.

Check the private DNS hostnames supported by each region in the documentation below.
A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The private DNS hostname takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 Region, and ip-private-ipv4-address.region.compute.internal for other Regions (where private-ipv4-address is the reverse lookup IP address). You can use the private DNS hostname for communication between instances in the same network, but we can't resolve the DNS hostname outside the network that the instance is in.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html

Related

What is AmazonProvidedDNS IP address?

The AWS doc states that the Amazon DNS Server would be the base of your VPC network range plus two. I'm confused whether this server is also the same AmazonProvidedDNS that you set in your DHCP option sets.
The Amazon DNS server does not reside within a specific subnet or Availability Zone in a VPC. It's located at the address 169.254.169.253 (and the reserved IP address at the base of the VPC IPv4 network range, plus two) and fd00:ec2::253. For example, the Amazon DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.
Is the "Amazon DNS server" and AmazonProvidedDNS the same?
For example, if my VPC's base network range is 10.0.0.0 and I run a DNS query against 10.0.0.2, am I querying the AmazonProvidedDNS (aka Amazon DNS Server)?
AmazonProvidedDNS is an option in the default DHCP options set. DHCP options sets are settings for your VPC where you can specify IP addresses for things such as the domain name server, NTP server and NetBIOS server.
From the docs linked above:
Domain name servers: The DNS servers that will be used to resolve the IP address of the host. In the default option set, the only value is AmazonProvidedDNS. The string AmazonProvidedDNS maps to Amazon's DNS server.
Essentially this means that if your VPC uses the default DHCP options set and you query the network address + 2 (for example 10.0.0.2), you are querying the Amazon DNS servers.
If you have time, you could also watch this AWS re:Invent 2019: Deep dive on DNS in the hybrid cloud presentation about how DNS works inside an AWS VPC.
The doc Amazon VPC > DNS Attributes > Amazon DNS Server says:
The Amazon DNS server does not reside within a specific subnet or
Availability Zone in a VPC. It's located at the address
169.254.169.253 (and the reserved IP address at the base of the VPC's IPv4 network range, plus two) and fd00:ec2::253.
It's not in this subnet's private IPv4 CIDR (e.g. a /24) unless this subnet happens to be the one allocated at the bottom of the VPC's CIDR (e.g. a /16). To simplify finding the DNS server, or for use before you get an address assignment via DHCP or PD, it's also available at static link-local IPv4 and IPv6 addresses.
Similarly, the Amazon Time Sync Service is available early in the boot process at static link-local addresses, 169.254.169.123 and fd00:ec2::123, but it's different: Why doesn't it have its own symbol AmazonProvidedNTP in the default DHCP option set, analogous to AmazonProvidedDNS? Why don't the DNS and NTP services share the same addresses on the same ENI? And why isn't NTP also available at the VPC's IPv4 base plus 2 (or whatever)? Good questions!

boto3 instance.private_dns_name still returns despite disabling VPC DNS hostnames

I have created a VPC with DNS Hostnames disabled and then launched a new instance into this VPC, but every time I check instance.private_dns_name using boto3, it always returns a name. Should this be happening?
The option gives you a public DNS name, not the Private one. See the documentation.
If both options are turned off, then no public DNS name is given to the instances and the Amazon DNS server will not resolve the private DNS hostnames. But the private DNS name is still given.
enableDnsHostnames
Indicates whether instances with public IP addresses get corresponding public DNS hostnames.
If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.
enableDnsSupport
Indicates whether the DNS resolution is supported.
If this attribute is false, the Amazon-provided DNS server that resolves public DNS hostnames to IP addresses is not enabled.
If this attribute is true, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two will succeed. For more information, see Amazon DNS Server.
You can turn off the private DNS name by modifying the DHCP options set, as mentioned in the other documentation.

Query Route53 Private Hosted Zone with custom DHCP Options Set

I have:
- an AWS VPC myvpc with a default DHCP Options Set, setting a custom nameserver
- a Route53 Private Hosted Zone myzone.local attached to this VPC
As I am not using the AWS Nameservers in the DHCP Options Set, I can't resolve myzone.local from any EC2 instance in myvpc. That is intended behavior.
There is a single EC2 instance in that VPC that runs a DNS server. I want that instance to forward queries for myzone.local to the Route53 Private Zone.
How can I get a hostname that may be used as a forward resolver by my instance? I was trying to use the public Route53 nameservers, hoping that, if queried from myvpc, they'd answer for myzone.local, but that wasn't the case.
The IP address of the VPC resolver is 169.254.169.253 in every VPC.
Or, you can use the address at +2 from the base of the VPC CIDR, so for 10.0.0.0/16 the resolver would be 10.0.0.2, and for 172.31.0.0/16 the resolver would be 172.31.0.2.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html#AmazonDNS
The two are equivalent, and both will provide resolution of names from a private hosted zone attached to the VPC.
enableDnsSupport needs to be enabled for the VPC.
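A small offline helper that applies the rules from the answers above (the resolver at the base of the VPC CIDR plus two, the two VPC attributes, and AmazonProvidedDNS in the DHCP options set) to a VPC description. This is an added example, not code from any of the posts; the dict shape and the field names it reads are assumed for illustration, not a boto3 response.

```python
import ipaddress

# Static resolver addresses quoted in the answers above (the same in every VPC).
LINK_LOCAL_RESOLVER_V4 = "169.254.169.253"
LINK_LOCAL_RESOLVER_V6 = "fd00:ec2::253"


def amazon_dns_address(vpc_cidr):
    """Amazon DNS server address: base of the VPC's primary IPv4 CIDR plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def private_dns_hostname(private_ip, region):
    """Amazon-provided private hostname for an instance's private IPv4 address."""
    dashed = private_ip.replace(".", "-")
    if region == "us-east-1":
        return f"ip-{dashed}.ec2.internal"
    return f"ip-{dashed}.{region}.compute.internal"


def diagnose(vpc):
    """Return the reasons (if any) why private hostnames will not resolve in this VPC.

    `vpc` is a plain dict carrying the two attributes and the DHCP options set's
    domain-name-servers list (a constructed shape, not a boto3 response).
    """
    reasons = []
    if not vpc["enableDnsSupport"]:
        reasons.append("enableDnsSupport is false: the Amazon DNS server is not enabled")
    if not vpc["enableDnsHostnames"]:
        reasons.append("enableDnsHostnames is false: private DNS hostnames are not resolved")
    if "AmazonProvidedDNS" not in vpc["domain_name_servers"]:
        reasons.append("DHCP options set does not use AmazonProvidedDNS: instances never query "
                       "%s / %s" % (amazon_dns_address(vpc["cidr"]), LINK_LOCAL_RESOLVER_V4))
    return reasons


# Constructed sample matching the failing nslookup in the first question (us-east-1, 192.168.1.0/24).
SAMPLE_VPC = {
    "cidr": "192.168.1.0/24",
    "region": "us-east-1",
    "enableDnsSupport": True,
    "enableDnsHostnames": False,  # default for a VPC created outside the wizard
    "domain_name_servers": ["AmazonProvidedDNS"],
}

if __name__ == "__main__":
    print("resolver:", amazon_dns_address(SAMPLE_VPC["cidr"]), "or", LINK_LOCAL_RESOLVER_V4)
    print("expected name:", private_dns_hostname("192.168.1.86", SAMPLE_VPC["region"]))
    for reason in diagnose(SAMPLE_VPC):
        print("problem:", reason)
```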

How come I can't access AWS instance using Private DNS Address

I set up an AWS instance in my VPC with a private IP address -- no public IP address. This is going to be my MongoDB instance and will only be accessed by other servers within the VPC. I established a successful VPN connection and can SSH using Putty to the instance using the private IP address - "10.0.0.95". So far, so good. I noticed that the private IP address also has a Private DNS - "ip-10-0-0-95.internal". I tried using the Private DNS to access the instance through the VPN but got this Putty error "Unable to open connection to ip-10-0-0-95.ec2.internal. Host does not exist". Clearly, I can use the 10.0.0.95 IP address but was surprised that the private DNS name did not work. How come?
You should enable DNS resolution for your VPC, or you won't be able to resolve internal DNS names.
To use private hosted zones, you must set the following Amazon VPC settings to true:
enableDnsHostnames
enableDnsSupport
Steps to enable DNS resolution:
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Your VPC.
Select the VPC from the list, choose Actions and then either Edit DNS Resolution or Edit DNS Hostnames (you should enable both).
In the dialog box that opens, choose Yes, and Save.
For more info: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html#vpc-dns-updating

EC2 instance in VPC public DNS name

I have a VPC instance created on AWS. But it doesn't have a public DNS value, as opposed to my other instance, which is a straight EC2 instance,
e.g. ec2-45-55-79-ap-southeast-1.compute.amazonaws.com
Is there a way to assign a "Public DNS" value like the one above for my VPC instance?
Cheers to anyone who knows!!
The default public DNS name is assigned based on your VPC configuration. Make sure that the following settings are set in the VPC console (https://console.aws.amazon.com/vpc/):
DNS resolution and DNS hostnames attributes are set to True in your VPC
You have the DHCP options set with the default provider AmazonProvidedDNS. Something like:
domain-name = ap-southeast-1.compute.internal
domain-name-servers = AmazonProvidedDNS
More details for DHCP Options Set configuration: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html
You need to make sure that the instance is launched into a public subnet, and then you can assign an elastic IP.