I have
an AWS VPC myvpc with a default DHCP Options Set, setting a custom nameserver
a Route53 Private Hosted Zone myzone.local attached to this VPC
As I am not using the AWS Nameservers in the DHCP Options Set, I can't resolve myzone.local from any EC2 instance in myvpc. That is intended behavior.
There is a single EC2 instance in that VPC that runs a DNS server. I want that instance to forward queries for myzone.local to the Route53 Private Zone.
How can I get a hostname that may be used as forward resolver by my instance? I was trying to use the public Route53 Nameservers and hoping that - if queried from myvpc they'd answer for myzone.local, but that wasn't the case.
The IP address of the VPC resolver is 169.254.169.253 in every VPC.
Or, you can use the address at +2 from the base of the VPC CIDR, so for 10.0.0.0/16 the resolver would be 10.0.0.2, and for 172.31.0.0/16 the resolver would be 172.31.0.2.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html#AmazonDNS
The two are equivalent, and both will provide resolution of names from a private hosted zone attached to the VPC.
enableDnsSupport needs to be enabled for the VPC.
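As an added example (not part of the original answer), the following Python computes the VPC resolver address from the VPC CIDR exactly as described above (base + 2) and renders the forwarding stanza that a DNS server on an EC2 instance would use to hand myzone.local queries to that resolver. The BIND9 and Unbound stanzas are the standard forward-zone syntax of those servers; the zone name and CIDR are the ones from the question, and the validation of the CIDR is my own addition.

```python
import ipaddress

# Link-local address of the Amazon-provided resolver, reachable from every VPC
# (as stated in the answer above); equivalent to the CIDR+2 address.
VPC_RESOLVER_LINK_LOCAL = "169.254.169.253"


def vpc_resolver_address(vpc_cidr: str) -> str:
    """Return the Amazon-provided resolver address for a VPC: the base of the
    VPC IPv4 CIDR plus two. Raises ValueError if the string is not a valid
    IPv4 network (e.g. host bits set), so a typo does not silently turn into
    a wrong forwarder address."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.version != 4:
        raise ValueError("the VPC resolver address is derived from the IPv4 CIDR")
    # The resolver sits at +2, so the block must be large enough to contain it.
    if net.num_addresses < 8:
        raise ValueError("VPC CIDR too small to contain a resolver address")
    return str(net.network_address + 2)


def bind_forward_zone(zone: str, vpc_cidr: str) -> str:
    """Render a BIND9 'forward only' zone stanza that sends queries for `zone`
    to the VPC resolver. Both the CIDR+2 and the link-local address are listed
    because they are equivalent; 'forward only' keeps the server from falling
    back to public recursion for a name that only the private zone knows."""
    forwarders = [vpc_resolver_address(vpc_cidr), VPC_RESOLVER_LINK_LOCAL]
    return (
        f'zone "{zone}" {{\n'
        f"    type forward;\n"
        f"    forward only;\n"
        f"    forwarders {{ {'; '.join(forwarders)}; }};\n"
        f"}};\n"
    )


def unbound_forward_zone(zone: str, vpc_cidr: str) -> str:
    """The same forwarding rule expressed in Unbound's forward-zone syntax."""
    lines = ["forward-zone:", f'    name: "{zone}"']
    for addr in (vpc_resolver_address(vpc_cidr), VPC_RESOLVER_LINK_LOCAL):
        lines.append(f"    forward-addr: {addr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Zone and CIDR from the question; adjust to your own VPC.
    print(bind_forward_zone("myzone.local", "10.0.0.0/16"))
    print(unbound_forward_zone("myzone.local", "10.0.0.0/16"))
```

The queries still have to originate inside the VPC for the private hosted zone to answer, and enableDnsSupport must be on; the forwarder only tells the instance's own DNS server where to send them. The same CIDR+2 value is what you would enter anywhere else on this page that asks for the VPC's DNS server address.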
I am new to Amazon Web Service (AWS)
I just created a VPC and a subnet, which is inside it.
However, I could not resolve any hostnames in this subnet (when I am on any host in this subnet):
[ec2-user@ip-192-168-1-86 ~]$ nslookup
> ip-192-168-1-86.ec2.internal
Server: 192.168.1.2
Address: 192.168.1.2#53
** server can't find ip-192-168-1-86.ec2.internal: NXDOMAIN
I have double checked that DNS resolution is enabled for my VPC and that the private DNS hostname is correct.
From the AWS DNS documentation
When you launch an instance into a VPC, it always receives a private
DNS hostname.
The DNS resolution depends on the enableDnsHostnames and enableDnsSupport flags.
By default, both attributes are set to true in a default VPC or a VPC
created by the VPC wizard. By default, only the enableDnsSupport
attribute is set to true in a VPC created any other way.
Depending upon the enableDnsHostnames and enableDnsSupport flags, the following rules apply:
If both attributes are set to true, the following occurs:
Instances with a public IP address receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver server can resolve Amazon-provided private DNS hostnames.
If either or both of the attributes is set to false, the following occurs:
Instances with a public IP address do not receive corresponding public DNS hostnames.
The Amazon Route 53 Resolver cannot resolve Amazon-provided private DNS hostnames.
Instances receive custom private DNS hostnames if there is a custom domain name in the DHCP options set. If you are not using the Amazon Route 53 Resolver server, your custom domain name servers must resolve the hostname as appropriate.
If enableDnsHostnames and enableDnsSupport are true, then check whether the DHCP options set has been modified.
Go to the VPC service page in the AWS Console. Select Your VPCs to see all the VPCs.
Select the VPC, and select Actions, Edit DHCP options set.
In the DHCP options set list, select the default DHCP options set, and then choose Save.
On the VPC service page, you can find the DHCP Options Sets where you can get the Default DHCP Options Sets.
It can take a couple of hours for running EC2 instances to reflect this without a restart. You can also renew the DHCP lease with the following command.
Windows: ipconfig /renew
Linux: sudo dhclient -r
Or restart the instance, if you can't wait.
Check the private DNS hostnames supported by each region in the documentation below.
A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The private DNS hostname takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 Region, and ip-private-ipv4-address.region.compute.internal for other Regions (where private-ipv4-address is the reverse lookup IP address). You can use the private DNS hostname for communication between instances in the same network, but we can't resolve the DNS hostname outside the network that the instance is in.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
This question is in the context of Private DNS hostnames.
In AWS, for each subnet in a VPC, the IP address of the DNS server is the base of the VPC network range plus two. I am curious to understand:
If it is a single DNS server for the entire VPC with interfaces in each subnet or
There are separate instances of DNS servers for each subnet
If there are separate instances of DNS servers for each subnet, how does the private DNS name of an EC2 instance in a different subnet (within the same VPC) get resolved?
There is only one DNS server per VPC, and its private IP address is the base of the VPC network range plus two. [ref]
I have a VPC in my AWS account peered to a VPC of a partners account. The partner account has Route 53 resolvers to resolve DNS within domain.com to IPs in their peered VPC.
I've associated my VPC with their private hosted zone.
Within my VPC (for example SSH into an EC2 instance), the DNS resolution for foo.bar.domain.com works great - I'm resolving & connecting to the resources in their VPC as expected.
However, when I'm running an AWS Client VPN on my personal machine, I'm unable to resolve foo.bar.domain.com to the same private IP address through the VPN. So, for example, running a development server on my machine that connects to the partner VPC URLs is failing.
I've tried hosting a DNS server in the VPC with a zone forwarding rule pointing to the Route 53 IPs.
I've tried setting the VPN DNS server IP to the Route 53 IPs.
But none of that has worked. Help would be appreciated.
The answer was simpler than I thought: I just had to set the DNS server in the AWS Client VPN Endpoint settings to be the private IP address of my VPC's DNS (which is always the VPC's CIDR +2).
From the AWS docs:
If you're unsure about which IP address to specify for the DNS servers, specify the VPC DNS resolver at the .2 IP address in your VPC.
Client VPN Endpoints > Modify Client VPN Endpoint > Other optional parameters > Enable DNS Servers > IP Address
Our aim is to get our Elastic Beanstalk setups to route traffic through a NAT gateway, as we require this for certain traffic connecting to APIs which require IP whitelisting. Rather than make modifications to the current setup, I have created a separate/isolated VPC and EC2 instance to familiarise myself with and test the setup. However, I am yet to get the setup working as desired.
Here is the setup
VPC (vpc-77049811) with CIDR of 10.0.0.0/16
Internet gateway (igw-4d4b212a) assigned to mentioned VPC
Subnet (subnet-096d8a53) with CIDR of 10.0.1.0/24
NAT Gateway (nat-00bb49204627de7e6) attached to mentioned subnet and assigned Elastic IP
Route table attached to mentioned VPC and associate with mentioned subnet
1x EC2 Instance assigned to VPC and its own Elastic IP and Disabled Source/Destination Check
Route Table Setup
10.0.0.0/16 local
0.0.0.0/0 igw-4d4b212a
With the above setup, I am able to log into the server and make a curl request to get the server's public IP address (curl icanhazip.com). As soon as I add a rule to the route table for the URL's resolved IPs to route through the NAT gateway, though, I am unable to ping or make the curl request, as it times out.
Rules added to route table which do not work
45.63.64.111/32 nat-00bb49204627de7e6
144.202.71.30/32 nat-00bb49204627de7e6
Not sure if I've overlooked something here or maybe I have misunderstood the concept and use cases for the NAT gateway?
45.63.64.111 is a public IP. You need an IGW to reach it.
You either do that by routing your traffic directly to the IGW
OR
by routing it to the NAT and then routing that traffic on to the IGW.
The routing-to-IGW part is missing.
A NAT gateway is used for EC2 instances in private subnets (which do not have an IGW attached). In the scenario above, the EC2 instance is in a public subnet, so ideally it does not need a NAT.
Here is what I would do to use NAT-
1. Place the EC2 instance in a private subnet, and have a route table that sends all outgoing traffic to the NAT gateway.
2. The NAT gateway, which is in the public subnet, will forward your traffic to the IGW.
It seems like you have misunderstood the purpose of a NAT.
Its purpose is to provide outbound internet access to instances in a private subnet without allowing any inbound connectivity - i.e. a subnet where the routing table does NOT have an entry for:
0.0.0.0/0 igw-4d4b212a
If you want to restrict access from your EC2 instance to specific IP addresses, put your NAT in the public subnet, create a private subnet, and put your instance in the private subnet. Then add the two routes to the route table associated with the private subnet:
45.63.64.111/32 nat-00bb49204627de7e6
144.202.71.30/32 nat-00bb49204627de7e6
If you simply want to restrict access of your EC2 instance to a couple of IP addresses, you can create routes only for those addresses:
45.63.64.111/32 igw-4d4b212a
144.202.71.30/32 igw-4d4b212a
Be aware that with this last option, your instance can be reached from the internet if you have rules open in your security groups.
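To make the two answers above concrete, here is an added example (my own code, not from the question or either answer) that models VPC route lookup as longest-prefix match and traces where a packet egresses. It assumes, as the answers do, that a NAT gateway sends its own outbound traffic according to the route table of the subnet it lives in; that assumption is what makes the question's layout fail (the /32 route pointing back at the NAT applies to the NAT's own egress too) and the recommended layout work. The public subnet, IGW and NAT ids are the ones quoted in the question; the private subnet id is a constructed placeholder.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Ids quoted in the question; PRIVATE_SUBNET is a constructed placeholder.
PUBLIC_SUBNET = "subnet-096d8a53"
PRIVATE_SUBNET = "subnet-PRIVATE-placeholder"
IGW = "igw-4d4b212a"
NAT = "nat-00bb49204627de7e6"


class RouteTable:
    """A VPC route table: destination prefix -> target, resolved by
    longest-prefix match (the most specific route wins)."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ipaddress.ip_network(dst), target) for dst, target in routes]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def trace_egress(dst: str, subnet: str, tables: Dict[str, RouteTable],
                 nat_subnet: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow a packet from an instance in `subnet` towards `dst`.
    Modelled assumption: after a NAT hop the packet is forwarded using the
    route table of the subnet the NAT gateway lives in. The returned hop list
    ends in 'internet' (reached an IGW), 'local', 'blackhole' (no route)
    or 'loop' (the NAT's own egress comes back to the NAT)."""
    path: List[str] = [subnet]
    for _ in range(max_hops):
        target = tables[subnet].lookup(dst)
        if target is None:
            return path + ["blackhole"]
        if target == "local":
            return path + ["local"]
        if target.startswith("igw-"):
            return path + [target, "internet"]
        if target.startswith("nat-"):
            if target in path:
                return path + [target, "loop"]
            path.append(target)
            subnet = nat_subnet[target]      # NAT egresses via its own subnet's table
            path.append(subnet)
            continue
        return path + [target, "unknown-target"]
    return path + ["loop"]


def question_setup() -> Tuple[Dict[str, RouteTable], Dict[str, str]]:
    """The layout from the question: instance and NAT share the public subnet,
    and the two /32 routes send that traffic to the NAT."""
    tables = {PUBLIC_SUBNET: RouteTable([
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", IGW),
        ("45.63.64.111/32", NAT),
        ("144.202.71.30/32", NAT),
    ])}
    return tables, {NAT: PUBLIC_SUBNET}


def answer_setup() -> Tuple[Dict[str, RouteTable], Dict[str, str]]:
    """The layout the answers recommend: NAT stays in the public subnet (which
    routes 0.0.0.0/0 to the IGW); the instance moves to a private subnet whose
    table has no IGW route and only the two /32 routes to the NAT."""
    tables = {
        PUBLIC_SUBNET: RouteTable([("10.0.0.0/16", "local"), ("0.0.0.0/0", IGW)]),
        PRIVATE_SUBNET: RouteTable([
            ("10.0.0.0/16", "local"),
            ("45.63.64.111/32", NAT),
            ("144.202.71.30/32", NAT),
        ]),
    }
    return tables, {NAT: PUBLIC_SUBNET}


if __name__ == "__main__":
    for label, (tables, nats), src in (("question", question_setup(), PUBLIC_SUBNET),
                                        ("answer", answer_setup(), PRIVATE_SUBNET)):
        for dst in ("45.63.64.111", "8.8.8.8", "10.0.1.7"):
            print(f"{label:8s} {dst:15s} -> {' > '.join(trace_egress(dst, src, tables, nats))}")
```

The trace also shows the security property the second answer relies on: in the private-subnet layout a destination with no route (8.8.8.8 here) is a blackhole rather than an IGW hop, so the instance can only reach the whitelisted addresses, and nothing on the internet can initiate a connection to it.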
I have a VPC instance created on AWS. But it doesn't have a public DNS value, as opposed to my other instance, which is a plain EC2 instance.
e.g. ec2-45-55-79-ap-southeast-1.compute.amazonaws.com
Is there a way to assign a "Public DNS" value like the one above for my VPC instance?
Cheers to anyone who knows!!
The default public DNS name is assigned based on your VPC configuration. Make sure that the following settings are set in the VPC console (https://console.aws.amazon.com/vpc/):
DNS resolution and DNS hostnames attributes are set to True in your VPC
You have the DHCP options set with the default provider AmazonProvidedDNS. Something like:
domain-name = ap-southeast-1.compute.internal
domain-name-servers = AmazonProvidedDNS
More details for DHCP Options Set configuration: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html
You need to make sure that the instance is launched into a public subnet, and then you can assign an elastic IP.
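The checks in this answer and in the longer answer about private DNS hostnames earlier on the page (enableDnsSupport, enableDnsHostnames, and a DHCP options set that still points at AmazonProvidedDNS) are the same three settings, so here is one added audit script covering both (my own example, not code from the page or from AWS). It parses JSON in the shape returned by `aws ec2 describe-vpc-attribute` and `aws ec2 describe-dhcp-options` (that shape is an assumption on my part; verify it against your CLI version); the embedded documents are constructed samples with placeholder ids, deliberately showing a misconfigured VPC.

```python
import json
from typing import Dict, List

# Constructed samples in the shape of the AWS CLI output (assumed shape);
# ids are placeholders. This VPC has DNS hostnames off and a custom resolver.
DNS_SUPPORT_JSON = '{"VpcId": "vpc-PLACEHOLDER", "EnableDnsSupport": {"Value": true}}'
DNS_HOSTNAMES_JSON = '{"VpcId": "vpc-PLACEHOLDER", "EnableDnsHostnames": {"Value": false}}'
DHCP_OPTIONS_JSON = '''{"DhcpOptions": [{"DhcpOptionsId": "dopt-PLACEHOLDER",
  "DhcpConfigurations": [
    {"Key": "domain-name", "Values": [{"Value": "ap-southeast-1.compute.internal"}]},
    {"Key": "domain-name-servers", "Values": [{"Value": "10.0.0.53"}]}]}]}'''


def attribute_value(attr_json: str, name: str) -> bool:
    """Read one boolean VPC attribute ('EnableDnsSupport' or 'EnableDnsHostnames')."""
    return bool(json.loads(attr_json)[name]["Value"])


def dhcp_values(dhcp_json: str, key: str) -> List[str]:
    """Flatten the Values list for one DHCP configuration key ([] if absent)."""
    doc = json.loads(dhcp_json)
    for opt in doc["DhcpOptions"]:
        for cfg in opt["DhcpConfigurations"]:
            if cfg["Key"] == key:
                return [v["Value"] for v in cfg["Values"]]
    return []


def audit_vpc_dns(dns_support_json: str, dns_hostnames_json: str,
                  dhcp_json: str) -> Dict[str, object]:
    """Apply the rules quoted from the AWS documentation above and report
    what will and will not resolve, plus a human-readable finding per issue."""
    support = attribute_value(dns_support_json, "EnableDnsSupport")
    hostnames = attribute_value(dns_hostnames_json, "EnableDnsHostnames")
    servers = dhcp_values(dhcp_json, "domain-name-servers")
    amazon_dns = "AmazonProvidedDNS" in servers
    findings: List[str] = []
    if not support:
        findings.append("enableDnsSupport is false: the Route 53 Resolver will not serve this VPC")
    if not hostnames:
        findings.append("enableDnsHostnames is false: no public DNS hostnames, and the "
                        "resolver cannot resolve Amazon-provided private hostnames")
    if not amazon_dns:
        findings.append(f"DHCP options set hands out custom domain-name-servers {servers}: "
                        "those servers must resolve the private hostnames themselves")
    return {
        # Both attributes true: public hostnames assigned, resolver answers private ones.
        "public_dns_hostnames": support and hostnames,
        "resolver_answers_private_hostnames": support and hostnames,
        # Instances only ask the Amazon resolver if DHCP points them at it.
        "instances_use_amazon_resolver": amazon_dns,
        "findings": findings,
    }


if __name__ == "__main__":
    # Feed it the real CLI output of your VPC in place of the samples.
    print(json.dumps(audit_vpc_dns(DNS_SUPPORT_JSON, DNS_HOSTNAMES_JSON, DHCP_OPTIONS_JSON), indent=2))
```

Run against real output, an empty findings list means the three settings match the defaults this answer asks for; anything else names the setting to change in the VPC console, after which the instance still needs a public subnet and a public or Elastic IP to get a public DNS name.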