How to connect a machine on VPN to AWS PHZ DNS? - amazon-web-services

I have an AWS VPC with a Private Hosted Zone (PHZ) set up so all machines launched within the VPC can resolve my console-defined domains, for example a1.mydomain.
I would like for on-site machines at the end of my VPN (not in VPC but connected to a VPN server machine in the VPC) to be able to resolve these PHZ domains as well.
Is this possible?

In order to resolve the PHZ, the request must come from the DNS resolver of the VPC:
Set up a DNS server on the VPN instance that forwards queries for a1.mydomain to the VPC DNS resolver, which is the third address of your VPC network (.2)
Make sure to set up the DNS server to forward other queries to a public DNS server like Google (8.8.8.8/8.8.4.4) or Cloudflare (1.1.1.1)
Set up the VPN to push its own private IP as a DNS server to users
On-premises machines connected to the VPN will be able to resolve records in the PHZ
Using bind9 + OpenVPN works quite well
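The steps in the answer above, rendered as configuration by an added script (this is not the answerer's code). It derives the VPC resolver address from the VPC CIDR (base address + 2), emits the bind9 forward zone for the private domain plus the public forwarders for everything else, and the OpenVPN server lines that push the VPN instance's own IP as the clients' DNS server. The VPC CIDR 10.0.0.0/16, the domain `mydomain`, the VPN instance address 10.0.1.10 and the VPN client subnet 10.8.0.0/24 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: generate bind9 + OpenVPN config for
# resolving a Route 53 private hosted zone from VPN clients.
# Assumed (hypothetical) values: VPC CIDR 10.0.0.0/16, private domain "mydomain",
# VPN instance private IP 10.0.1.10, OpenVPN client subnet 10.8.0.0/24.
set -eu

# Print the VPC-provided resolver: the CIDR's network address plus 2.
vpc_resolver_ip() {
  ip=${1%/*}; prefix=${1#*/}
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  r=$(( (n & mask) + 2 ))
  printf '%d.%d.%d.%d\n' $(( (r >> 24) & 255 )) $(( (r >> 16) & 255 )) \
                         $(( (r >> 8) & 255 ))  $(( r & 255 ))
}

# named.conf.local stanza: the private domain goes only to the VPC resolver,
# never to the public forwarders configured in options{}.
bind_forward_zone() {
  zone=$1; resolver=$2
  cat <<EOF
zone "$zone" {
    type forward;
    forward only;
    forwarders { $resolver; };
};
EOF
}

# options{}: recurse only for VPN clients and localhost (this box must not be an
# open resolver), and send every other name to public resolvers.
bind_options() {
  clients=$1
  cat <<EOF
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 127.0.0.1; $clients; };
    forwarders { 8.8.8.8; 8.8.4.4; 1.1.1.1; };
    forward only;
};
EOF
}

# OpenVPN server.conf lines: hand clients the VPN server's own private IP as
# their DNS server and the private domain as a search suffix.
openvpn_push_lines() {
  printf 'push "dhcp-option DNS %s"\npush "dhcp-option DOMAIN %s"\n' "$1" "$2"
}

VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}
RESOLVER=$(vpc_resolver_ip "$VPC_CIDR")   # 10.0.0.2 for the assumed CIDR
echo "# --- named.conf.local ---"
bind_options 10.8.0.0/24
bind_forward_zone mydomain "$RESOLVER"
echo "# --- server.conf additions ---"
openvpn_push_lines 10.0.1.10 mydomain
```

The instance's security group is not in the path for packets that arrive through the tunnel, but the host firewall is: allow UDP and TCP 53 from the VPN client subnet to the address you push, and keep `allow-query` scoped to that subnet so the forwarder cannot be used from elsewhere. Verify from a connected client with `dig +short a1.mydomain` followed by `dig +short @10.0.1.10 a1.mydomain`; the first proves the pushed DNS setting took effect, the second isolates the forwarder itself.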

Related

Client VPN Connection to Route 53 Private Hosted Zone

I have one privately hosted zone in my vpc using Route 53. I also have one client vpn connection to that vpc, which is functioning normally.
I want the client to get access to my website hosted using private zone in private subnet through their browser when they are connected to the VPN Client.
I have enabled "DNS Configuration" in the Client VPN settings. But my client is not able to access the hostname of the website hosted in the private hosted zone. They are able to access the website over the Client VPN connection, but only by using the IP address. I want them to access it using the hostname.
I have tried defining the DNS IP in the Client VPN settings as:
1. AWS Provided DNS (VPC CIDR + 2)
2. Route 53 inbound endpoint IPs.
Both did not work. Help me out on this.
Take a look at this guide, it might be useful for you, but as far as I understand you need to use Direct Connect or AWS VPN. Because even if your client is inside the VPC via your custom VPN, it still does not use the same DNS resolver: https://aws.amazon.com/premiumsupport/knowledge-center/route53-resolve-with-inbound-endpoint/

Access to Amazon Elasticsearch Service via Client VPN Endpoint

I'm currently learning AWS and I'm stuck. I created an Amazon Elasticsearch Service domain in my VPC, in subnet A (one of 3 default subnets). The access is available through the VPC, not from the Internet. I wanted to connect to it from my computer (to create indexes, mappings, etc.). I've read that one of the ways to do that is to connect to the VPC using a VPN.
So, I configured AWS Client VPN Endpoint using subnet A and connected from my computer (openVPN). I'm connected, I see my connection in AWS console. Connection looks ok.
I used Kibana url from AWS console: https://vpc-blablabla.eu-central-1.es.amazonaws.com/_plugin/kibana/ and there is no connection ('ERR_CONNECTION_TIMED_OUT').
The AES domain uses a security group with all inbound/outbound traffic allowed. The DNS resolves the domain from the Kibana URL properly (it's from subnet A). Should my IP in the VPN match subnet A's CIDR? Now it's completely different.
Subnet A CIDR: 172.31.0.0/20
VPN Client IPv4 CIDR: 10.5.0.0/20
VPN current IP: 10.5.0.2
Is that a cause of the problem?
Thank you @jordanm, it was caused by wrong routing on my local machine.
To indicate the network to use I had to add route:
sudo ip route add 172.31.0.0/20 via 10.5.0.2 dev tun0
Now it works perfectly.

How do I get AWS Client VPN to resolve DNS using VPC-peered Private Hosted Zone

I have a VPC in my AWS account peered to a VPC of a partners account. The partner account has Route 53 resolvers to resolve DNS within domain.com to IPs in their peered VPC.
I've associated my VPC with their private hosted zone.
Within my VPC (for example SSH into an EC2 instance), the DNS resolution for foo.bar.domain.com works great - I'm resolving & connecting to the resources in their VPC as expected.
However, when I'm running an AWS Client VPN on my personal machine, I'm unable to resolve foo.bar.domain.com to the same private IP address through the VPN. So, for example, running a development server on my machine connected to the partner VPC URLs is failing.
I've tried hosting a DNS server in the VPC with a zone forwarding rule pointing to the Route 53 IPs.
I've tried setting the VPN DNS server IP to the Route 53 IPs.
But none of that has worked. Help would be appreciated.
The answer was simpler than I thought: I just had to set the DNS server in the AWS Client VPN Endpoint settings to be the private IP address of my VPC's DNS (which is always the VPC's CIDR +2).
From the AWS docs:
If you're unsure about which IP address to specify for the DNS servers, specify the VPC DNS resolver at the .2 IP address in your VPC.
Client VPN Endpoints > Modify Client VPN Endpoint > Other optional parameters -> Enable DNS Servers -> IP Address
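An added script covering the two Client VPN threads above (the Route 53 question with the "DNS Configuration" setting, and this one) together with the routing fix from the Elasticsearch thread; it is not code from any of the posters. It builds the `aws ec2 modify-client-vpn-endpoint` call that sets the endpoint's DNS servers to the VPC resolver, and gives a client-side check that the resolver and the resolved address are both routed over the tunnel, which is what was missing in the Elasticsearch case. The endpoint ID `cvpn-endpoint-0123456789abcdef0`, the VPC CIDR 172.31.0.0/16 (resolver 172.31.0.2) and the device name `tun0` are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: point an AWS Client VPN endpoint at the
# VPC resolver (CIDR + 2) and verify from a connected client that private names
# resolve and that the answers are routed through the tunnel.
# Assumed (hypothetical) values below; override via environment variables.
set -eu

ENDPOINT_ID=${ENDPOINT_ID:-cvpn-endpoint-0123456789abcdef0}
VPC_CIDR=${VPC_CIDR:-172.31.0.0/16}
RESOLVER=${RESOLVER:-172.31.0.2}   # VPC CIDR network address + 2
TUN_DEV=${TUN_DEV:-tun0}

# The CLI call that enables custom DNS servers on the endpoint. JSON is used for
# --dns-servers because it is unambiguous (the shorthand form also works).
modify_dns_cmd() {
  endpoint=$1; resolver=$2
  printf "aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id %s --dns-servers '{\"CustomDnsServers\":[\"%s\"],\"Enabled\":true}'\n" \
    "$endpoint" "$resolver"
}

# Given the first line of `ip route get <ip>` output, e.g.
#   "172.31.0.2 via 10.5.0.1 dev tun0 src 10.5.0.2 uid 1000"
# report whether the packet would leave through DEV.
route_via_dev() {
  line=$1; dev=$2
  case " $line " in *" dev $dev "*) return 0 ;; esac
  return 1
}

# Client-side check: the resolver must be reachable over the tunnel, the name
# must get an answer from it, and the answer must also be routed over the tunnel.
# Without a route for the VPC CIDR on the client, every one of these fails even
# though the endpoint's DNS setting is correct.
check_private_name() {
  name=$1
  route_via_dev "$(ip route get "$RESOLVER" 2>/dev/null | head -n1)" "$TUN_DEV" \
    || { echo "no route to $RESOLVER via $TUN_DEV; try: ip route add $VPC_CIDR dev $TUN_DEV"; return 1; }
  answer=$(dig +short "@$RESOLVER" "$name" A | tail -n1)
  [ -n "$answer" ] || { echo "$name: no answer from $RESOLVER (VPC associated with the PHZ?)"; return 1; }
  route_via_dev "$(ip route get "$answer" 2>/dev/null | head -n1)" "$TUN_DEV" \
    || { echo "$name -> $answer, but that address is not routed via $TUN_DEV"; return 1; }
  echo "$name -> $answer via $TUN_DEV"
}

case ${1:-} in
  fix)   eval "$(modify_dns_cmd "$ENDPOINT_ID" "$RESOLVER")" ;;
  "")    modify_dns_cmd "$ENDPOINT_ID" "$RESOLVER" ;;   # just show the command
  *)     check_private_name "$1" ;;                   # e.g. foo.bar.domain.com
esac
```

Run it with no arguments to print the modify command, with `fix` to execute it, or with a hostname while connected to run the client-side check. Two caveats: on Linux with the community OpenVPN client, the DNS server pushed by the endpoint only takes effect if a resolver hook (for example `update-systemd-resolved`) applies it, and `resolvectl status tun0` shows whether it did; and the endpoint's route table and authorization rules must cover the VPC CIDR, otherwise the resolver at .2 is unreachable no matter what the DNS setting says.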

How can I connect to an RDS instance from an on-prem network using a site-to-site VPN connection

I have a site-to-site VPN connection from my on-prem network to the VPC RDS resides in. I am trying to connect to MySQL using the DNS endpoint RDS provides. I am unable to connect to the DNS endpoint, but I am able to connect using the private IP that the endpoint resolves to.
I assume that the DNS is internal to AWS and my on prem network can not resolve it.
The RDS instance is publicly accessible.
How could I connect using the DNS endpoint?
Your assumption is right, and you need to configure on-premises DNS resolution to the internal AWS DNS. I haven't done that before, but Resolving DNS Queries Between VPCs and Your Network - Amazon Route 53 can help you :-)
Also, you can just open RDS to public internet, but it's not safe (and not your case, I assume)
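The approach the answer links to, as an added example (not the answerer's code): create a Route 53 Resolver inbound endpoint in the VPC, conditionally forward the RDS domain from the on-prem resolver to it, and check that the hostname then resolves to a private address. The last check matters here because the instance is publicly accessible: outside the VPC its hostname also resolves on the public internet, to the public address, and a connection to that address does not go through the VPN. The subnet IDs, security group ID, endpoint addresses 10.0.1.10/10.0.2.10 and the RDS hostname are assumed, hypothetical values; the on-prem forwarder is written in dnsmasq syntax.

```shell
#!/bin/sh
# Added example, not from the thread: Route 53 inbound endpoint + on-prem
# conditional forwarding for an RDS hostname reached over a site-to-site VPN.
# Assumed (hypothetical) values: subnets subnet-0aaa/subnet-0bbb, security group
# sg-0ccc, endpoint IPs 10.0.1.10 and 10.0.2.10, on-prem CIDR 192.168.0.0/16.
set -eu

# 1) AWS side: one endpoint ENI per subnet. The security group must allow TCP and
#    UDP 53 from the on-prem CIDR only; the endpoint is otherwise an open window
#    into the VPC resolver for anyone who can reach it.
create_inbound_endpoint_cmd() {
  request_id=$1; sg=$2; subnet_a=$3; ip_a=$4; subnet_b=$5; ip_b=$6
  printf 'aws route53resolver create-resolver-endpoint --name onprem-inbound --direction INBOUND --creator-request-id %s --security-group-ids %s --ip-addresses SubnetId=%s,Ip=%s SubnetId=%s,Ip=%s\n' \
    "$request_id" "$sg" "$subnet_a" "$ip_a" "$subnet_b" "$ip_b"
}

# 2) On-prem side (dnsmasq): forward only the RDS domain to the endpoint
#    addresses; every other name keeps using the normal upstream.
dnsmasq_conditional_forward() {
  domain=$1; shift
  for ip in "$@"; do printf 'server=/%s/%s\n' "$domain" "$ip"; done
}

# RFC 1918 test. Resolved through the endpoint, an RDS instance in the VPC
# answers with its VPC-private address; a public address means the query went
# to public DNS and the connection would bypass the tunnel.
is_rfc1918() {
  case $1 in
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
  esac
  return 1
}

# 3) Check: ask the inbound endpoint directly and insist on a private answer.
check_rds_name() {
  name=$1; endpoint_ip=$2
  answer=$(dig +short "@$endpoint_ip" "$name" A | tail -n1)   # skip CNAME lines
  [ -n "$answer" ] || { echo "$name: no answer from $endpoint_ip"; return 1; }
  is_rfc1918 "$answer" \
    || { echo "$name -> $answer is public; the query did not use the VPC resolver"; return 1; }
  echo "$name -> $answer (private, via $endpoint_ip)"
}

create_inbound_endpoint_cmd "req-$(date +%s)" sg-0ccc subnet-0aaa 10.0.1.10 subnet-0bbb 10.0.2.10
dnsmasq_conditional_forward eu-central-1.rds.amazonaws.com 10.0.1.10 10.0.2.10
```

The on-prem resolver must have a route to 10.0.1.10 and 10.0.2.10 over the VPN (the same route that already carries the MySQL traffic), and both endpoint addresses should be listed so a single failed ENI does not take name resolution down. Run `check_rds_name mydb.abc123.eu-central-1.rds.amazonaws.com 10.0.1.10` from the on-prem resolver host once the forwarder is in place.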

Use on-prem DNS servers inside a VPC

I have a GCP VPC and it is connected to on-prem using Public Cloud Interconnect.
Traffic flow between on-prem and the VPC is OK. All routes and firewalls are configured correctly.
Now I would like to have the company DNS servers available for VMs in my VPC.
My 3 DNS servers are:
10.17.121.30 dns-01.net.company.corp
10.17.122.10 dns-02.net.company.corp
10.17.122.170 dns-03.net.company.corp
Now I have done the below config in Cloud DNS in GCP.
The DNS name is company.corp
The "In use by" refers to my VPC.
The IPs 10.17.121.30, 10.17.122.10 and 10.17.122.170 are on-prem and are accessible from the VPC over port 53.
But after having done all the above, if I try to connect to any on-prem machine using its name, I get
telnet: could not resolve example-server.corp.sap/443: No address associated with hostname
The above request is being made from a VM inside the VPC.
Which leads me to believe that my DNS servers might not be correctly configured. What have I missed here ?
If you are intending to have your VMs able to resolve hostnames within your on-premises network, then you will need to make use of DNS forwarding. You would need to configure your private zone as a forwarding zone. Once this is done you can use your forwarding zone to query on-premises servers.
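An added example for the answer above (not the answerer's code): the `gcloud` call that creates `company.corp` as a private forwarding zone pointing at the three on-prem servers from the question, plus a check of which names that zone will actually catch. The check is worth running against the failing lookup in the question: `example-server.corp.sap` is not under `company.corp`, so that name never reaches the forwarding zone and falls through to normal resolution whatever the zone's targets are. The project, the VPC name `my-vpc` and the zone name `company-corp` are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: Cloud DNS forwarding zone for on-prem
# resolution plus a coverage check for query names.
# Assumed (hypothetical) names: VPC my-vpc, managed zone company-corp. The
# target addresses are the three on-prem servers listed in the question.
set -eu

# Private forwarding zone attached to the VPC. RFC 1918 targets are reached
# through the VPC (so over the Interconnect), and Cloud DNS sends those queries
# from 35.199.192.0/19: the on-prem firewall must accept port 53 from that range
# and the on-prem network must have a route back to it, or answers never arrive.
create_forwarding_zone_cmd() {
  zone_name=$1; dns_name=$2; network=$3; targets=$4
  printf 'gcloud dns managed-zones create %s --dns-name=%s. --description="forward %s to on-prem" --visibility=private --networks=%s --forwarding-targets=%s\n' \
    "$zone_name" "$dns_name" "$dns_name" "$network" "$targets"
}

# A forwarding zone applies only to names at or below its dns-name; anything
# else follows normal resolution. Returns 0 if NAME is covered by ZONE.
name_in_zone() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=${name%.}
  zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); zone=${zone%.}
  [ "$name" = "$zone" ] && return 0
  case $name in *".$zone") return 0 ;; esac
  return 1
}

# From a VM in the VPC: confirm the name is under the zone, then ask the
# metadata resolver (169.254.169.254), which is where Cloud DNS answers.
check_from_vm() {
  name=$1; zone=$2
  name_in_zone "$name" "$zone" \
    || { echo "$name is not under $zone; the forwarding zone is never consulted"; return 1; }
  dig +short @169.254.169.254 "$name" A | grep -q . \
    || { echo "$name: no answer via Cloud DNS; check firewall/route for 35.199.192.0/19"; return 1; }
  echo "$name resolves via Cloud DNS forwarding"
}

create_forwarding_zone_cmd company-corp company.corp my-vpc \
  10.17.121.30,10.17.122.10,10.17.122.170
```

If on-prem hosts live under more than one suffix, create one forwarding zone per suffix; a zone for `company.corp` does not forward `corp.sap` or any other domain. Run `check_from_vm dns-01.net.company.corp company.corp` on a VM in the VPC after the zone exists; if the name check passes but the query still fails, the problem is the return path for 35.199.192.0/19 rather than the zone definition.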