Near the bottom of the implementation section of the Scenario 3 VPC example there's a section on DNS:
In scenario 3, you need a DNS server that enables your public subnet to communicate with servers on the Internet, and you need another DNS server that enables your VPN-only subnet to communicate with servers in your network.
Your VPC automatically has a set of DHCP options with domain-name-servers=AmazonProvidedDNS. This is a DNS server that Amazon provides to enable any public subnets in your VPC to communicate with the Internet over an Internet gateway. You must provide your own DNS server and add it to the list of DNS servers your VPC uses. Sets of DHCP options aren't modifiable, so you must create a set of DHCP options that includes both your DNS server and the Amazon DNS server, and update the VPC to use the new set of DHCP options.
Is this correct? The multiple name server addresses in the domain-name-servers option correspond to the nameserver entries that are added to /etc/resolv.conf in an EC2 instance in the VPC. According to the Linux resolv.conf man page the nameserver entries are tried in order, with the next name server queried after the current one times out:
The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.
So my understanding is that multiple nameserver entries should be used for redundancy rather than to specify different authoritative name servers.
By specifying a custom name server which holds private DNS entries for servers in the corporate network as well as the standard Amazon DNS, you could get unexpected behaviour.
For example, if the corporate network contains name servers which are authoritative for acme.com and a DNS lookup is made for a private database running on db.acme.com, the Amazon name server is likely to respond indicating that the subdomain doesn't exist, whereas the custom name server would have responded with the private IP of the database, had it been asked. Because the Amazon name server didn't time out, the custom name server was never queried.
We can almost get the behaviour we want by switching the order of the name servers, but now in the case that the custom name server fails, the Amazon resolver won't have the answer either.
This could be OK for some use cases, as it allows a service to resolve internal host names as long as the custom name server is available; if it isn't, internal lookups fail but public lookups can still succeed using Amazon DNS. However, if you also need to look up records from private hosted zones in Route 53 you'd have the opposite problem to before - a query to the custom name server would return no results when a query to Amazon may have returned successfully.
Additionally, if a host can't reach the custom name server, DNS queries will be delayed by as long as the DNS resolution timeout (1 second when I tried dig on an Amazon Linux EC2 instance). This is reasonable if the name server is unavailable, but if the instance is running in a subnet which isn't allowed access to the VPN then these lookups will always fail, so DNS will always be laggy.
This is the scenario I'm trying to find a solution for - I want to be able to run some services in a private subnet which has access to services in the corporate network and therefore needs to resolve DNS via the VPN, and other services to run in a public (or at least, "less private") subnet which doesn't have access to the VPN, and can use the Amazon DNS server instead. Currently I need to ensure that everything in the VPC can route to our name servers running in the corporate network and all DNS queries need to traverse that network, even though for many services they never need to resolve internal host names.
I'm no expert on DNS so there's a good chance I've got some terminology wrong and may well be completely misunderstanding something; if so I'd greatly appreciate it being pointed out so I can improve on how we're resolving DNS. However, I think there is some kind of inconsistency at least, as the documentation for scenario 3 seems to be the only place the idea of combining a custom name server and the Amazon name server is mentioned; all other documentation I could find around the domain-name-servers DHCP option refers to "IP addresses of up to four domain name servers, or AmazonProvidedDNS".
If the documentation is indeed wrong to suggest using custom name servers with the Amazon name servers, can you suggest a solution I could use to achieve what I'm after, please? It looks as though the Route 53 Resolver could be what I need, but I was hoping there'd be something simpler and cheaper.
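To make the ordering behaviour discussed in the post concrete, here is an added example (not part of the original post, and not AWS or glibc code) that models the resolv.conf algorithm quoted above with two constructed stand-in name servers: one that behaves like AmazonProvidedDNS (knows public names and a Route 53 private hosted zone record) and one that behaves like a corporate server authoritative for acme.com. The server names, the records and IP addresses, the 1 second timeout and the 2 attempts are all assumptions chosen to match the post; the point the model shows is that only a timeout moves the stub resolver to the next nameserver line, while NXDOMAIN is a final answer.

```python
"""Model of the resolv.conf(5) nameserver algorithm quoted in the post:
servers are tried in order, only a timeout advances to the next one, and the
whole list is retried until the attempts are used up. Everything below is a
constructed stand-in; no real resolver is contacted."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TIMEOUT_S = 1.0   # assumed: resolv.conf "options timeout:" default, matches the ~1 s seen with dig
ATTEMPTS = 2      # assumed: resolv.conf "options attempts:" default

TIMEOUT = "TIMEOUT"    # no reply at all: the only outcome that moves to the next server
NXDOMAIN = "NXDOMAIN"  # a real answer ("no such name"): the resolver stops here


@dataclass
class FakeNameServer:
    """Constructed stand-in for a DNS server: a table of names it can answer."""
    name: str
    records: Dict[str, str]
    reachable: bool = True

    def query(self, fqdn: str) -> str:
        if not self.reachable:
            return TIMEOUT
        return self.records.get(fqdn, NXDOMAIN)


def stub_resolve(fqdn: str, nameservers: List[FakeNameServer]) -> Tuple[str, float, List[str]]:
    """Returns (answer, seconds spent waiting on timeouts, servers asked in order)."""
    waited = 0.0
    asked: List[str] = []
    for _ in range(ATTEMPTS):
        for ns in nameservers:
            asked.append(ns.name)
            result = ns.query(fqdn)
            if result == TIMEOUT:
                waited += TIMEOUT_S
                continue          # timeout: try the next nameserver line
            return result, waited, asked  # any answer, NXDOMAIN included, ends the query
    return TIMEOUT, waited, asked


# Constructed data. Addresses are placeholders, not real hosts.
AMAZON_DNS = FakeNameServer("AmazonProvidedDNS", {
    "www.example.com": "203.0.113.10",     # public name, resolvable from the Amazon resolver
    "cache.vpc.internal": "10.0.2.20",     # assumed Route 53 private hosted zone record
})
CORP_DNS = FakeNameServer("corp-ns.acme.com", {
    "db.acme.com": "10.1.0.5",             # private record only the corporate server knows
})
CORP_DNS_DOWN = FakeNameServer(CORP_DNS.name, CORP_DNS.records, reachable=False)


def run_scenarios() -> Dict[str, Tuple[str, float, List[str]]]:
    """Replays the cases the post describes; keyed by nameserver order and lookup."""
    amazon_first = [AMAZON_DNS, CORP_DNS]
    corp_first = [CORP_DNS, AMAZON_DNS]
    corp_unreachable = [CORP_DNS_DOWN, AMAZON_DNS]      # subnet without VPN access
    both_unreachable = [CORP_DNS_DOWN, FakeNameServer(AMAZON_DNS.name, {}, reachable=False)]
    return {
        # Amazon first: NXDOMAIN for the private name, corporate server never asked.
        "amazon-first/db.acme.com": stub_resolve("db.acme.com", amazon_first),
        # Corporate first: private name resolves...
        "corp-first/db.acme.com": stub_resolve("db.acme.com", corp_first),
        # ...but a Route 53 private hosted zone name now gets NXDOMAIN from the corporate server.
        "corp-first/cache.vpc.internal": stub_resolve("cache.vpc.internal", corp_first),
        # Corporate server unreachable: public lookups still work, but every query waits one timeout.
        "corp-down/www.example.com": stub_resolve("www.example.com", corp_unreachable),
        "corp-down/db.acme.com": stub_resolve("db.acme.com", corp_unreachable),
        # Nothing reachable: full retry loop before giving up.
        "both-down/www.example.com": stub_resolve("www.example.com", both_unreachable),
    }


if __name__ == "__main__":
    for label, (answer, waited, asked) in run_scenarios().items():
        print(f"{label:32} -> {answer:13} after {waited:.1f}s, asked {asked}")
```

Running the block prints one line per case; the two "corp-down" lines show the constant one-second penalty the post describes for a subnet that can never reach the VPN, and the "amazon-first" and "corp-first/cache" lines show why neither ordering serves both private sources.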