AWS Internal DNS does not resolve

awsdns

I was trying to migrate an A record from a public DNS to an internal DNS in Route 53. I figured something like this would be fairly straightforward:

Remove A record for server foo.bar.net (Public DNS).
Add A record for server foo.internalbar.net (Internal DNS).
Modify Bastion host's resolv.conf to search for internalbar.net (both Bastion host and foo are in the same VPC). Only difference is that foo is part of a private subnet attached to a NATd Gateway.

After this is done, I cannot resolve foo when running host in the bastion host. I was getting:

host foo
Host foo.internalbar.net not found: 3(NXDOMAIN)

According to documentation, Route 53 would work within 60 seconds. I waited for about 10 minutes until I decided to revert the change. For what it's worth, the bastion host was a part of the public DNS. I even went as far as adding the bastion host to the internal DNS (it's private IP). Can anyone tell me what may have been the issue with me adding foo to the internal DNS server?

Best Answer

I'm going to make a couple of assumptions about your current setup:

You are using a VPC that has DNS resolution enabled. If it's not, visit your VPC dashboard and enable it for the VPC in question.
The EC2 instance in question is in the VPC above. The subnet and routes in this case are irrelevant, as long as local routing is in tact.
The Route53 hosted zone for internalbar.net is a "private hosted zone" (based on your comment about "internally" hosted DNS).
A record foo exists in the above zone.

So, now for the answer! Your DNS sever in /etc/resolv.conf should be the 2nd usable address in your VPC's CIDR block. For example, if your VPC's CIDR is 10.0.0.0/16, then the resolver would be 10.0.0.2.

Once you do that, it will resolve.

Reference for reserved VPC addresses: VPC Subnets

Related Solutions

How to reset or lower the serial used in BIND DNS server’s SOA record

"BIND's internal libraries" don't care what the serial number is. It's only agreement between the master server and slave servers that matters. In other words, BIND will happily let you decrease the serial number in a zone file without complaint.. It's just that the slaves would no longer receive updates.

Zone file serial numbers are unsigned 32-bit integers and they wrap around the largest possible 32-bit unsigned integer. So there is a way to decrease the serial number by incrementing it repeatedly until it rolls over and becomes closer to zero. There is a maximum amount by which you can increment it at a time, so you have to do this iteratively in multiple steps:

Increase the serial number by a large increment but no more than 2147483647
Wait for all of the slave servers to catch up and be up to date with the current SOA.
Repeat

You can always pick an increment such that you don't need to iterate more than twice.

Follow this HOWTO.

OpenVPN, resolvconf, and DNS domain resolution

You can set up a local caching server that will watch your /etc/resolv.conf, as it's changed by resolvconf scripts, and try get its answers from all nameservers listed there.

On many systems it'll be enough to install the dnsmasq package, in addition to resolvconf.

The defaults should "just work" provided that no-resolv and no-poll directives are absent from /etc/dnsmasq.conf and lo interface is at the top of /etc/resolvconf/interface-order. If an upstream nameserver returns some arbitrary IPs for unresolvable addresses, strict-order in dnsmasq.conf can help. Your /etc/resolv.conf should only show nameserver 127.0.0.1.

If you prefer a fixed setup or connect to multiple unrelated networks and want to avoid leaking your private network names too all nameservers you should configure dnsmasq to query specific servers based on domain:

# /etc/dnsmasq.conf

# site1 servers
nameserver=/site1.internal.domain/172.16.1.101
nameserver=/site1.internal.domain/172.16.1.102

# site2 servers
nameserver=/site2.internal.domain/192.168.1.5

# default OpenNIC (optional, unless 'no-resolv' is set). 
server=51.15.98.97
server=172.104.136.243

For more info on dnsmasq options see here: http://oss.segetech.com/intra/srv/dnsmasq.conf

Best Answer

Related Solutions

How to reset or lower the serial used in BIND DNS server’s SOA record

OpenVPN, resolvconf, and DNS domain resolution

Related Question