AWS DNS Query

Imagine you have created a virtual private cloud (VPC) in AWS that via a VPN or DirectConnect connection is an extension of your existing private network. Your VPC has no direct access to or from the Internet.

Within that VPC you have launched an RDS database instance. This is allocated an hostname in a similiar format to the following :: mydbinstancename.c9ijkuircri8.eu-west-1.rds.amazonaws.com:1433. This RDS instance is not publicly accessible.

If you connect to that hostname from within your VPC the name is resolved to an AWS internal IP and connection is successful. However if you try to connect to that hostname from the other end of your VPN connection in your private network, there is no way to resolve this to an IP address and the connection will not be initiated.

  • The IP address assigned to the AWS RDS instance can change at any time, therefore we can not create a static record in our internal DNS to resolve to this hostname.
  • This hostname is resolved within the VPC by querying the AWS internal DNS servers. But you cannot reference the AWS internal DNS servers from your internal DNS servers as conditional forwarders as you have not IP or resolvable name to reference.

That is the problem we address here. You need to be able to resolve this RDS instance hostname to an IP address using a DNS server within your VPC that is addressable by an IP address. We can use that addressable DNS server to create a conditional forwarder on your internal DNS for the relevant domain. In our case that domain is eu-west-1.rds.amazonaws.com, as this limits the scope to the service RDS and the region EU-West-1.

First we need to create an EC2 instance inside your VPC with a specified private IP address and install DNS server. You can do this manually or using a CloudFormation template. The relevant Powershell command to install DNS Server and associated management tools is: <Install-WindowsFeature -Name DNS -IncludeManagementTools>. Allow access to this DNS server over for DNS queries from your internal network.

Now configure your internal DNS servers, I’m assuming this is part of a Microsoft Windows Active Directory environmnet. Add a Conditional Forwarder to your DNS for the following;
– Domain = eu-west-1.rds.amazonaws.com
– Forward to IP address = ‘private IP address assigned to the DNS server you created in your VPC’

This should allow resolution of AWS internal hostnames for RDS database instances on your private network on the other end of a VPN or DX connection.