Overview
Amazon Route 53 Resolver now supports forwarding DNS queries to resolvers on a network you specify. Users of this service can point the DNS traffic of their Amazon VPCs (Virtual Private Clouds) at the Umbrella resolvers and apply Umbrella settings to those VPCs.
Setting Up Your Route 53 Resolver
To forward your DNS requests to the Umbrella resolvers, you'll need to add a rule to forward all of your DNS queries to your network:
- Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
- Navigate to Rule > Create Rule
- Specify "forward" as the value
- Add the root domain "." (dot) for the domain name
- Associate the rule with all of the VPCs to which you want it to apply
- Enter 208.67.222.222 and 208.67.220.220 as your Target IP Address
Note that the "dot rule" will not apply to some AWS internal domain names or to record names in private hosted zones. If you want to forward those queries to an external network or to Umbrella for any reason, you will need to set up a separate rule for each specific internal domain name. If you run into issues setting up your Route 53 Resolver, the Amazon Route 53 Developer Guide has more details.
Once your Route 53 Resolver is configured to forward DNS traffic to Umbrella, you'll need to create a Network in the Umbrella dashboard with the IP address of the AWS Outbound endpoint you configured.
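The steps above expressed as infrastructure code, as an added example that is not part of the Umbrella or AWS documentation. It assumes Terraform with the AWS provider; the subnet and VPC identifiers marked as placeholders are assumptions to replace with your own. Alongside the "." forwarding rule it includes the `amazonaws.com` SYSTEM rule that the AWS note quoted in the comments recommends, and a security group that limits the outbound endpoint to DNS towards the two Umbrella resolver addresses only.

```hcl
# Added example (not from the Umbrella or AWS documentation): the Route 53
# Resolver setup described above, as Terraform. Values written as
# <placeholder> are assumptions to be replaced with your own identifiers.

# Outbound endpoint: Resolver sends forwarded queries out through ENIs in
# these subnets. The Umbrella dashboard Network must list the public IP
# that traffic from these subnets egresses with.
resource "aws_route53_resolver_endpoint" "umbrella_outbound" {
  name      = "umbrella-outbound"
  direction = "OUTBOUND"

  security_group_ids = [aws_security_group.resolver_egress.id]

  ip_address {
    subnet_id = "<subnet-id-a>" # placeholder
  }
  ip_address {
    subnet_id = "<subnet-id-b>" # placeholder
  }
}

# Least-privilege security group: the endpoint only needs DNS (UDP and TCP
# 53) out to the two Umbrella resolvers, nothing inbound.
resource "aws_security_group" "resolver_egress" {
  name   = "resolver-egress-to-umbrella"
  vpc_id = "<vpc-id>" # placeholder

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["208.67.222.222/32", "208.67.220.220/32"]
  }
  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = ["208.67.222.222/32", "208.67.220.220/32"]
  }
}

# The "dot rule": forward every query not matched by a more specific rule
# to the Umbrella resolvers.
resource "aws_route53_resolver_rule" "forward_all_to_umbrella" {
  name                 = "forward-all-to-umbrella"
  domain_name          = "."
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.umbrella_outbound.id

  target_ip {
    ip   = "208.67.222.222"
    port = 53
  }
  target_ip {
    ip   = "208.67.220.220"
    port = 53
  }
}

# SYSTEM rule for amazonaws.com, per the AWS note quoted in the comments:
# AWS service names keep resolving locally instead of being forwarded.
resource "aws_route53_resolver_rule" "amazonaws_local" {
  name        = "amazonaws-system"
  domain_name = "amazonaws.com"
  rule_type   = "SYSTEM"
}

# Associate both rules with every VPC that should be covered.
locals {
  vpc_ids = ["<vpc-id>"] # placeholder list
}

resource "aws_route53_resolver_rule_association" "forward_all" {
  for_each         = toset(local.vpc_ids)
  resolver_rule_id = aws_route53_resolver_rule.forward_all_to_umbrella.id
  vpc_id           = each.value
}

resource "aws_route53_resolver_rule_association" "amazonaws_local" {
  for_each         = toset(local.vpc_ids)
  resolver_rule_id = aws_route53_resolver_rule.amazonaws_local.id
  vpc_id           = each.value
}
```

Internal domains that must stay on your own resolvers need their own FORWARD rule naming that domain, as the note above describes; add one `aws_route53_resolver_rule` per internal domain with its target IPs pointing at those resolvers, and associate it with the same VPCs.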
Comments
The guide MISSES a step as indicated in https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html#resolver-overview-forward-vpc-to-network-domain-name-matches
"Note
If you create a conditional forwarding rule for "." (dot) or "com", we recommend that you also create a system rule for amazonaws.com. (System rules cause Resolver to locally resolve DNS queries for specific domains and subdomains.) Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and reduces Resolver charges." It also DOES NOT BREAK YOUR VPC endpoints.
Second point, the IPs to register in Umbrella console are the public IPs of the NAT instance/gateway/service connected to the subnets where the endpoints have been created.
Note: this will forward everything to Umbrella.
The creation of the "." forwarding rule overrides all other rules.
If you have an environment where you want some domains like yourcompany.com forwarded to on-prem resolvers, this will send those requests to Umbrella.
So the setup suggested here did not work for us. We want R53 to send our internal requests to our private DNS servers, and we want R53 to send all others to Umbrella.
It seems the only way to do this is to use VAs...