How do I get AWS Client VPN to resolve DNS using VPC-peered Private Hosted Zone

I have a VPC in my AWS account peered to a VPC of a partners account. The partner account has Route 53 resolvers to resolve DNS within domain.com to IPs in their peered VPC.

I've associated my VPC with their private hosted zone.

Within my VPC (for example SSH into an EC2 instance), the DNS resolution for foo.bar.domain.com works great - I'm resolving & connecting to the resources in their VPC as expected.

However, when I'm running an AWS Client VPN on my personal machine, I'm unable to resolve foo.bar.domain.com to the same private IP address through the VPN. So, for example, running a development server on my machine connected to the partner VPC URLs is failing.

I've tried hosting a DNS server in the VPC with a zone forwarding rule pointing to the Route 53 IPs.

I've tried setting the VPN DNS server IP to the Route 53 IPs.

But none of that has worked. Help would be appreciated.

asked Aug 14 '20 02:08 by Jesse Daugherty


People also ask

How do I resolve resource records in my private hosted zone using client VPN?

To resolve the resource records, configure the custom DNS server as a forwarder to forward DNS queries for the private hosted domain to the default VPC DNS resolver. To use the custom DNS server for all resources in the VPC, be sure to configure the DHCP options accordingly.

How does DNS work with my AWS client VPN endpoint?

You can specify DNS server IP addresses when you create a new Client VPN endpoint. To do this, specify the IP addresses in the "DNS Server IP address" parameter using the AWS Management Console, the AWS CLI, or the API. You can also modify an existing Client VPN endpoint to specify DNS server IP addresses.

How does AWS DNS resolution work?

The DNS resolver for the ISP finally has the IP address that the user needs. The resolver returns that value to the web browser. The DNS resolver also caches (stores) the IP address for example.com for an amount of time that you specify so that it can respond more quickly the next time someone browses to example.com.


1 Answer

The answer was simpler than I thought: I just had to set the DNS server in the AWS Client VPN Endpoint settings to be the private IP address of my VPC's DNS (which is always the VPC's CIDR +2).

From the AWS docs:

If you're unsure about which IP address to specify for the DNS servers, specify the VPC DNS resolver at the .2 IP address in your VPC.

Client VPN Endpoints > Modify Client VPN Endpoint > Other optional parameters -> Enable DNS Servers -> IP Address

answered Sep 26 '22 17:09 by Jesse Daugherty
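The answer above boils down to one setting: point the Client VPN endpoint at the Amazon-provided resolver, which lives at the VPC's network base address plus two. The shell snippet below is an added example, not code from the poster or from AWS; it computes that address from a VPC CIDR (masking to the network first, so it is also right for prefixes other than /24) and prints the corresponding `aws ec2 modify-client-vpn-endpoint` command. The endpoint id and CIDR are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post). Computes the Amazon-provided
# VPC DNS resolver address (network base + 2) for a VPC CIDR and prints the
# AWS CLI command that sets it as the Client VPN endpoint's DNS server.
# Assumptions: cvpn-endpoint-EXAMPLE and the CIDRs below are placeholders;
# the `--dns-servers Enabled=...,CustomDnsServers=...` shorthand is the real
# CLI option for modify-client-vpn-endpoint.

# vpc_resolver_ip CIDR -> prints the ".2" address of the VPC's network base.
# The address is masked to the network first, so 10.0.5.0/22 yields 10.0.4.2,
# not 10.0.5.2 (the resolver sits at base + 2 of the whole VPC block).
vpc_resolver_ip() {
    cidr=$1
    addr=${cidr%/*}
    prefix=${cidr#*/}
    # Split the dotted quad into $1..$4 (function-local positional params).
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    resolver=$(( (n & mask) + 2 ))
    printf '%d.%d.%d.%d\n' \
        $(( (resolver >> 24) & 255 )) $(( (resolver >> 16) & 255 )) \
        $(( (resolver >> 8) & 255 ))  $(( resolver & 255 ))
}

# client_vpn_dns_command ENDPOINT_ID VPC_CIDR -> prints the CLI command that
# enables custom DNS on the endpoint and points it at the VPC resolver.
client_vpn_dns_command() {
    endpoint_id=$1
    resolver=$(vpc_resolver_ip "$2")
    printf 'aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id %s --dns-servers Enabled=true,CustomDnsServers=%s\n' \
        "$endpoint_id" "$resolver"
}

# check_private_resolution NAME RESOLVER -> exit 0 if NAME resolves to an
# RFC 1918 address via RESOLVER (run this from a connected VPN client).
check_private_resolution() {
    ip=$(dig +short @"$2" "$1" A 2>/dev/null | tail -n 1)
    case $ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage with placeholder values: prints the command to review; pipe to sh to run.
client_vpn_dns_command cvpn-endpoint-EXAMPLE 10.0.0.0/16
```

Two things to verify after applying the command: the .2 resolver only answers queries that originate inside the VPC, so the client's DNS traffic has to travel through the tunnel (an authorization rule and route covering the VPC CIDR are required, and a split-tunnel endpoint must still route that address); and `check_private_resolution foo.bar.domain.com 10.0.0.2` from a connected client is a quick confirmation that the private hosted zone, not the public one, is answering.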