Route 53 resolve endpoints

  • khawaja

    Member
    August 24, 2021 at 10:50 am

    A company is hosting its Active Directory service on AWS. Two domain controllers are running in the default configuration in one of the VPCs in AWS. The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC. This should allow the resources on the VPC to get IP addresses from the domain controllers. A VPC interface endpoint is also created to allow connection to services powered by AWS PrivateLink. However, the created Amazon EC2 instances inside the VPC are not able to resolve the private endpoint addresses of other AWS resources.

    Which of the following options should the Solutions Architect implement to resolve this issue? (Select TWO.)

    Correct answers:

    Create an Amazon Route 53 Resolver for the inbound endpoint in the VPC. Create a conditional forwarding rule to the Active Directory server for the AD domain. Set the AmazonProvidedDNS as the DHCP options set for the VPC


    Reconfigure the Active Directory servers DNS services to use the newly created VPC resolver. Forward all the non-authoritative DNS queries to the VPC resolver


    The first correct answer suggests the flow below:

    ec2 DNS query -> Route 53 resolver (since it mentions AmazonProvidedDNS as the DHCP) -> Forwards to AD domain controller. So, if route 53 is forwarding the query it would need an outbound endpoint rather than inbound.


    and if you were trying to imply that the flow is:

    ec2 DNS query -> AD domain controller -> Forwards to AD route 53 resolver.

    Then the inbound endpoint is correct but then you have to provide AD domain controller in the DHCP option set.

    Please explain.

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    August 24, 2021 at 10:59 pm

    Hello khawaja,

    Thank you for your feedback.

    We can see the difference between an Inbound endpoint and an Outbound endpoint in this AWS doc: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

    Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint

    This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.

    Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint

    To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.

    On this scenario, EC2 instances within the VPC are unable to resolve the private endpoint addresses.

    Let’s further investigate the scenario. Take this statement in the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.

    – we can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.

    Since the solutions architect is planning to use their own custom DNS server (and not AWS's), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).

    Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.

    First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.

    This situation, in essence, feels like an on-premises AD, but the instances are just inside the VPC. Therefore, we will be using an Outbound Endpoint.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
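
    As an added illustration of the rule-selection behaviour quoted above (this is example code written for this thread, not code from Tutorials Dojo or AWS): a small Python model of how Route 53 Resolver, when it is the DNS server handed out by the DHCP options set (AmazonProvidedDNS), picks the most specific matching forwarding rule and sends those queries through an outbound endpoint to the domain controllers, while everything else (such as amazonaws.com names) is resolved by Resolver itself. The rule types FORWARD and RECURSIVE are Resolver's own names; the domain controller addresses and the rule set are constructed sample values.

```python
"""Model of Route 53 Resolver forwarding-rule selection (added example, not AWS code).
Assumptions: a rule is (domain, rule_type, targets); the "." RECURSIVE rule mimics the
autodefined default; the DC addresses below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverRule:
    domain: str          # rule domain, e.g. "example.com" (applies to its subdomains too)
    rule_type: str       # "FORWARD" (sent via an outbound endpoint) or "RECURSIVE"
    targets: tuple = ()  # resolver IPs the outbound endpoint forwards to


def _labels(name: str) -> list:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def rule_matches(rule: ResolverRule, qname: str) -> bool:
    """A rule applies to its domain and every subdomain; '.' matches everything."""
    rule_labels, query_labels = _labels(rule.domain), _labels(qname)
    if len(query_labels) < len(rule_labels):
        return False
    # Compare whole labels, so "notexample.com" does not match "example.com".
    return query_labels[len(query_labels) - len(rule_labels):] == rule_labels


def select_rule(rules, qname: str):
    """Resolver chooses the matching rule with the most specific (longest) domain."""
    matching = [r for r in rules if rule_matches(r, qname)]
    return max(matching, key=lambda r: len(_labels(r.domain)), default=None)


def route_query(rules, qname: str):
    """Where a query from an EC2 instance using AmazonProvidedDNS ends up."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "RECURSIVE":
        return ("resolver", ())  # Route 53 Resolver answers it (incl. private endpoints)
    return ("outbound-endpoint", rule.targets)


# Constructed sample rule set: the two DCs are authoritative for example.com,
# a more specific rule sends acme.example.com elsewhere, "." is the default.
AD_DCS = ("10.0.1.10", "10.0.1.11")
RULES = (
    ResolverRule(".", "RECURSIVE"),
    ResolverRule("example.com", "FORWARD", AD_DCS),
    ResolverRule("acme.example.com", "FORWARD", ("10.0.2.20",)),
)
```

The model shows why the question's answer pairs the AmazonProvidedDNS DHCP setting with a conditional forwarding rule: the instance asks Resolver first, and only names under the AD domain leave through the endpoint to the domain controllers.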

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    August 24, 2021 at 11:02 pm

    Hello khawaja,

    Thank you for your feedback.

    We can see the difference between an Inbound endpoint and an Outbound endpoint in this AWS doc: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

    Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint

    This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.

    Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint

    To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.

    On this scenario, EC2 instances within the VPC are unable to resolve the private endpoint addresses.

    Let’s further investigate the scenario. Take this statement in the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.

    – we can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.

    Since the solutions architect is planning to use their own custom DNS server (and not AWS's), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).

    Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.

    First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.

    Therefore, we will be using an Inbound Endpoint.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo

  • khawaja

    Member
    August 25, 2021 at 6:38 am

    You said: “First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.”

    The correct answer says the DHCP options are set to AmazonProvidedDNS. When we set AmazonProvidedDNS as the DHCP option set, the DNS calls first go to the Route 53 resolvers and not to the AD servers.

    Can you please clarify on this point?

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    August 25, 2021 at 10:42 pm

    Hi khawaja,

    Thanks for the reply.

    All clients should just forward all DNS queries to the AD server, as should be set in their network configuration. The AD will accept all the queries and will try to resolve all DNS queries by itself. Then, if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints such as myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com, the AD server will forward any non-authoritative DNS queries to the VPC resolver.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo

  • khawaja

    Member
    August 27, 2021 at 1:39 pm

    The answer says we need to configure AmazonProvidedDNS as the DHCP option set. So all queries will go to the Route 53 DNS resolver first.

    Can you please explain why in your last comment you are saying “All clients should just forward all requests to AD servers.”

    How is that possible if we have configured AmazonProvidedDNS as the DHCP option set?

    • Kenneth-Samonte-Tutorials-Dojo

      Member
      August 31, 2021 at 11:11 pm

      Hello, Khawaja,

      This question is a custom solution, as we see the solutions architect is deploying his own AD servers.

      For this scenario, all EC2 instances will have their AD controller and DNS server setting configured on the AMI or OS level so that they will all send their DNS requests to the AD server.

      Then the AD server will try to resolve all those requests by itself. If it encounters an internal Amazon domain name, the domain controller will forward it to the Inbound resolver.

      Regards,

      Kenneth Samonte @ Tutorials Dojo
