Member, June 1, 2021 at 11:57 pm
Hi – The question mentions that “The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC”. The first correct option is: “Create an Amazon Route 53 Resolver for the inbound endpoint in the VPC. Create a conditional forwarding rule to the Active Directory server for the AD domain. Set the AmazonProvidedDNS as the DHCP options set for the VPC”. The explanation “You want to have an inbound endpoint DNS resolver to resolve domain names for internal AWS resources such as EC2 instances or records in a Route 53 private hosted zone” talks about the inbound endpoint but does not talk about why we need to resort back to the original DHCP options set for the VPC. Please help me understand what is actually happening to the DHCP options set.
Member, June 3, 2021 at 9:26 pm
Thank you for your feedback.
From this statement on the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.
– we can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.
Since the solutions architect is planning to use its custom different DNS server (and not AWS), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).
Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.
First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.
As for endpoints:
Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint – This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint – To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (tutorialsdojo.com, portal.tutorialsdojo.com), Resolver chooses the rule with the most specific match (portal.tutorialsdojo.com) and forwards the query to the IP addresses that you specified in that rule.
Thus, we need to create an inbound endpoint, not an outbound endpoint.
Thank you again.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
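As an added illustration (not part of the thread or of AWS's own code), a small Python model of the forwarding decision described in the reply above: the client hands every query to the AD DNS server, the most specific matching rule wins, and any name no rule covers falls through to the VPC resolver. The rule set, host names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

VPC_RESOLVER = "AmazonProvidedDNS"  # the VPC resolver; catch-all when no rule matches


@dataclass(frozen=True)
class ForwardRule:
    domain: str         # domain suffix the rule covers, e.g. "tutorialsdojo.com"
    targets: List[str]  # resolver IPs the matching queries are forwarded to


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def match_rule(qname: str, rules: List[ForwardRule]) -> Optional[ForwardRule]:
    """Return the rule whose domain is the longest label-suffix of qname.

    Matching is done on whole labels, so 'notutorialsdojo.com' does not match a
    rule for 'tutorialsdojo.com' even though it ends with that string.
    """
    q = _labels(qname)
    best: Optional[ForwardRule] = None
    for rule in rules:
        r = _labels(rule.domain)
        if len(r) <= len(q) and q[-len(r):] == r:
            if best is None or len(r) > len(_labels(best.domain)):
                best = rule
    return best


def forward_target(qname: str, rules: List[ForwardRule]) -> str:
    """Where the query goes: the most specific rule's first target, else the VPC resolver."""
    rule = match_rule(qname, rules)
    return rule.targets[0] if rule else VPC_RESOLVER


# Constructed rule set: the AD domain served by the two domain controllers, plus the
# two overlapping rules from the explanation above (addresses are documentation ranges).
RULES = [
    ForwardRule("corp.example.com", ["10.0.1.10", "10.0.2.10"]),
    ForwardRule("tutorialsdojo.com", ["192.0.2.53"]),
    ForwardRule("portal.tutorialsdojo.com", ["198.51.100.53"]),
]

if __name__ == "__main__":
    for q in ("dc01.corp.example.com", "portal.tutorialsdojo.com",
              "api.tutorialsdojo.com", "ec2-192-0-2-44.compute-1.amazonaws.com"):
        print(f"{q:45} -> {forward_target(q, RULES)}")
```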
Member, June 7, 2021 at 6:16 pm
Thanks Kenneth for your reply. I also raised a query on Slack that you have answered. I am still a bit confused on this. Sorry. I will continue the conversation on Slack. Thanks🙂