SAP-C01 Practice Test 2 (AWS Certified Solutions Architect Professional forum)
-
Hi – The question mentions that “The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC”. The first correct option is: “Create an Amazon Route 53 Resolver for the inbound endpoint in the VPC. Create a conditional forwarding rule to the Active Directory server for the AD domain. Set the AmazonProvidedDNS as the DHCP options set for the VPC”. The explanation “You want to have an inbound endpoint DNS resolver to resolve domain names for internal AWS resources such as EC2 instances or records in a Route 53 private hosted zone” talks about the inbound endpoint but does not talk about why we need to resort back to the original DHCP options set for the VPC. Please help me understand what is actually happening to the DHCP options set.
Regards, Solomon.
-
Hello Solomon,
Thank you for your feedback.
From this statement on the question: The Solutions Architect configured the two domain controllers as the DHCP options set associated with the VPC.
– we can conclude that the solutions architect is configuring a custom AD server / DNS server inside the VPC on AWS. Usually, when you deploy your own AD server/DHCP server, there will be two servers for redundancy.
Since the solutions architect is planning to use their own custom DNS server (and not AWS), you will not be able to resolve internal AWS domains such as names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com).
Therefore, in this scenario, all clients should just forward all DNS queries to the AD server. Then the AD server will forward any non-authoritative DNS queries to the VPC resolver.
First, the AD server will try to resolve all DNS queries by itself. Then if it encounters anything that it is not familiar with, like names for EC2 instances (ec2-192-0-2-44.compute-1.amazonaws.com) or RDS endpoints (myexampledb.a1b2c3d4wxyz.us-west-2.rds.amazonaws.com), it will send it to the R53 resolver.
As for endpoints:
Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint – This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint – To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (tutorialsdojo.com, portal.tutorialsdojo.com), Resolver chooses the rule with the most specific match (portal.tutorialsdojo.com) and forwards the query to the IP addresses that you specified in that rule.
Thus, we need to create an inbound endpoint, not an outbound endpoint.
Thank you again.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
-
Thanks Kenneth for your reply. I also raised a query on Slack that you have answered. I am still a bit confused on this. Sorry. I will continue the conversation on slack. Thanks🙂
-
I’d like to clarify this still.
You quote
“To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to.”
which is exactly what question asks for.
Besides, you can't create rules on inbound endpoints.
And I've seen this question in another practice exam and they say outbound endpoint is the right one, are you sure your test is correct?
-
Hi Nikita,
The quote that Kenneth mentioned is from the OFFICIAL AWS documentation:
To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.
Reference:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Second, you can actually add a conditional rule to your Outbound endpoint in Amazon Route 53. This is supported by none other than the official AWS docs themselves: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html#resolver-overview-forward-vpc-to-network
Regards,
Jon Bonso
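The "most specific match" behaviour that both Kenneth's and Jon's replies quote from the AWS docs is easy to get wrong when reasoning about which server actually answers a given query. The following is an added example, not code from the original thread or from AWS: it simulates how Route 53 Resolver picks a forwarding rule for a query (longest matching domain suffix, compared label by label), forwards to the rule's target IPs, and falls back to the VPC's default resolver (AmazonProvidedDNS, the VPC network range base plus two) when no rule matches. It also models the SYSTEM rule type, which AWS provides to carve a subdomain out of a broader FORWARD rule so it is resolved by the VPC resolver instead. The rule domains, the domain controller IPs (10.0.1.10, 10.0.2.10, 10.0.3.10) and the VPC resolver address 10.0.0.2 are constructed for illustration.

```python
"""Simulate Route 53 Resolver rule selection for outbound forwarding.

Assumptions (constructed for this example, not from the original page):
  - the VPC is 10.0.0.0/16, so AmazonProvidedDNS lives at 10.0.0.2
  - the AD domain controllers are at 10.0.1.10 and 10.0.2.10
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class ResolverRule:
    domain: str                      # rule domain, e.g. "example.com"
    rule_type: str                   # "FORWARD" or "SYSTEM"
    target_ips: Tuple[str, ...] = () # on-network DNS servers for FORWARD rules


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule_domain: str, qname: str) -> bool:
    """A rule matches when its labels are a label-wise suffix of the query.

    Comparing labels (not raw string suffixes) keeps "notexample.com" from
    matching a rule for "example.com".
    """
    rd, qn = _labels(rule_domain), _labels(qname)
    return len(qn) >= len(rd) and qn[-len(rd):] == rd


def select_rule(rules: List[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """Return the matching rule with the most labels (most specific), or None."""
    candidates = [r for r in rules if rule_matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def route_query(rules: List[ResolverRule], qname: str,
                vpc_resolver: str = "10.0.0.2") -> Tuple[str, Tuple[str, ...], Optional[str]]:
    """Decide where a query from an instance using AmazonProvidedDNS goes.

    Returns (action, target_ips, matched_rule_domain). Queries with no rule,
    or whose most specific rule is SYSTEM, are answered by the VPC resolver,
    which is what lets EC2/RDS names still resolve while AD names are
    forwarded to the domain controllers.
    """
    rule = select_rule(rules, qname)
    if rule is None:
        return ("VPC_RESOLVER", (vpc_resolver,), None)
    if rule.rule_type == "SYSTEM":
        return ("VPC_RESOLVER", (vpc_resolver,), rule.domain)
    return ("FORWARD", rule.target_ips, rule.domain)


# Constructed rule set: forward the AD domain to the two domain controllers,
# forward one subdomain to a different server, and let the VPC resolver keep
# ownership of aws.example.com (e.g. a Route 53 private hosted zone).
RULES = [
    ResolverRule("example.com", "FORWARD", ("10.0.1.10", "10.0.2.10")),
    ResolverRule("acme.example.com", "FORWARD", ("10.0.3.10",)),
    ResolverRule("aws.example.com", "SYSTEM"),
]


if __name__ == "__main__":
    for name in ("dc1.example.com", "app.acme.example.com",
                 "db.aws.example.com", "notexample.com",
                 "ec2-192-0-2-44.compute-1.amazonaws.com"):
        print(name, "->", route_query(RULES, name))
```

Running the block shows the two cases the thread is really about: a name under the AD domain is forwarded to the domain controllers, while an AWS-generated name such as an EC2 public DNS name matches no rule and is answered by AmazonProvidedDNS, which is why the VPC's DHCP options set has to keep handing out the Amazon resolver rather than the domain controllers for this design to work.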
-