Route 53 conditional forwarders

Lab Objective: Create two conditional forwarding rules: 1) a default rule for "." that forwards every other query to the inbound endpoints in the DNS account, and 2) a rule for amazonaws.com of type System, so that those names are resolved locally by the VPC's own Resolver instead of being forwarded.

Lab Prerequisites:
* Route 53 Resolver endpoints (inbound and outbound, created in the previous lab)
* AWS Organizations
* A dedicated DNS account (a network or shared-services account can be used)
* Access to Resource Access Manager (RAM) with permission to create a new resource share

What are Route 53 Conditional Forwarder Rules?

As per this announcement:

> Route 53 Resolver rules allow customers to conditionally forward DNS requests from your VPC to an on-premises DNS resolver.

This rule can apply to a single VPC or many VPCs. The same announcement further elaborates:

> Rules are applied directly to your Amazon VPC and can be shared across multiple accounts. These rules will allow you to forward names like “example.com” across AWS Direct Connect and AWS Managed VPN so that it can resolve DNS names that are served from your data center.

The rules combined with the endpoints can accept DNS queries from on-premises as well:

> Conversely, you can create a Route 53 Resolver endpoint that serves as a forwarding target for your on-premises DNS server. This way workloads in your data center can resolve DNS names from services such as Route 53 Private DNS, AWS Private Link, Amazon Elastic File System, AWS Active Directory Service, and more.

Step-by-step guide

1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. In the navigation pane, choose Rules.
3. On the navigation bar, choose the Region where you want to create the rule.
4. Choose Create rule.
5. Specify these values:

Name: amazon-aws
Rule type: System
Domain name: amazonaws.com (the rule also covers every subdomain, for example s3.us-east-1.amazonaws.com)
VPCs that use this rule: list and select the VPC(s) that will use this rule. For the lab, select all VPCs that have been created.

Once all values are filled out, the screen should look like this (see the screenshot). Click Submit.

With this rule in place, queries for amazonaws.com and all of its subdomains are answered by the VPC's own Route 53 Resolver (the Amazon-provided DNS at the VPC CIDR base address + 2) and are never forwarded. Resolver applies the rule with the most specific, i.e. longest-matching, domain name, so this rule takes precedence over the catch-all forwarding rule created next. This matters for two reasons. First, resources such as ELBs have IP addresses that change underneath, and those names should always be resolved fresh by the local Resolver. Second, interface VPC endpoints publish private DNS names that resolve to elastic network interface addresses inside the querying VPC; if those queries were forwarded to the inbound endpoints in the DNS account, the answer would reflect that account's VPC (its own endpoint addresses, or the service's public addresses if it has no endpoint) rather than the local VPC's, and traffic meant for a private endpoint could end up on a different path.

We need to create another rule to handle all other domains:

1. In the navigation pane, choose Rules.
2. On the navigation bar, choose the Region where you want to create the rule.
3. Choose Create rule.
4. Specify these values:

Name: default-resolution
Rule type: Forward
Domain name: . (the DNS root, so this rule matches every query that is not covered by a more specific rule such as the amazonaws.com rule above)
VPCs that use this rule: list and select VPC(s) that will use this rule.  For the lab, select all VPCs that have been created.
Outbound endpoint: Click on the drop down list and choose the outbound endpoint created in the previous lab
Target IP addresses: Type in the IP addresses of the inbound endpoint(s) created in the previous lab, one entry per address, on port 53

Click Submit
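To make the precedence between the two rules concrete, the following model reproduces how Resolver chooses a rule for a query name: the rule whose domain name is the longest suffix match on whole labels wins, so amazonaws.com names go to the System rule and everything else falls through to the "." forwarding rule. This is an added example, not code from the lab or from AWS; the target IPs, the VPC endpoint hostname and the corporate hostnames in it are placeholders, and Resolver's autodefined rules are not modelled.

```python
"""Rule-selection model for the two Resolver rules in this lab.

Added example, not code from the lab or from AWS: it reproduces the documented
behaviour that Resolver applies the rule whose domain name is the longest
(label-boundary) suffix match for the query name. Autodefined rules are
ignored, and the target IPs and hostnames are placeholders.
"""

SYSTEM_RULE = {"name": "amazon-aws", "type": "SYSTEM", "domain": "amazonaws.com"}
FORWARD_RULE = {
    "name": "default-resolution",
    "type": "FORWARD",
    "domain": ".",
    "targets": ["10.0.0.10", "10.0.1.10"],  # placeholder inbound endpoint IPs
}
LAB_RULES = [SYSTEM_RULE, FORWARD_RULE]


def _labels(name):
    """Lower-cased labels of a DNS name, root-first ('.' and '' give [])."""
    name = name.strip().rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def select_rule(rules, qname):
    """Return the rule Resolver would apply to qname: the matching rule with
    the most labels. Matching is on whole labels, so 'notamazonaws.com' does
    not match the amazonaws.com rule. None means no rule matches."""
    q = _labels(qname)
    best, best_len = None, -1
    for rule in rules:
        d = _labels(rule["domain"])
        if q[: len(d)] == d and len(d) > best_len:
            best, best_len = rule, len(d)
    return best


def resolution_path(rules, qname):
    """Describe where the answer comes from. With no matching rule the VPC's
    own Resolver answers recursively, which is also what a SYSTEM rule does."""
    rule = select_rule(rules, qname)
    if rule is None or rule["type"] == "SYSTEM":
        return "local"  # answered by the VPC's Amazon-provided Resolver
    return "forward:" + ",".join(rule["targets"])


if __name__ == "__main__":
    names = [
        "vpce-0123456789abcdef0-abcd1234.s3.us-east-1.vpce.amazonaws.com",  # placeholder
        "db.corp.example.com",  # placeholder on-premises name
        "notamazonaws.com",     # looks similar, but is not under amazonaws.com
    ]
    for rule_set, label in ((LAB_RULES, "both rules"), ([FORWARD_RULE], "'.' rule only")):
        for n in names:
            print(f"{label:15} {n:68} -> {resolution_path(rule_set, n)}")
```

Running it shows the failure mode the lab guards against: with only the "." rule, the VPC endpoint name is forwarded to the DNS account's inbound endpoint; with both rules, it stays local while the corporate name is still forwarded.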

Share the rules via Resource Access Manager:

1. Sign in to the AWS Management Console and open the Resource Access Manager console at https://console.aws.amazon.com/ram/.
2. Click “Create resource share” and specify these values:

Name: Route 53 rule share
Resources: click on the drop down list and select "Resolver Rules" then select the two rules created above
Principals: Add your organization as the principal by typing in the AWS Organizations ID (it starts with o-). If it is not known, go to the AWS Organizations console to retrieve it. Sharing with an organization requires that sharing with AWS Organizations has been enabled in RAM from the management account. "Allow external accounts" is only needed to share with accounts outside your organization; leave it unchecked so the rules cannot be shared beyond the organization.

Click Create resource share.

Sharing makes the two rules visible in every member account, but it does not apply them anywhere: each member account must still associate the shared rules with its own VPCs before they take effect.
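The same procedure, rule creation, VPC association and the RAM share, as an added boto3 example rather than code from the lab or from AWS. It uses the route53resolver CreateResolverRule and AssociateResolverRule calls and the RAM CreateResourceShare call; every endpoint ID, IP address, VPC ID and organization ARN in it is a placeholder to be replaced with values from your own DNS account.

```python
"""Provision and share the two lab rules with boto3.

Added example, not code from the lab or from AWS. It uses the documented
route53resolver CreateResolverRule / AssociateResolverRule and RAM
CreateResourceShare calls; every ID, IP and ARN below is a placeholder that
must be replaced with the values from your own account.
"""
import uuid

OUTBOUND_ENDPOINT_ID = "rslvr-out-0123456789abcdef0"                         # placeholder
INBOUND_ENDPOINT_IPS = ["10.0.0.10", "10.0.1.10"]                              # placeholder
VPC_IDS = ["vpc-0123456789abcdef0", "vpc-0fedcba9876543210"]                   # placeholder
ORG_ARN = "arn:aws:organizations::111122223333:organization/o-exampleorgid"  # placeholder


def resolver_rule_params(name, rule_type, domain, outbound_endpoint_id=None, target_ips=()):
    """Build the CreateResolverRule request and enforce the shape each type needs:
    a SYSTEM rule has no targets (the VPC's own Resolver answers), a FORWARD rule
    needs the outbound endpoint and at least one target IP on port 53."""
    params = {
        "CreatorRequestId": str(uuid.uuid4()),  # idempotency token required by the API
        "Name": name,
        "RuleType": rule_type,
        "DomainName": domain,
    }
    if rule_type == "FORWARD":
        if not outbound_endpoint_id or not target_ips:
            raise ValueError("FORWARD rules need an outbound endpoint and target IPs")
        params["ResolverEndpointId"] = outbound_endpoint_id
        params["TargetIps"] = [{"Ip": ip, "Port": 53} for ip in target_ips]
    elif rule_type == "SYSTEM":
        if outbound_endpoint_id or target_ips:
            raise ValueError("SYSTEM rules must not carry targets: they keep resolution local")
    else:
        raise ValueError(f"unsupported rule type {rule_type!r}")
    return params


def create_lab_rules(r53r, vpc_ids, outbound_endpoint_id, inbound_ips):
    """Create the amazonaws.com SYSTEM rule and the '.' FORWARD rule, associate
    each with every VPC, and return the rule ARNs in that order."""
    specs = [
        ("amazon-aws", "SYSTEM", "amazonaws.com", None, ()),
        ("default-resolution", "FORWARD", ".", outbound_endpoint_id, tuple(inbound_ips)),
    ]
    arns = []
    for name, rule_type, domain, endpoint_id, ips in specs:
        rule = r53r.create_resolver_rule(
            **resolver_rule_params(name, rule_type, domain, endpoint_id, ips)
        )["ResolverRule"]
        for vpc_id in vpc_ids:
            r53r.associate_resolver_rule(
                ResolverRuleId=rule["Id"], Name=f"{name}-{vpc_id}", VPCId=vpc_id
            )
        arns.append(rule["Arn"])
    return arns


def share_rules(ram, rule_arns, org_arn):
    """Share the rules with the whole organization. allowExternalPrincipals stays
    False so the share can never be extended to accounts outside the org."""
    resp = ram.create_resource_share(
        name="Route 53 rule share",
        resourceArns=list(rule_arns),
        principals=[org_arn],
        allowExternalPrincipals=False,
    )
    return resp["resourceShare"]["resourceShareArn"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be exercised without it

    session = boto3.Session()  # run from the dedicated DNS account, in the endpoints' Region
    arns = create_lab_rules(
        session.client("route53resolver"), VPC_IDS, OUTBOUND_ENDPOINT_ID, INBOUND_ENDPOINT_IPS
    )
    print("rules:", arns)
    print("share:", share_rules(session.client("ram"), arns, ORG_ARN))
```

The clients are passed in rather than created inside the helpers so the request shapes can be checked against recording stand-ins before anything touches a real account; the CreatorRequestId makes a re-run after a partial failure safe, because Resolver treats a repeated token as the same request.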

For testing and validation, turn to the next lab