Connecting multiple aws regions/VPC-s with a DNS forwarder

Tags: amazon-web-services, bind, domain-name-system

I made a DNS forwarder with BIND on my AWS infrastructure, because we wanted internal DNS resolution that only works when the developers are on the OpenVPN connection (the internal DNS entries from Route 53).

Basically what I did was configure the BIND server to forward queries to the internal VPC DNS server (that's allocated at the +2 IP address), and I also configured the OpenVPN server to push that configuration to the local machines.

What I don't get is how that BIND DNS forwarder would be configured for multiple VPCs and other AWS regions. For example, how do I configure my VPCs that are in the Frankfurt area to use my BIND server that's in a specific VPC in that area for internal DNS resolving? I don't think it will just magically work together 🙂

I used this blog post as a guide, but I want to use this for all the VPCs (EC2 instances) that are in my specific AWS region.

All the examples I've seen have just one VPC in question, like this example from AWS.

The net effect I'm looking for is that I can use private Route 53 DNS entries on my local machine when I'm using the VPN, and also that the EC2 instances (in different VPCs) in my AWS region can find each other using just the private Route 53 DNS entries (so that I can avoid using IP addresses in my applications).

Thanks,
Tom

Best Answer

Hybrid DNS solutions are complicated when using services in AWS. This is one weakness with AWS.

Note: All of your VPCs should have non-overlapping CIDR blocks.

If your VPCs are in the same region:

This is the simplest case. Peer your VPCs together and enable DNS resolution support for the peered VPCs. Your current DNS forwarder will now work within these VPCs.

DNS Resolution Support for a VPC Peering Connection

If your VPCs are in different regions:

You can still peer your VPCs, but the Amazon DNS servers at x.2 in each region will not be talking to each other. You will need to set up a forwarder in each region and then connect using OpenVPN to that region. Option: set up a conditional forwarder with details on each region's DNS forwarder.

Route 53

You could also just use Route 53 with private zones. Add each VPC to your private zone. Provided that you do not have overlapping CIDR blocks for each VPC, you will be able to use unique private IP addresses across your VPCs.

Note: VPCs do not support transitive routing. This means that the VPC with your OpenVPN server will need a direct peering connection to each VPC that you want to route to. Otherwise you could set up an OpenVPN server in each region and then connect to that region each time you want to manage systems local to that region. Each region will need its own DNS forwarder.
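The answer above boils down to three things: check that no two VPC CIDRs overlap before peering, compute each VPC's Amazon-provided resolver at the +2 address, and give the BIND box in each region a conditional forwarder for the other regions' private zones. The following Python script is an added example that ties those steps together; it is not code from the question, the answer, or AWS. The region names, VPC CIDRs, zone names and forwarder addresses in it are constructed for illustration, and it only generates a named.conf fragment for review rather than deploying anything.

```python
"""
Added example: turn a per-region inventory of VPCs and private Route 53 zones
into a BIND conditional-forwarder configuration, after checking that no two
VPC CIDRs overlap. All names, CIDRs and addresses are constructed sample data.
"""
import ipaddress
import itertools
from typing import Dict, Iterable, List, Tuple

# Constructed inventory. Each region runs its own BIND forwarder (the answer
# above: "Each region will need its own DNS forwarder") and has private
# Route 53 zones that only resolve from inside that region's VPCs.
REGION_VPCS: Dict[str, List[str]] = {
    "eu-central-1": ["10.10.0.0/16", "10.11.0.0/16"],
    "eu-west-1": ["10.20.0.0/16"],
}
REGION_ZONES: Dict[str, List[str]] = {
    "eu-central-1": ["fra.internal.example"],
    "eu-west-1": ["dub.internal.example"],
}
# Hypothetical private address of the BIND forwarder in each region.
REGION_FORWARDERS: Dict[str, str] = {
    "eu-central-1": "10.10.0.53",
    "eu-west-1": "10.20.0.53",
}


def amazon_dns_address(vpc_cidr: str) -> str:
    """The Amazon-provided resolver of a VPC is the VPC network address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.prefixlen > 28:  # AWS only allows /16 .. /28 for a VPC
        raise ValueError(f"{vpc_cidr}: VPC prefix must be between /16 and /28")
    return str(net.network_address + 2)


def find_overlaps(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Every pair of overlapping CIDRs; an empty list means the VPCs can be peered."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for a, b in itertools.combinations(nets, 2) if a.overlaps(b)]


def build_forwarders(local_region: str, local_vpc_cidr: str,
                     region_zones: Dict[str, List[str]],
                     region_forwarders: Dict[str, str]) -> Dict[str, str]:
    """Map each private zone to the resolver this region's BIND forwards it to.

    Local-region zones go to the VPC's own +2 resolver (Route 53 answers
    private-zone queries only from inside an associated VPC); other regions'
    zones go to that region's BIND forwarder across the inter-region peering.
    """
    forwarders: Dict[str, str] = {}
    for region, zones in region_zones.items():
        if region == local_region:
            target = amazon_dns_address(local_vpc_cidr)
        else:
            target = region_forwarders[region]
        for zone in zones:
            forwarders[zone] = target
    return forwarders


def render_named_conf(allowed_cidrs: Iterable[str], forwarders: Dict[str, str]) -> str:
    """named.conf fragment: recursion restricted to VPC/VPN clients, one forward zone per private zone."""
    acl = " ".join(f"{c};" for c in allowed_cidrs)
    options = (
        "options {\n"
        "    recursion yes;\n"
        f"    allow-query {{ {acl} }};\n"
        f"    allow-recursion {{ {acl} }};\n"  # never an open resolver, even on a private IP
        "};"
    )
    zones = [
        f'zone "{zone}" {{\n'
        "    type forward;\n"
        "    forward only;\n"  # do not fall back to root hints for private names
        f"    forwarders {{ {resolver}; }};\n"
        "};"
        for zone, resolver in sorted(forwarders.items())
    ]
    return "\n\n".join([options, *zones])


def named_conf_for_region(region: str, local_vpc_cidr: str, vpn_cidr: str) -> str:
    """Config for the BIND forwarder in `region`, refusing to proceed on overlapping VPC CIDRs."""
    all_cidrs = [c for cidrs in REGION_VPCS.values() for c in cidrs]
    overlaps = find_overlaps(all_cidrs)
    if overlaps:
        raise ValueError(f"overlapping VPC CIDRs, fix before peering: {overlaps}")
    fwd = build_forwarders(region, local_vpc_cidr, REGION_ZONES, REGION_FORWARDERS)
    return render_named_conf([*all_cidrs, vpn_cidr], fwd)


if __name__ == "__main__":
    # Fragment for the forwarder in the first Frankfurt VPC; 172.16.0.0/22 is the assumed OpenVPN client pool.
    print(named_conf_for_region("eu-central-1", "10.10.0.0/16", "172.16.0.0/22"))
```

Run it for each region with that region's own VPC CIDR and the resulting fragment points the local private zone at the +2 resolver and every other region's zone at that region's BIND host. The `allow-query`/`allow-recursion` lists matter: the forwarder is reachable from every peered VPC and from the VPN pool, and nothing else should be able to recurse through it. The remote forwarder must list your CIDRs the same way, or cross-region lookups will be refused.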
