VPC DNS
In this, we will learn about VPC DNS.
- DNS resolves names used on Internet to their corresponding IP addresses.
- DNS hostname is a name that uniquely and absolutely names a computer. Morever, this is composed of a host name and a domain name.
- DNS servers resolve DNS hostnames to their corresponding IP addresses.
- Public IPv4 addresses enable communication over Internet
- private IPv4 addresses enable communication within network of instance (EC2-Classic or VPC).
- two kinds of subnets in AWS VPC
- public subnet – attached to an Internet Gateway. adds a routing table entry to subnet’s routing table sending all Internet traffic to an Internet Gateway.
- private subnet – if traffic from subnet destined for Internet is sent to either a NAT instance, or a AWS managed NAT device
- EC2 instance running in either subnet can choose to have a public IP address or not.
- Once you give instance a public IP address, it becomes “reachable” from Internet (or ingress) and of course can reach “Internet” resources from instance (or egress).
- During instance launch into default VPC, instance is given public and private DNS hostnames for public IPv4 and private IPv4 addresses for instance.
- If launched in non-default VPC, private and public DNS hostname given as per DNS attributes for VPC
- AWS provided private (internal) DNS hostname resolves to private IPv4 address of instance
- Private DNS hostname for communication between instances in same network can also be used but can’t resolve DNS hostname outside network that instance is in.
- Public DNS hostname is resolved to public IPv4 address of instance outside network of instance, and to private IPv4 address of instance from within network of instance.
- No DNS hostnames for IPv6 addresses.
DNS Support VPC
VPC has attributes for instances launched, on
- whether they receive public DNS hostnames corresponding to their public IP addresses
- whether DNS resolution through Amazon DNS server is supported for VPC.
| Attribute | Description |
| enableDnsHostnames | Indicates whether instances with public IP addresses get corresponding public DNS hostnames. If this attribute is true, instances in VPC get public DNS hostnames, but only if enableDnsSupport attribute is also set to true. |
| enableDnsSupport | Indicates whether DNS resolution is supported. If this attribute is false, Amazon-provided DNS server that resolves public DNS hostnames to IP addresses is not enabled. If this attribute is true, queries to Amazon provided DNS server at 169.254.169.253 IP address, or reserved IP address at base of VPC IPv4 network range plus two will succeed. |
With both attributes as true,
- Instances with a public IP address receive corresponding public DNS hostnames.
- Amazon-provided DNS server can resolve Amazon-provided private DNS hostnames.
If either or both of attributes is set to false
- Instances with a public IP address do not receive corresponding public DNS hostnames.
- Amazon-provided DNS server cannot resolve Amazon-provided private DNS hostnames.
- Instances receive custom private DNS hostnames if there is a custom domain name in DHCP options set. If you are not using Amazon-provided DNS server, custom domain name servers must resolve hostname as appropriate.
- By default, both attributes are set to true in a default VPC or a VPC created by VPC wizard.
- By default, only enableDnsSupport attribute is set to true in a VPC created any other way.
- If you use custom DNS domain names defined in a private hosted zone in Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set enableDnsHostnames and enableDnsSupport attributes to true.
DNS Limits
- EC2 instance number of packets sent to Amazon-provided DNS server, is maximum of 1024 packets per second per network interface.
- This limit cannot be increased.
- number of DNS queries per second supported by
Amazon-provided DNS server varies by
- type of query
- size of response
- protocol in use.
Simple AD flow of DNS queries originating from within the VPC.
