Forwarding DNS queries to AWS VPC resolvers

Late last year AWS launched Private DNS within Amazon VPC as part of their Route 53 service. This allows customers to create DNS entries that are only visible within a VPC (or group of VPCs). It’s also possible to have ‘split horizon’ DNS where servers inside a VPC get different answers to the same queries versus users on the public Internet.


The DNS resolver for a VPC is always at the +2 address (the base of the VPC network range plus two), so if the VPC is 172.31.0.0/16 then the DNS server will be at 172.31.0.2. Amazon and the major OS distros do a good job of folding that knowledge into VM images, so pretty much everything just works with that DNS, which will resolve any private zones in Route 53 and also resolve names for public resources on the Internet (much like an ISP’s DNS does for home/office connections).

There are a few use cases for using the VPC DNS from outside of the VPC, particularly when connecting things into a VPC using a VPN. Here’s where things get a little tricky, as the VPC DNS is set up in such a way that it won’t answer queries from outside its own network.

The answer is to run a DNS forwarder within the VPC, and connect to the VPC DNS through that. DigitalOcean provide a good how-to guide on configuring BIND on Ubuntu to do the job.
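As an added example (not from the guide mentioned above), this Python sketch derives the +2 resolver address from the VPC CIDR and generates a BIND options fragment that forwards to it while answering only listed client networks, so the forwarder does not become an open resolver. The ACL name `vpn-clients`, the 10.8.0.0/24 client range and the restriction to RFC 1918 client ranges are assumptions; the fragment is meant to be merged into an existing `options` block.

```python
import ipaddress

# RFC 1918 private ranges; this example assumes VPN-side clients live in one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_resolver(vpc_cidr):
    """Return the VPC DNS resolver address: base of the VPC range plus two."""
    net = ipaddress.IPv4Network(vpc_cidr, strict=True)  # rejects host bits, e.g. 172.31.0.5/16
    return str(net.network_address + 2)


def forwarder_config(vpc_cidr, client_cidrs):
    """Build a BIND fragment that forwards to the VPC resolver for listed clients only."""
    clients = []
    for cidr in client_cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if not any(net.subnet_of(r) for r in RFC1918):
            raise ValueError(f"{cidr} is not a private range; refusing to build an open resolver")
        clients.append(str(net))
    if not clients:
        raise ValueError("at least one client network is required")
    acl = "".join(f"    {c};\n" for c in clients)
    return (
        'acl "vpn-clients" {\n' + acl + "};\n"
        "options {\n"
        "    recursion yes;\n"
        '    allow-query { localhost; "vpn-clients"; };\n'
        '    allow-recursion { localhost; "vpn-clients"; };\n'
        f"    forwarders {{ {vpc_resolver(vpc_cidr)}; }};\n"
        "    forward only;\n"
        "};\n"
    )


if __name__ == "__main__":
    # 172.31.0.0/16 is the VPC from the text; 10.8.0.0/24 is a constructed VPN client range.
    print(forwarder_config("172.31.0.0/16", ["10.8.0.0/24"]))
```

Checking the generated file with `named-checkconf` before reloading BIND catches syntax errors introduced when merging the fragment.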

If you’re using our VNS3 to provide the VPN connection then DNS forwarding can be handled by a container. We provide instructions and a download on GitHub.

By: Chris Swan