Reputation: 581
How do I get AWS Client VPN to resolve DNS using VPC-peered Private Hosted Zone
I have a VPC in my AWS account peered to a VPC of a partners account. The partner account has Route 53 resolvers to resolve DNS within domain.com to IPs in their peered VPC.
I've associated my VPC with their private hosted zone.
Within my VPC (for example SSH into an EC2 instance), the DNS resolution for foo.bar.domain.com works great - I'm resolving & connecting to the resources in their VPC as expected.
However, when I'm running and AWS client VPN on my personal machine, I'm unable to resolve the foo.bar.domain.com to the same private IP address through the VPN. So, for example, running a development server on my machine connected to the partner VPC URLs is failing.
I've tried hosting a DNS server in the VPC with a zone forwarding rule pointing to the Route 53 IPs.
I've tried setting the VPN DNS server IP to the Route 53 IPs.
But none of that has worked. Help would be appreciated?
Upvotes: 20
Views: 19750
Answers (4)
Reputation: 63
AWS Client VPN DNS resolution may fail if you're using federated authentication and the signing certificate on your Identity Provider (IdP) has expired.
Upvotes: 0
Reputation: 1104
I have spent a lot of time on this. My case was actually different. I had multiple Private Hosted Zones and VPN Client Endpoint. However, one of the hosted zones had the top level domain as local, which created problem.
When I have tested the second private hosted zone with the dig command, everything seems to be working. Keep in mind for not creating the TLD as local.
Just adding the +2 address to the DNS is solving the problem!
Upvotes: 0
Reputation: 31
I spent a day on this, added the +2, tried wide open rules/NACLS etc., and still could not get DNS to resolve locally. For me, the reason was that my local IP range (on my LAN from Xfinity) used the 10.0.0.0/16 cidr block that I was also using for my VPC. So the 10.0.0.2 DNS server worked fine in the VPC, but just not from my local device when connected to the VPN. There may be a better resolution for this, but I changed my VPC Cidr to 10.200.0.0/16, my DNS server on the VPN endpoint to 10.200.0.2 and voila, local DNS resolution.
Upvotes: 3
Reputation: 581
The answer was simpler than I thought: I just had to set the DNS server in the AWS Client VPN Endpoint settings to be the private IP address of my VPC's DNS (which is always the VPC's CIDR +2).
From the AWS docs:
If you're unsure about which IP address to specify for the DNS servers, specify the VPC DNS resolver at the .2 IP address in your VPC.
Upvotes: 38
Related Questions
- AWS Client VPN DNS Resolution for RDS
- Custom DNS server on AWS
- AWS VPN Client Endpoint DNS resolution timeout with openVPN
- Cannot reach my route 53 private hosted zone from a ec2 instance
- DNS resolution in aws from EC2
- DNS names within VPN VPC
- How to connect a machine on VPN to AWS PHZ DNS?
- Unable to resolve Private Hosted Zone in VPC
- Will Route53 private hosted zone work over AWS VPC Peering
- Route53 DNS name from private VPC EC2 DNS name