Jesse Daugherty

Reputation: 581

How do I get AWS Client VPN to resolve DNS using VPC-peered Private Hosted Zone

I have a VPC in my AWS account peered to a VPC in a partner's account. The partner account has Route 53 resolvers to resolve DNS within domain.com to IPs in their peered VPC.

I've associated my VPC with their private hosted zone.

Within my VPC (for example SSH into an EC2 instance), the DNS resolution for foo.bar.domain.com works great - I'm resolving & connecting to the resources in their VPC as expected.

However, when I'm running an AWS Client VPN on my personal machine, I'm unable to resolve foo.bar.domain.com to the same private IP address through the VPN. So, for example, running a development server on my machine that connects to the partner VPC URLs is failing.

I've tried hosting a DNS server in the VPC with a zone forwarding rule pointing to the Route 53 IPs.

I've tried setting the VPN DNS server IP to the Route 53 IPs.

But none of that has worked. Help would be appreciated.

Upvotes: 20

Views: 19750

Answers (4)

Venki Vijay

Reputation: 63

AWS Client VPN DNS resolution may fail if you're using federated authentication and the signing certificate on your Identity Provider (IdP) has expired.

Upvotes: 0

Hubert Bratek

Reputation: 1104

I have spent a lot of time on this. My case was actually different. I had multiple Private Hosted Zones and a VPN Client Endpoint. However, one of the hosted zones had local as its top-level domain, which created a problem.

When I tested the second private hosted zone with the dig command, everything seemed to be working. Keep in mind not to create the TLD as local.

Just adding the +2 address to the DNS solves the problem!

Upvotes: 0

Chris Spence

Reputation: 31

I spent a day on this, added the +2, tried wide-open rules/NACLs, etc., and still could not get DNS to resolve locally. For me, the reason was that my local IP range (on my LAN from Xfinity) used the 10.0.0.0/16 CIDR block that I was also using for my VPC. So the 10.0.0.2 DNS server worked fine in the VPC, but just not from my local device when connected to the VPN. There may be a better resolution for this, but I changed my VPC CIDR to 10.200.0.0/16 and my DNS server on the VPN endpoint to 10.200.0.2, and voila, local DNS resolution.

Upvotes: 3

Jesse Daugherty

Reputation: 581

The answer was simpler than I thought: I just had to set the DNS server in the AWS Client VPN Endpoint settings to be the private IP address of my VPC's DNS (which is always the VPC's CIDR +2).

From the AWS docs:

If you're unsure about which IP address to specify for the DNS servers, specify the VPC DNS resolver at the .2 IP address in your VPC.

Client VPN Endpoints > Modify Client VPN Endpoint > Other optional parameters > Enable DNS Servers > IP Address

Upvotes: 38
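As an added example (not from the question or any answer above), a small Python script that computes the VPC resolver address from a VPC CIDR as the accepted answer describes, flags the LAN/VPC overlap Chris Spence hit and the local TLD Hubert Bratek warns about, and prints the equivalent AWS CLI command. The endpoint id and sample CIDRs are constructed placeholders, and the `--dns-servers` shorthand form is assumed from the CLI reference rather than taken from this page.

```python
import ipaddress


def vpc_resolver_address(vpc_cidr: str) -> str:
    """Return the Amazon-provided DNS resolver for a VPC: the VPC CIDR base address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def overlapping_local_networks(vpc_cidr: str, local_cidrs: list[str]) -> list[str]:
    """Return the local (LAN) networks that overlap the VPC CIDR.

    Any overlap means the client's own LAN route, not the VPN tunnel, carries
    traffic to the .2 resolver, so queries never reach the VPC (the failure mode
    in the answer that re-addressed the VPC to 10.200.0.0/16)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [c for c in local_cidrs if ipaddress.ip_network(c, strict=False).overlaps(vpc)]


def zone_uses_local_tld(zone_name: str) -> bool:
    """True if a private hosted zone name ends in the 'local' TLD, which one answer
    reports as breaking resolution through the Client VPN."""
    return zone_name.rstrip(".").lower().split(".")[-1] == "local"


def modify_endpoint_command(endpoint_id: str, vpc_cidr: str) -> str:
    """Build the AWS CLI command that points the Client VPN endpoint at the VPC resolver.
    The endpoint id is a placeholder; the --dns-servers shorthand is assumed from the
    CLI reference, so check it against the current docs before running."""
    resolver = vpc_resolver_address(vpc_cidr)
    return ("aws ec2 modify-client-vpn-endpoint "
            f"--client-vpn-endpoint-id {endpoint_id} "
            f"--dns-servers CustomDnsServers={resolver},Enabled=true")


if __name__ == "__main__":
    # Constructed sample values: a VPC CIDR, the client's LAN CIDRs and two zone names.
    vpc_cidr = "10.0.0.0/16"
    lan_cidrs = ["10.0.0.0/16", "192.168.1.0/24"]
    clash = overlapping_local_networks(vpc_cidr, lan_cidrs)
    if clash:
        print(f"VPC {vpc_cidr} overlaps local network(s) {clash}; "
              "re-address the VPC (e.g. 10.200.0.0/16) before relying on the .2 resolver")
    for zone in ("corp.example.local", "bar.domain.com"):
        if zone_uses_local_tld(zone):
            print(f"zone {zone} uses the local TLD; pick another TLD")
    print(modify_endpoint_command("cvpn-endpoint-PLACEHOLDER", "10.200.0.0/16"))
```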
