AWS Networking & Content Delivery

Navigating DNS Management: Unveiling Amazon Route 53 Inbound and Outbound Resolver Endpoints

Updated June 23, 2025

Guide: Hybrid DNS with Route 53 Resolver Endpoints

This guide explains how to build a hybrid DNS setup with Amazon Route 53 Resolver endpoints. It is based on the concepts from the Tutorials Dojo article and adds more detailed explanations.

The Challenge: Seamless DNS Across VPC and On-Premises

In a hybrid cloud environment, you have resources in your on-premises data center and in your AWS VPC. A common challenge is enabling DNS name resolution to work seamlessly between them.

  • How can your on-premises servers resolve the names of your EC2 instances in a private VPC?

  • How can your EC2 instances in a VPC resolve the names of servers in your on-premises data center (e.g., server1.onprem.corp)?

Route 53 Resolver endpoints are designed specifically to solve this problem by creating a bridge between your on-premises DNS infrastructure and the Amazon Route 53 Resolver.

Part 1: Resolving AWS Resources from Your On-Premises Network (Inbound Flow)

This flow allows your on-premises clients to resolve AWS domain names, such as EC2 instance private DNS names or records in a Route 53 private hosted zone.

What is a Route 53 Inbound Endpoint?

An Inbound Endpoint is a set of Elastic Network Interfaces (ENIs) placed in your VPC's subnets. Each ENI gets a private IP address, and these IPs are the targets for DNS queries coming from your on-premises network into your VPC. The ENIs are needed because the VPC's own Route 53 Resolver address (the VPC CIDR base plus two, e.g. 10.0.0.2) is reachable only from inside the VPC.

How it Works: The Query Path

  1. Configuration:

    • You create a Route 53 Inbound Endpoint in your target AWS region, placing its ENIs in different Availability Zones for high availability.

    • In your on-premises DNS server (e.g., BIND, Windows Server DNS), you configure a conditional forwarder. The rule says, "Forward any DNS query ending in .amazonaws.com (or your private hosted zone name) to the IP addresses of the Route 53 Inbound Endpoint ENIs."

  2. The DNS Query Flow:

    • An on-premises client asks its local DNS server to resolve ec2-instance.us-east-1.compute.internal.

    • The on-premises DNS server sees the conditional forwarding rule and sends the query over the VPN or Direct Connect to the IP address of one of the Inbound Endpoint ENIs.

    • The Inbound Endpoint receives the query and passes it to the Route 53 Resolver.

    • The Route 53 Resolver resolves the name to the EC2 instance's private IP address and sends the answer back along the same path.

Part 2: Resolving On-Premises Resources from Your VPC (Outbound Flow)

This flow allows your EC2 instances and other AWS resources to resolve names that only your on-premises DNS servers know about.

What is a Route 53 Outbound Endpoint?

An Outbound Endpoint is the source for DNS queries leaving your VPC and going to your on-premises network. Like the inbound endpoint, it consists of ENIs placed in your VPC. It acts as the "front door" for outbound DNS traffic.

The Key: Resolver Rules for Conditional Forwarding

An Outbound Endpoint on its own does nothing. It must be used with Resolver Rules. A rule defines which DNS queries should be forwarded to your on-premises DNS servers.

  • A typical rule would be: "For any query matching *.onprem.corp, forward it to the IP addresses of my on-premises DNS servers."

How it Works: The Query Path

  1. Configuration:

    • You create a Route 53 Outbound Endpoint in your VPC.

    • You create one or more Resolver Rules that specify the domain names to be forwarded and the IP addresses of your on-premises DNS servers.

    • You associate these rules with your VPC.

  2. The DNS Query Flow:

    • An EC2 instance in your VPC makes a DNS query for server1.onprem.corp.

    • The query is automatically sent to the VPC's Route 53 Resolver.

    • The Resolver checks its list of Resolver Rules. It finds a match for *.onprem.corp.

    • Based on the rule, the Resolver forwards the query to the Outbound Endpoint.

    • The Outbound Endpoint sends the query over the VPN or Direct Connect to the specified on-premises DNS server.

    • The on-premises DNS server resolves the name and returns the answer along the same path.

    • If no rule matches (e.g., for www.google.com), the Route 53 Resolver handles the query normally, resolving it recursively against public DNS servers.
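The decision that both sides of the hybrid path make is the same one: find the forwarding rule that matches the queried name, send the query to that rule's targets, and fall back to normal recursive resolution when nothing matches. The following Python model is an added example, not Route 53 or BIND code, and its rule tables, domain names and IP addresses are constructed. It covers both the on-premises conditional forwarder of Part 1 and the VPC Resolver Rules of Part 2, and goes slightly beyond the text in two ways that matter in practice: matching is done per DNS label (so "notonprem.corp" does not match a rule for "onprem.corp"), and when several rules match, the most specific one wins, which is how a SYSTEM rule for a subdomain can carve an exception out of a broader FORWARD rule.

```python
"""Model of the forwarding decision on both sides of the hybrid DNS path.
Constructed example, not Route 53 or BIND code: the VPC rule table and the
on-prem conditional-forwarder table below are sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ForwardRule:
    domain: str                     # domain the rule applies to, including its subdomains
    rule_type: str                  # "FORWARD" (send to targets) or "SYSTEM" (resolve locally)
    targets: List[str] = field(default_factory=list)   # DNS server IPs for FORWARD rules


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels so matching is per label, not per substring."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def matches(name: str, domain: str) -> bool:
    """True when name equals domain or is a subdomain of it (label-aligned suffix)."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d


def select_rule(rules: List[ForwardRule], name: str) -> Optional[ForwardRule]:
    """Most specific match wins: the matching rule whose domain has the most labels."""
    best = None
    for rule in rules:
        if matches(name, rule.domain) and (
            best is None or len(_labels(rule.domain)) > len(_labels(best.domain))
        ):
            best = rule
    return best


def resolve_path(rules: List[ForwardRule], name: str) -> Tuple[str, List[str]]:
    """Decide where a query goes: ("FORWARD", target IPs) or ("RECURSIVE", [])."""
    rule = select_rule(rules, name)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("RECURSIVE", [])       # no rule, or an explicit "resolve it yourself" rule
    return ("FORWARD", list(rule.targets))


# Part 2 (outbound flow): rules associated with the VPC. Targets are the
# on-prem DNS servers the Outbound Endpoint sends the query to (constructed IPs).
VPC_RULES = [
    ForwardRule("onprem.corp", "FORWARD", ["10.10.0.53", "10.10.1.53"]),
    # Hypothetical subzone that lives in a private hosted zone in AWS: a SYSTEM
    # rule for it overrides the broader FORWARD rule above.
    ForwardRule("aws.onprem.corp", "SYSTEM"),
]

# Part 1 (inbound flow): conditional forwarders on the on-prem DNS server.
# Targets are the Inbound Endpoint ENI IPs (constructed).
ONPREM_FORWARDERS = [
    ForwardRule("compute.internal", "FORWARD", ["10.0.1.10", "10.0.2.10"]),
    ForwardRule("amazonaws.com", "FORWARD", ["10.0.1.10", "10.0.2.10"]),
]


if __name__ == "__main__":
    for table, names in (
        (VPC_RULES, ["server1.onprem.corp", "db.aws.onprem.corp", "www.google.com"]),
        (ONPREM_FORWARDERS, ["ec2-instance.us-east-1.compute.internal"]),
    ):
        for qname in names:
            print(qname, "->", resolve_path(table, qname))
```

Run it as a script to see each sample query traced to either a forwarding target list or recursive resolution; the SYSTEM-rule case shows why rule ordering in a table does not matter, only domain specificity does.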

Key Requirements

  • Private Connectivity: A stable private network path between your on-premises network and your VPC is required, either an AWS Site-to-Site VPN or AWS Direct Connect.

  • Network ACLs and Security Groups: The security groups associated with your Resolver Endpoint ENIs, as well as your network ACLs, must allow DNS traffic (UDP and TCP on port 53) between your on-premises DNS server IPs and the Endpoint ENI IPs. Security groups are stateful, so one rule for the query direction is enough; network ACLs are stateless, so they also need a rule for the replies, which return on ephemeral ports.
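Because security groups are stateful and network ACLs are not, the two are easy to get subtly wrong: a security group open on UDP 53 to 0.0.0.0/0 works but exposes the endpoint far wider than the on-prem DNS servers, and a NACL that allows port 53 in but never allows replies out on ephemeral ports silently breaks every query. The following audit is an added example, not an AWS tool; it evaluates constructed security group and NACL rule sets for an inbound endpoint against constructed on-prem DNS server addresses, using AWS's first-match-by-rule-number NACL semantics.

```python
"""Audit security group and network ACL rules for a Route 53 Resolver inbound
endpoint: UDP/TCP 53 must be allowed from the on-prem DNS servers and nothing
wider, and the stateless NACL must also allow the replies. Constructed example."""
import ipaddress
from typing import Dict, List

DNS_PORT = 53
EPHEMERAL = (1024, 65535)          # reply ports that a stateless NACL must allow out

# Constructed on-premises DNS server addresses (the only legitimate query sources).
ONPREM_DNS = ["10.10.0.53", "10.10.1.53"]

# Security group rules (stateful: replies to allowed queries need no rule).
SG_GOOD = [
    {"direction": "ingress", "protocol": "udp", "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
    {"direction": "ingress", "protocol": "tcp", "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
]
SG_BAD = [
    # Open to the world, and TCP 53 is missing: answers too large for UDP fall back to TCP and fail.
    {"direction": "ingress", "protocol": "udp", "from_port": 53, "to_port": 53, "cidr": "0.0.0.0/0"},
]


def _covers(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _in_range(rule: Dict, port: int) -> bool:
    return rule["from_port"] <= port <= rule["to_port"]


def check_security_group(rules: List[Dict], peers: List[str]) -> List[str]:
    """Findings for an inbound endpoint SG: every peer needs udp/53 and tcp/53 ingress,
    and no rule may be open to the whole internet."""
    findings = []
    for proto in ("udp", "tcp"):
        matching = [r for r in rules if r["direction"] == "ingress"
                    and r["protocol"] == proto and _in_range(r, DNS_PORT)]
        for peer in peers:
            if not any(_covers(r["cidr"], peer) for r in matching):
                findings.append(f"ingress {proto}/53 from {peer} not allowed")
    for r in rules:
        if ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0:
            findings.append(f"{r['direction']} {r['protocol']} open to {r['cidr']}; "
                            "restrict to on-prem DNS ranges")
    return findings


def nacl_decision(rules: List[Dict], direction: str, proto: str, port: int, ip: str) -> str:
    """Evaluate a NACL as AWS does: ascending rule number, first match wins, implicit deny."""
    for r in sorted(rules, key=lambda r: r["rule_number"]):
        if (r["direction"] == direction and r["protocol"] in (proto, "all")
                and _in_range(r, port) and _covers(r["cidr"], ip)):
            return r["action"]
    return "deny"


def check_nacl(rules: List[Dict], peers: List[str]) -> List[str]:
    """NACLs are stateless: the query (ingress 53) and the reply (egress to an
    ephemeral port on the peer) each need their own allow rule."""
    findings = []
    for peer in peers:
        for proto in ("udp", "tcp"):
            if nacl_decision(rules, "ingress", proto, DNS_PORT, peer) != "allow":
                findings.append(f"NACL blocks ingress {proto}/53 from {peer}")
            for port in EPHEMERAL:            # probe both ends of the reply port range
                if nacl_decision(rules, "egress", proto, port, peer) != "allow":
                    findings.append(f"NACL blocks {proto} reply to {peer}:{port}")
                    break
    return findings


NACL_GOOD = [
    {"rule_number": 100, "direction": "ingress", "action": "allow", "protocol": "udp",
     "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
    {"rule_number": 110, "direction": "ingress", "action": "allow", "protocol": "tcp",
     "from_port": 53, "to_port": 53, "cidr": "10.10.0.0/16"},
    {"rule_number": 100, "direction": "egress", "action": "allow", "protocol": "udp",
     "from_port": 1024, "to_port": 65535, "cidr": "10.10.0.0/16"},
    {"rule_number": 110, "direction": "egress", "action": "allow", "protocol": "tcp",
     "from_port": 1024, "to_port": 65535, "cidr": "10.10.0.0/16"},
]
# Common mistake: queries are allowed in, but the reply path out is forgotten.
NACL_BAD = NACL_GOOD[:2]

if __name__ == "__main__":
    for label, result in (("SG_GOOD", check_security_group(SG_GOOD, ONPREM_DNS)),
                          ("SG_BAD", check_security_group(SG_BAD, ONPREM_DNS)),
                          ("NACL_GOOD", check_nacl(NACL_GOOD, ONPREM_DNS)),
                          ("NACL_BAD", check_nacl(NACL_BAD, ONPREM_DNS))):
        print(label, result or "ok")
```

For an outbound endpoint the same checks apply with the directions swapped: the security group needs egress to the on-prem DNS server IPs on UDP/TCP 53, and the NACL needs egress on 53 plus ingress for replies on the ephemeral range.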