AWS Networking & Content Delivery

Resolve Route 53 Private Hosted Zones from an On-premises Network

Updated June 23, 2025

Guide: Resolving Private Hosted Zones via a Custom DNS Forwarder

This guide summarizes a specific method for resolving records in an Amazon Route 53 Private Hosted Zone from an on-premises network, as detailed in the Tutorials Dojo article. This approach uses a self-managed EC2 instance as a DNS forwarder.

The Goal: Accessing Private AWS DNS from On-Premises

A Route 53 Private Hosted Zone (e.g., mycorp.internal) lets you manage private DNS for your AWS resources, but its records are only visible to queries that arrive through the Route 53 Resolver of a VPC the zone is associated with. An on-premises resolver cannot query the zone directly, and the VPC resolver does not accept queries from outside the VPC.

The challenge is to allow users and servers on your on-premises network (connected via VPN or Direct Connect) to resolve these private hostnames (e.g., database.mycorp.internal) to their private IP addresses within the VPC.

Architecture Overview: The EC2 BIND Forwarder Method

This tutorial outlines a "do-it-yourself" solution: a Linux EC2 instance inside the VPC acts as a DNS forwarder between the on-premises resolver and the VPC's Route 53 Resolver. (The managed equivalent is a Route 53 Resolver inbound endpoint, which this guide does not use.)

  1. An EC2 instance running Ubuntu and the BIND DNS software is deployed into the target VPC.

  2. The on-premises DNS server is configured with a conditional forwarding rule. This rule sends any query for the private domain (e.g., mycorp.internal) to the private IP address of the EC2 forwarder instance.

  3. The EC2 BIND forwarder is configured to accept queries only from the trusted on-premises network and to forward them to the VPC's Route 53 Resolver. That resolver listens at the VPC CIDR base address plus two (10.0.0.2 for a 10.0.0.0/16 VPC) and at the link-local address 169.254.169.253; it is only reachable from inside the VPC, which is why the forwarder has to live there.

  4. The VPC DNS Resolver can resolve names in the Private Hosted Zone and returns the answer, which travels back along the same path.
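The forwarding chain in steps 2 to 4, written out as BIND configuration for both ends. This is an added example, not configuration taken from the Tutorials Dojo article, and every address in it is an assumption: VPC 10.0.0.0/16 (so the Route 53 Resolver sits at 10.0.0.2), forwarder instance 10.0.1.10, on-premises network 192.168.0.0/16, private zone mycorp.internal.

```conf
// Added example, not from the original article. Assumed addressing:
//   VPC CIDR             10.0.0.0/16  -> Route 53 Resolver at 10.0.0.2 (base + 2)
//   forwarder EC2 IP     10.0.1.10
//   on-premises network  192.168.0.0/16
//   private hosted zone  mycorp.internal

// ---- /etc/bind/named.conf.options on the EC2 forwarder (step 3) ----
acl "onprem" { 192.168.0.0/16; };

options {
    directory "/var/cache/bind";

    // Listen only on the private address; no public or IPv6 listeners.
    listen-on { 10.0.1.10; 127.0.0.1; };
    listen-on-v6 { none; };

    // Weak setting this replaces:
    //   allow-query { any; }; allow-recursion { any; };
    // With those, anything the security group lets in can use the instance
    // as an open resolver. Limit both to the trusted on-premises range
    // (localhost is kept so you can test with dig on the instance itself).
    allow-query     { onprem; localhost; };
    allow-recursion { onprem; localhost; };
    allow-transfer  { none; };

    // Hand every query to the VPC's Route 53 Resolver and never try to
    // resolve on our own: the private zone is only visible through it.
    recursion yes;
    forward only;
    forwarders { 10.0.0.2; };

    // The private zone is unsigned, so validation cannot succeed for it;
    // the trust boundary here is the VPC resolver, not DNSSEC.
    dnssec-validation no;
};

// ---- on-premises BIND: conditional forwarder for the private zone only (step 2) ----
// Only mycorp.internal is sent to the EC2 forwarder; all other names keep
// resolving through the on-premises server's normal path.
zone "mycorp.internal" {
    type forward;
    forward only;
    forwarders { 10.0.1.10; };
};
```

Check the forwarder's syntax with `named-checkconf` before reloading, then from an on-premises host run `dig @10.0.1.10 database.mycorp.internal` and confirm the answer is the private VPC address; a query for the same name from outside the `onprem` ACL should be refused. On a Windows DNS server the on-premises half is a conditional forwarder for mycorp.internal pointing at 10.0.1.10 rather than the zone stanza above. If the forwarder will also be asked for public names, `validate-except { "mycorp.internal"; };` with `dnssec-validation auto;` (BIND 9.16 or later) keeps validation for everything except the private zone instead of switching it off globally. A single instance is a single point of failure and the Route 53 Resolver caps each network interface at 1,024 packets per second; for production, run a second forwarder in another Availability Zone and list both in the on-premises `forwarders` clause.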

Step-by-Step Implementation

Prerequisites

  • A VPC connected to your on-premises network via AWS Site-to-Site VPN or Direct Connect.

  • A Route 53 Private Hosted Zone associated with your VPC.

  • An existing DNS record in the private zone (e.g., database.mycorp.internal pointing to an EC2 private IP) that you want to resolve.

  • DNS Hostnames and DNS Resolution enabled for the VPC (the enableDnsHostnames and enableDnsSupport attributes); Private Hosted Zones require both.

Step 1: Launch and Secure the EC2 Forwarder

  1. Launch a new Ubuntu EC2 instance into the same VPC as your private resources. Note its private IP address.

  2. Create a Security Group for this instance. Add inbound rules allowing TCP and UDP port 53 only from the IP address range of your on-premises network (never from 0.0.0.0/0, which would expose the instance as an open resolver), plus TCP port 22 from your administrative address range for the SSH session in Step 2.

Step 2: Install BIND

  1. SSH into the newly created Ubuntu instance.

  2. Install the BIND DNS software package: