What Is the VPC .2 Resolver? - AWS Internal DNS and Its Relationship with Route 53 Resolver
Learn what the DNS resolver at the CIDR+2 address inside a VPC actually is, how it works with private hosted zones, how Route 53 Resolver endpoints enable hybrid DNS, and how to use DNS query logs.
What Lives at the CIDR+2 Address in a VPC
When you create a VPC, the address at the base of the CIDR block plus two (10.0.0.2 for a 10.0.0.0/16 VPC) is reserved for the DNS resolver. If you check /etc/resolv.conf on an EC2 instance, you will find this address listed as the nameserver. This .2 resolver is a managed DNS service called Route 53 Resolver: DNS queries from instances are sent to the .2 address, and Route 53 Resolver performs the name resolution. How a query is handled depends on the name being queried. For domains in private hosted zones associated with the VPC, it returns records from the private hosted zone. For AWS internal service endpoints (such as ec2.ap-northeast-1.amazonaws.com), it resolves using AWS internal DNS. For all other domains, it resolves using public DNS (Route 53 public hosted zones or internet DNS). This routing happens automatically and requires no user configuration.
Private Hosted Zones - DNS That Only Works Inside a VPC
Route 53 private hosted zones are DNS zones that can only be resolved from within a VPC. For example, if you create a private hosted zone for internal.example.com and add a record that resolves api.internal.example.com to 10.0.1.100, instances within the VPC can reach the internal service at api.internal.example.com, but that name cannot be resolved from the internet. A private hosted zone can be associated with multiple VPCs. If you associate the same private hosted zone with your development, staging, and production VPCs, you can use unified internal DNS names across environments. However, if you need different IP addresses for each environment, you need to create a separate private hosted zone per environment. An interesting property of private hosted zones is that they can use the same domain name as a public hosted zone. If both a public and a private hosted zone exist for example.com, queries from within the VPC are answered from the private hosted zone first. This is known as "split-horizon DNS."
Route 53 Resolver Endpoints - Enabling Hybrid DNS
When connecting on-premises networks to a VPC via Direct Connect or VPN, DNS name resolution becomes a challenge. You may need on-premises servers to resolve domains in VPC private hosted zones, and conversely, VPC instances to resolve on-premises Active Directory domains. Route 53 Resolver endpoints solve this problem. Inbound endpoints accept queries from on-premises DNS servers and forward them to the VPC's .2 resolver. You configure conditional forwarders on your on-premises DNS server for VPC private domains, pointing to the inbound endpoint's IP addresses. Outbound endpoints forward queries from within the VPC to on-premises DNS servers. Route 53 Resolver rules are configured to forward queries for specific domains (e.g., corp.internal) to on-premises DNS servers. Endpoints create ENIs in each AZ, ensuring multi-AZ redundancy. Pricing is $0.125 per ENI per hour plus $0.40 per million DNS queries.
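The forwarding decision made by Resolver rules is easy to get wrong when rules overlap, so here is a small model of the documented matching behaviour. This is an added example, not AWS code: it picks the rule whose domain is the most specific suffix of the queried name, and shows how a SYSTEM rule for a subdomain exempts it from a broader FORWARD rule so the .2 resolver keeps handling it (for example because that subdomain lives in a private hosted zone). The rule domains and on-premises DNS addresses are constructed placeholders.

```python
"""Model of Route 53 Resolver rule selection (added example, not AWS code).

Behaviour modelled: the rule with the most specific (longest) domain that
is a suffix of the query name wins; a SYSTEM rule sends the query back to
the VPC's .2 resolver instead of forwarding it on-premises.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ResolverRule:
    domain: str                                   # rule domain, e.g. "corp.internal"
    rule_type: str                                # "FORWARD" or "SYSTEM"
    targets: List[str] = field(default_factory=list)  # on-prem DNS IPs for FORWARD rules


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _matches(rule_domain: str, qname: str) -> bool:
    """True if qname equals rule_domain or is a subdomain of it (label-wise, not substring)."""
    rule, query = _labels(rule_domain), _labels(qname)
    return len(query) >= len(rule) and query[len(query) - len(rule):] == rule


def select_rule(rules: List[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """Return the most specific matching rule, or None if no rule covers the name."""
    candidates = [r for r in rules if _matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def resolve_path(rules: List[ResolverRule], qname: str) -> str:
    """Describe where a query goes: the VPC resolver, or forwarded to given targets."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        # .2 resolver: private hosted zones, AWS internal names, then public DNS
        return "vpc-resolver"
    return "forward:" + ",".join(rule.targets)


# Constructed rule set (assumed domain names and addresses, not from a real account).
RULES = [
    ResolverRule("corp.internal", "FORWARD", ["10.10.0.53", "10.10.1.53"]),
    ResolverRule("aws.corp.internal", "SYSTEM"),  # served by a private hosted zone instead
]

if __name__ == "__main__":
    for name in ("fileserver.corp.internal", "db.aws.corp.internal", "api.internal.example.com"):
        print(name, "->", resolve_path(RULES, name))
```

The label-wise suffix check matters: a rule for corp.internal must not capture a query for notcorp.internal, which a naive string `endswith` would.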
DNS Query Logs - Visualizing DNS Activity in Your VPC
Route 53 Resolver DNS query logs record all DNS queries within a VPC, capturing which instance queried which domain and when. From a security perspective, DNS query logs are extremely valuable. Malware sometimes uses DNS to communicate with C2 (Command and Control) servers (DNS tunneling). Analyzing DNS query logs can detect suspicious queries to unusual domains. For example, a high volume of queries to random subdomain strings (a1b2c3d4.evil.com) is a sign of DNS tunneling. Query logs can be sent to one of three destinations: CloudWatch Logs, S3, or Kinesis Data Firehose. CloudWatch Logs is suited for real-time analysis, S3 + Athena for long-term storage and large-scale analysis, and Kinesis for streaming analysis. GuardDuty automatically analyzes DNS query logs and detects threats such as cryptocurrency mining, C2 communication, and data exfiltration. If GuardDuty is enabled, there is rarely a need to manually analyze DNS query logs.
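To make the tunneling heuristic above concrete, the following added example (not AWS or GuardDuty code) runs a simple detector over Route 53 Resolver query log records exported as JSON lines. It groups queries by source address and parent domain, counts distinct subdomains, and scores the leftmost label's character entropy; a source that sends many distinct, high-entropy names under one parent is reported. The sample records are constructed; the domain c2.example, the instance id and the addresses are placeholders, and the field names follow the Route 53 Resolver query log format.

```python
"""Heuristic DNS-tunneling check over Route 53 Resolver query log records.

Added example, not AWS or GuardDuty code. Each input line is one JSON
record in the Route 53 Resolver query log format (query_name, srcaddr,
rcode, ...). All sample records below are constructed.
"""
import hashlib
import json
import math
from collections import defaultdict


def shannon_entropy(label):
    """Bits per character of a DNS label; random hex runs near 3.5-4, real words near 2-3."""
    if not label:
        return 0.0
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, depth=2):
    """Approximate the registrable parent as the last `depth` labels (no public-suffix list here)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def analyze_query_logs(lines, min_unique=20, min_entropy=3.0):
    """Flag (srcaddr, parent) pairs that queried many distinct, high-entropy subdomains."""
    stats = defaultdict(lambda: {"names": set(), "entropy": 0.0, "queries": 0, "nxdomain": 0})
    for line in lines:
        rec = json.loads(line)
        qname = rec["query_name"].lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) <= 2:
            continue  # apex query: no subdomain to carry data in
        entry = stats[(rec["srcaddr"], parent_domain(qname))]
        entry["names"].add(qname)
        entry["entropy"] += shannon_entropy(labels[0])
        entry["queries"] += 1
        if rec.get("rcode") == "NXDOMAIN":
            entry["nxdomain"] += 1
    findings = []
    for (src, parent), entry in stats.items():
        mean_entropy = entry["entropy"] / entry["queries"]
        if len(entry["names"]) >= min_unique and mean_entropy >= min_entropy:
            findings.append({
                "srcaddr": src,
                "parent_domain": parent,
                "unique_subdomains": len(entry["names"]),
                "mean_label_entropy": round(mean_entropy, 2),
                "nxdomain_ratio": round(entry["nxdomain"] / entry["queries"], 2),
            })
    return sorted(findings, key=lambda f: (f["srcaddr"], f["parent_domain"]))


def _record(qname, srcaddr, rcode="NOERROR"):
    """Build one constructed log record with the query log format's field names."""
    return json.dumps({
        "version": "1.100000", "account_id": "111122223333", "region": "ap-northeast-1",
        "vpc_id": "vpc-0123456789abcdef0", "query_timestamp": "2024-01-01T00:00:00Z",
        "query_name": qname + ".", "query_type": "TXT", "query_class": "IN", "rcode": rcode,
        "answers": [], "srcaddr": srcaddr, "srcport": "53000", "transport": "UDP",
        "srcids": {"instance": "i-0123456789abcdef0"},
    })


# Constructed sample: benign lookups from one instance, plus 30 lookups of
# encoded-looking 32-character labels under c2.example from another.
SAMPLE_LOG_LINES = [
    _record("api.internal.example.com", "10.0.0.42"),
    _record("ec2.ap-northeast-1.amazonaws.com", "10.0.0.42"),
    _record("www.example.com", "10.0.0.42"),
] + [
    _record(hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32] + ".c2.example",
            "10.0.1.23", "NXDOMAIN")
    for i in range(30)
]

if __name__ == "__main__":
    for finding in analyze_query_logs(SAMPLE_LOG_LINES):
        print(finding)
```

The unique-subdomain count is the stronger signal; entropy alone misfires on legitimate names such as content-hash CDN hostnames, so tune both thresholds against a baseline of your own VPC's traffic before alerting on them.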
DNS Pitfalls - enableDnsSupport and enableDnsHostnames
VPCs have two DNS-related settings, and misconfiguring them will break DNS resolution. enableDnsSupport (default: true) enables the VPC's .2 resolver. Setting it to false means instances in the VPC cannot use the .2 resolver and will be unable to resolve names unless a custom DNS server is configured. enableDnsHostnames (default: false; true for default VPCs) automatically assigns DNS hostnames (ec2-1-2-3-4.compute-1.amazonaws.com) to instances with public IP addresses. If this setting is false, private hosted zone associations will not work. Both enableDnsSupport and enableDnsHostnames must be true to use private hosted zones. Another pitfall is DHCP option sets. The DNS server address distributed to VPC instances is controlled by the DHCP option set. If you change the DNS server to an on-premises DNS via a custom DHCP option set, the .2 resolver will no longer be used, and private hosted zones will not resolve. To systematically learn VPC DNS design, specialized books (Amazon) can be a helpful reference.
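The three pitfalls in this section (the two VPC attributes, a custom DHCP option set, and an instance that therefore no longer points at the .2 address) can be checked mechanically. The following added example, not AWS code, encodes those checks as a function over plain values; in practice you would feed it the output of `aws ec2 describe-vpc-attribute`, `aws ec2 describe-dhcp-options` and the instance's /etc/resolv.conf. It also computes the resolver address from any VPC CIDR. All sample values (CIDR, on-premises DNS addresses, resolv.conf contents) are constructed.

```python
"""Checks for the VPC DNS pitfalls: VPC attributes, DHCP option set, resolv.conf.

Added example, not AWS code. Inputs are plain values; all sample values are constructed.
"""
import ipaddress


def vpc_resolver_address(cidr):
    """The .2 resolver lives at the base of the VPC CIDR plus two."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address + 2)


def nameservers_from_resolv_conf(text):
    """Extract the nameserver entries from /etc/resolv.conf content."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_vpc_dns(cidr, enable_dns_support, enable_dns_hostnames,
                  dhcp_domain_name_servers, resolv_conf_text):
    """Return a list of findings; an empty list means private hosted zones should resolve."""
    expected = vpc_resolver_address(cidr)
    findings = []
    if not enable_dns_support:
        findings.append("enableDnsSupport=false: instances cannot use the %s resolver" % expected)
    if not enable_dns_hostnames:
        findings.append("enableDnsHostnames=false: private hosted zone associations will not work")
    # The default DHCP option set carries domain-name-servers=AmazonProvidedDNS.
    servers = [s.strip() for s in dhcp_domain_name_servers.split(",") if s.strip()]
    if not any(s in ("AmazonProvidedDNS", expected) for s in servers):
        findings.append("DHCP option set domain-name-servers=%s bypasses the %s resolver; "
                        "private hosted zones will not resolve" % (",".join(servers), expected))
    actual = nameservers_from_resolv_conf(resolv_conf_text)
    if expected not in actual:
        findings.append("instance resolv.conf uses %s, not %s" % (actual or ["<none>"], expected))
    return findings


# Constructed inputs: a healthy VPC, and the same VPC after someone switched
# the DHCP option set to on-premises DNS and left enableDnsHostnames off.
HEALTHY = dict(cidr="10.0.0.0/16", enable_dns_support=True, enable_dns_hostnames=True,
               dhcp_domain_name_servers="AmazonProvidedDNS",
               resolv_conf_text="search ap-northeast-1.compute.internal\nnameserver 10.0.0.2\n")
ON_PREM_DNS = dict(HEALTHY, enable_dns_hostnames=False,
                   dhcp_domain_name_servers="10.10.0.53, 10.10.1.53",
                   resolv_conf_text="nameserver 10.10.0.53\nnameserver 10.10.1.53\n")

if __name__ == "__main__":
    for name, cfg in (("healthy", HEALTHY), ("on-prem-dns", ON_PREM_DNS)):
        print(name, check_vpc_dns(**cfg) or "OK")
```

If you need on-premises DNS for some domains, the check above points at the fix the section implies: keep AmazonProvidedDNS in the DHCP option set and use an outbound Resolver endpoint with forwarding rules for those domains rather than replacing the .2 resolver.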