Score:0

How do I configure AWS EC2 instances to selectively bypass default DNS resolver in all regions?

pk

I have a network of AWS EC2 instances. Most of them are using the default VPC's DNS resolver to prevent exfiltration and to resolve internal domains (using a custom TLD). That all works fine.

However, there is one (Ubuntu) instance that needs to use a general, public resolver to reach the Internet at large (e.g. 8.8.8.8).

I managed to get this to work in us-east-1 by replacing /etc/systemd/resolved.conf with

[Resolve]
DNS=8.8.8.8 208.67.222

and adding an /etc/systemd/resolved.conf.d/MYTLD.conf

[Resolve]
Domains=MYTLD
DNS=10.6.0.2

After restarting systemd-resolved, the instance resolves all domains just fine. But when I apply this exact same configuration to a nigh-identical network in us-east-2, public DNS doesn't work.

One suggestion I found on StackExchange was to symlink /etc/resolv.conf to /run/systemd/resolve/resolv.conf. That made public DNS start resolving, but the internal TLD stopped.

How do I get DNS to consistently resolve in any region?

Score:0
pk

I have found my solution.

The DNS Resolver was set to default block (obviously; that was the point of this exercise), but the response was set to NODATA. This created a race condition: systemd-resolve uses Link-Local Multicast Name Resolution to get DNS results. This means it simultaneously queried the AWS internal server and one of the public servers. LLMNR returns either the first successful result it gets or the last failure (if all results are failures).

A NODATA result from the DNS Resolver is technically a success, so that result was returned if it arrived first. Changing the action to NXDOMAIN - which is a failure result from systemd-resolve's perspective - fixed the problem.
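As an added illustration, not part of the original answer, here is a small Python model of the race described above: replies from the VPC resolver (10.6.0.2 from the question) and a public resolver (8.8.8.8) are ranked by arrival, a NOERROR reply with no records (NODATA) counts as a success, and NXDOMAIN counts as a failure. The public answer address and latencies are constructed values.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in the answer: the query goes
# to every configured server at once, the first reply that counts as a
# success wins, and only if every reply failed is the last failure returned.

@dataclass
class Reply:
    server: str       # upstream that answered
    arrival_ms: int   # constructed arrival time of the reply
    rcode: str        # "NOERROR" or "NXDOMAIN"
    answers: tuple    # A records; empty tuple means NODATA

def is_success(reply: Reply) -> bool:
    # NOERROR with an empty answer section (NODATA) is still a "success" here,
    # which is exactly why a NODATA block response can beat the public reply.
    return reply.rcode == "NOERROR"

def pick_reply(replies: list) -> Reply:
    ordered = sorted(replies, key=lambda r: r.arrival_ms)
    for reply in ordered:
        if is_success(reply):
            return reply
    return ordered[-1]  # all failed: last failure wins

def firewall_reply(block_response: str, arrival_ms: int) -> Reply:
    """Reply from the VPC resolver for a name its block rule matches."""
    if block_response == "NODATA":
        return Reply("10.6.0.2", arrival_ms, "NOERROR", ())
    if block_response == "NXDOMAIN":
        return Reply("10.6.0.2", arrival_ms, "NXDOMAIN", ())
    raise ValueError(f"unsupported block response: {block_response}")

def resolve_public_name(block_response: str, vpc_ms: int, public_ms: int) -> tuple:
    """Answers the application sees for a public name under a given block response."""
    replies = [
        firewall_reply(block_response, vpc_ms),
        # Constructed public answer (TEST-NET-3 address, not a real host).
        Reply("8.8.8.8", public_ms, "NOERROR", ("203.0.113.10",)),
    ]
    return pick_reply(replies).answers

if __name__ == "__main__":
    for policy in ("NODATA", "NXDOMAIN"):
        print(policy, "VPC first:", resolve_public_name(policy, 1, 20),
              "public first:", resolve_public_name(policy, 20, 1))
```

With NODATA the outcome depends on which reply arrives first; with NXDOMAIN the public answer is returned regardless of ordering.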
