AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 286

You have a hybrid environment in which your VPC queries your on-premises DNS server for up resources in your environment. The EC2 instances in your VPC are unable to resolve on-premises resources.
What are two possible reasons for this problem? (Choose two.)

Answer options

• A. Your NACL is blocking UDP port 53 outbound
• B. Your security group is blocking port 53 inbound
• C. Your NACL is blocking TCP port 53 outbound.
• D. Your on-premises firewall is blocking port 443

Correct answer: A, C

Explanation

DNS queries primarily use UDP port 53, but can fall back to TCP port 53 for larger payloads. If the VPC's Network Access Control List (NACL) blocks outbound traffic on either UDP port 53 or TCP port 53, the DNS queries sent from the EC2 instances to the on-premises DNS server will fail. Inbound security groups do not block outgoing queries, and port 443 is used for HTTPS rather than DNS.