AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 369
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?
Answer options
- A. Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
- B. Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
- C. Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
- D. Update the on-premises forwarders with the four name servers assigned to the private hosted zone.
Correct answer: A
Explanation
The Amazon-provided Route 53 Resolver (reachable at the VPC's base CIDR plus two, the ".2" address) answers only queries that originate from within the VPC itself. That is why instances in the VPC and in the peered VPC can resolve the private hosted zone, while the on-premises forwarder that sends queries over the VPN to the .2 address gets no answer. Setting up a proxy resolver inside the VPC (or, today, a Route 53 Resolver inbound endpoint) provides an intermediary with an elastic network interface in the VPC: it accepts DNS queries from on-premises clients and forwards them to the local VPC resolver, which can see the private hosted zone. The other options do not address this architectural restriction: a network ACL change cannot make the .2 resolver accept out-of-VPC queries, a private hosted zone cannot be served as a secondary zone by an external DNS server, and the four name servers assigned to a private hosted zone are not directly queryable from outside, so pointing the on-premises forwarders at them fails as well.
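The inbound-resolver design from the explanation, written out as an added Terraform example (not part of the exam page). It assumes placeholder variables for the VPC, two subnets, the on-premises CIDR and the private zone name; the security group is restricted to DNS from the on-premises range so the endpoint is not an open resolver.

```terraform
# Constructed example: Route 53 Resolver inbound endpoint that lets
# on-premises forwarders reach a private hosted zone via the VPN.
variable "vpc_id"       { type = string }   # VPC associated with the private zone
variable "subnet_a_id"  { type = string }   # two subnets in different AZs
variable "subnet_b_id"  { type = string }
variable "onprem_cidr"  { type = string }   # e.g. "192.168.0.0/16" (placeholder)

# Least-privilege ingress: only DNS, only from the corporate network.
resource "aws_security_group" "resolver_inbound" {
  name        = "route53-resolver-inbound"
  description = "DNS from on-premises to Route 53 Resolver inbound endpoint"
  vpc_id      = var.vpc_id

  ingress {
    description = "DNS over UDP from on-premises"
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = [var.onprem_cidr]
  }

  ingress {
    description = "DNS over TCP from on-premises (large answers, zone data)"
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The endpoint places ENIs in the VPC; queries arriving on them are
# answered by the VPC resolver, which can see the private hosted zone.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "onprem-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver_inbound.id]

  ip_address { subnet_id = var.subnet_a_id }
  ip_address { subnet_id = var.subnet_b_id }
}

# These are the addresses the on-premises forwarder must target
# instead of the VPC's .2 resolver address.
output "inbound_resolver_ips" {
  value = [for a in aws_route53_resolver_endpoint.inbound.ip_address : a.ip]
}
```

After `terraform apply`, point the on-premises DNS server's conditional forwarder for the private zone at the two output IP addresses and confirm with a query from an on-premises host (for example `dig @<endpoint-ip> host.example.internal`).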