AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 114

A company is establishing connectivity between its on-premises site and an existing VPC on AWS to meet a new security requirement. According to the new requirement, all public DNS queries must use an on-premises DNS security solution. The company's security team has allowed an exception for the AWS service endpoints because the company is using VPC endpoints to access AWS services.

Which combination of steps should a network engineer take to configure the architecture to meet these requirements? (Choose three.)

Answer options

• A. Create a system rule for the domain name “.” (dot) with a target IP address of the on-premises DNS security solution.
• B. Create a new DHCP options set that provides the IP address of the on-premises DNS security solution. Update the VPC to use this new DHCP options set.
• C. Create an Amazon Route 53 Resolver inbound endpoint. Associate this endpoint with the VPC.
• D. Create an Amazon Route 53 Resolver outbound endpoint. Associate this endpoint with the VPC.
• E. Create a system rule for the domain name amazonaws.com.
• F. Create a forwarding rule for the domain name “.” (dot) with a target IP address of the on-premises DNS security solution.

Correct answer: D, E, F

Explanation

The correct answer includes creating an outbound endpoint (D) for DNS queries to AWS services, a system rule for amazonaws.com (E) to handle requests specific to AWS, and a forwarding rule for the root domain (F), ensuring all other queries are sent to the on-premises DNS. Options A, B, and C are not suitable as they do not align with the requirements for handling public DNS queries through the on-premises solution.