AWS Certified Solutions Architect – Professional — Question 646
A company is migrating its data center from on premises to the AWS Cloud. The migration will take several months to complete. The company will use Amazon
Route 53 for private DNS zones.
During the migration, the company must keep its AWS services pointed at the VPC's Route 53 Resolver for DNS. The company also must maintain the ability to resolve addresses from its on-premises DNS server. A solutions architect must set up DNS so that Amazon EC2 instances can use native Route 53 endpoints to resolve on-premises DNS queries.
Which configuration will meet these requirements?
Answer options
- A. Configure the VPC DHCP options set to point to on-premises DNS server IP addresses. Ensure that security groups for EC2 instances allow outbound access to port 53 on those DNS server IP addresses.
- B. Launch an EC2 instance that has DNS BIND installed and configured. Ensure that the security groups that are attached to the EC2 instance can access the on-premises DNS server IP address on port 53. Configure BIND to forward DNS queries to on-premises DNS server IP addresses. Configure each migrated EC2 instance's DNS settings to point to the BIND server IP address.
- C. Create a new outbound endpoint in Route 53, and attach the endpoint to the VPC. Ensure that the security groups that are attached to the endpoint can access the on-premises DNS server IP address on port 53. Create a new Route 53 Resolver rule that routes on-premises designated traffic to the on-premises DNS server.
- D. Create a new private DNS zone in Route 53 with the same domain name as the on-premises domain. Create a single wildcard record with the on-premises DNS server IP address as the record's address.
Correct answer: C
Explanation
To resolve on-premises DNS queries from EC2 instances natively using Route 53, you must use Route 53 Resolver outbound endpoints. By setting up an outbound endpoint and defining a forwarding rule for the on-premises domain, EC2 instances can query the default VPC resolver, which then forwards the appropriate requests to the on-premises DNS servers. Other solutions like altering the DHCP options set or using an intermediate BIND server bypass native Route 53 Resolver functionality, which violates the requirement.