AWS Certified SysOps Administrator – Associate — Question 346

A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com. The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC. A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.

What should the SysOps administrator do to meet these requirements?

Answer options

• A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
• B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
• C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
• D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

Correct answer: A

Explanation

To enable on-premises servers to resolve DNS queries in an Amazon Route 53 private hosted zone, a Route 53 Resolver inbound endpoint must be configured to receive queries from the on-premises network. The security group associated with this inbound endpoint must permit inbound TCP and UDP traffic on port 53 from the on-premises DNS server IP addresses. Outbound endpoints are incorrect because they are used to forward DNS queries from AWS to on-premises DNS servers.