aws private instance cannot resolve hostname (VPC with NAT instance)
DNS resolution in a VPC does not depend on the NAT device, whether it's a NAT instance or NAT Gateway, and because of the way it's implemented, it is very difficult if not impossible to break DNS through misconfiguration of the network, because the traffic has no need to be allowed via security groups and Network ACLs.
If it isn't working, that suggests it's not turned on.
Ensure that enableDnsSupport is set to true.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html#vpc-dns-support
You'll probably want to activate enableDnsHostnames while you're there. It does not make your instances "public," despite the fact that the documented description implies that it does.
There is rarely a case for not enabling either of these options.
Related videos on Youtube
05 : 54
17 : 25
18 : 15
09 : 27
02 : 26
mpprdev
Updated on September 18, 2022Comments
-
mpprdev over 1 year
Please note that this question is different than this one here where they used a standard AMI vs NAT AMI (in my case). Also in my case private instance can access Internet via ipaddress but not via hostname resolution.
Here's my setup:
- Non-default VPC with 1 public subnet & 1 private subnet.
- NAT instance on the public subnet with an elastic IP. Used Amazon Community NAT AMI: amzn-ami-vpc-nat-hvm-2017.09.1.20180108-x86_64-ebs ami-d4a883b1. Amazon Linux AMI 2017.09.1.20180108 x86_64 VPC NAT HVM EBS
- Security group as per NAT Security Group documentation attached to NAT instance above
- Private instance (on private subnet) can reach Internet via NAT instance as long as it uses ip address. For example:
curl http://74.125.135.99/works butcurl http://www.google.comdoesn't work
Private instance:
$cat /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 127.0.0.1 search us-east-2.compute.internal $ curl http://74.125.135.99/ <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A>. </BODY></HTML> $ curl http://www.google.com/ curl: (6) Could not resolve host: www.google.comNAT instance:
$ cat /etc/resolv.conf ; generated by /sbin/dhclient-script search us-east-2.compute.internal options timeout:2 attempts:5 nameserver 10.0.0.2UPDATE: Following DNS settings are on my VPC:
DNS resolution: yes DNS hostnames: yes -
mpprdev over 6 yearsOn my VPC the following is set. Is this what you are referring to? DNS resolution: yes DNS hostnames: yes
-
Michael - sqlbot over 6 yearsYes... but I just noticed
nameserver 127.0.0.1on your instance. Any idea how that got that way? It should be the same as the NAT machine. They should all be the same, it should be the base address of your VPC + 2 (e.g. 10.0.0.0/x >> 10.0.0.2). -
mpprdev over 6 yearsNo idea how it was set - it was set automatically. I rebooted and the values stayed the same.
-
Michael - sqlbot over 6 yearsCheck your DHCP Options Sets.
-
mpprdev over 6 yearsHere's what I have for DHCP option set on the VPC:
domain-name = us-east-2.compute.internaldomain-name-servers = AmazonProvidedDNS -
Michael - sqlbot over 6 yearsI'm glad you found it, @mpprdev. If for some reason you wanted to use dnsmasq, it should work if you configure it to use 169.254.169.253 as its upstream server. That's a special address, functionally equivalent to the x.x.x.2 address for the DNS resolver in your VPC, but portable across different VPCs so it's safe to hard-code.
-
mpprdev over 6 yearsThank you @michael-sqlbot for the 169.254.169.253 tip. Upvoted.
-
John Hanley over 6 yearsNote: Older operating system like Windows Server 2008 won't allow DNS servers in the 169.254.x.x network. @Michael-sqlbot tip is a good one and I use that instead of the VPC Base + 2 address in my AMIs so that they are portable across VPCs.
