0

I have a network of AWS EC2 instances. Most of them are using the default VPC's DNS resolver to prevent exfiltration and to resolve internal domains (using a custom TLD). That all works fine.

However, there is one (Ubuntu) instance that needs to use a general, public resolver to reach the Internet at large (e.g. 8.8.8.8)

I managed to get this work in us-east-1 by replacing /etc/systemd/resolved.conf with

[Resolve]
DNS=8.8.8.8 208.67.222

and adding an /etc/systemd/resolved.conf.d/MYTLD.conf

[Resolve]
Domains=MYTLD
DNS=10.6.0.2

After restarting systemd-resolved, the instance resolves all domains just fine. But when I apply this exact same configuration to a nigh-identical network in us-east-2, public DNS doesn't work.

One suggestion I found on StackExchange was to symlink /etc/resolv.conf to /run/systemd/resolve/resolv.conf. That made public DNS start resolving, but the internal TLD stopped.

How do I get DNS to consistently resolve in any region?

vomitHatSteve
  • 1
  • 2

1 Answers1

0

I have found my solution.

The DNS Resolver was set to default block (obviously. That was the point of this exercise.) But the response was set to NODATA. This created a race condition: systemd-resolve uses Link-Local Multicast Name Resolution to get DNS results. This means it simultaneously queried AWS internal server and one of the public servers. LLMNR returns either the first successful result it gets or the last failure (if all results are failures)

A NODATA result from the DNS Resolver is technically a success, so that result was returned if it arrived first. Changing the action to NXDOMAIN - which is a failure result from systemd-resolve's perspective - fixed the problem.

vomitHatSteve
  • 1
  • 2