0

From the AWS doc, it states that the Amazon DNS Server would be the base of your VPC network range plus two. I'm confused whether this server is also the same AmazonProvidedDNS that you set in your DHCP option sets.

The Amazon DNS server does not reside within a specific subnet or Availability Zone in a VPC. It's located at the address 169.254.169.253 (and the reserved IP address at the base of the VPC IPv4 network range, plus two) and fd00:ec2::253. For example, the Amazon DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.

Is the "Amazon DNS server" and AmazonProvidedDNS the same?

For example, if my VPC's base network range is 10.0.0.0 and I run a DNS query against 10.0.0.2, am I querying the AmazonProvidedDNS (aka Amazon DNS Server)?

edmamerto

2 Answers

3

AmazonProvidedDNS is an option in the default DHCP option set. DHCP option sets are settings for your VPC where you can specify IP addresses for things such as domain name server, NTP server and NetBIOS server.

From the docs linked above:

Domain name servers: The DNS servers that will be used to resolve the IP address of the host. In the default option set, the only value is AmazonProvidedDNS. The string AmazonProvidedDNS maps to Amazon's DNS server.

Essentially, this means that if the default DHCP option set is used for your VPC and you query the network address + 2 (for example, 10.0.0.2), you will be querying the Amazon DNS servers.

If you have time, you could also watch this AWS re:Invent 2019: Deep dive on DNS in the hybrid cloud presentation about how DNS works inside an AWS VPC.

Ervin Szilagyi
0

The doc Amazon VPC > DNS Attributes > Amazon DNS Server says

The Amazon DNS server does not reside within a specific subnet or Availability Zone in a VPC. It's located at the address 169.254.169.253 (and the reserved IP address at the base of the VPC's IPv4 network range, plus two) and fd00:ec2::253.

It's not in this subnet's private IPv4 CIDR (e.g. a /24) unless this subnet happens to be the one allocated at the bottom of the VPC's CIDR (e.g. a /16). To simplify finding the DNS server, or for use before you get an address assignment via DHCP or PD, it's also available at static link-local IPv4 and IPv6 addresses.

Similarly, the Amazon Time Sync Service is available early in the boot process at static link-local addresses, 169.254.169.123 and fd00:ec2::123, but it's different: Why doesn't it have its own symbol AmazonProvidedNTP in the default DHCP option set, analogous to AmazonProvidedDNS? Why don't the DNS and NTP services share the same addresses on the same ENI? And why isn't NTP also available at the VPC's IPv4 base plus 2 (or whatever)? Good questions!
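As an added example (not code from either answer), the following Python derives the resolver address both answers describe (primary IPv4 CIDR base plus two, alongside the static link-local addresses), checks whether a given subnet is the one that actually contains it, and audits an instance's resolv.conf so that any nameserver other than AmazonProvidedDNS stands out. The resolv.conf contents and the 198.51.100.53 entry are constructed samples.

```python
import ipaddress
import re

# Static link-local resolver addresses quoted in the answers above.
LINK_LOCAL_RESOLVERS = {
    ipaddress.ip_address("169.254.169.253"),
    ipaddress.ip_address("fd00:ec2::253"),
}

def amazon_dns_address(primary_vpc_cidr):
    """In-VPC Amazon DNS resolver: base of the primary IPv4 CIDR plus two."""
    net = ipaddress.ip_network(primary_vpc_cidr, strict=True)
    if net.version != 4:
        raise ValueError("base-plus-two applies to the primary IPv4 CIDR")
    return net.network_address + 2

def expected_resolvers(primary_vpc_cidr):
    """Every address at which the Amazon DNS server answers for this VPC."""
    return {amazon_dns_address(primary_vpc_cidr)} | LINK_LOCAL_RESOLVERS

def resolver_in_subnet(primary_vpc_cidr, subnet_cidr):
    """True only when the subnet is the one at the bottom of the VPC CIDR."""
    return amazon_dns_address(primary_vpc_cidr) in ipaddress.ip_network(subnet_cidr)

def audit_resolv_conf(resolv_conf_text, primary_vpc_cidr):
    """Return nameserver entries that are not the Amazon DNS server.

    Anything returned means the instance resolves through something other
    than AmazonProvidedDNS (custom DHCP option set, manual edit, or tampering).
    """
    expected = expected_resolvers(primary_vpc_cidr)
    unexpected = []
    for line in resolv_conf_text.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:  # not an IP literal at all; flag it as-is
            unexpected.append(m.group(1))
            continue
        if addr not in expected:
            unexpected.append(str(addr))
    return unexpected

# Constructed sample resolv.conf for an instance in a 10.0.0.0/16 VPC, with
# one extra nameserver (198.51.100.53, a documentation-range address) added.
SAMPLE_RESOLV_CONF = """search ec2.internal
nameserver 10.0.0.2
nameserver 198.51.100.53
"""
```

Running `audit_resolv_conf(SAMPLE_RESOLV_CONF, "10.0.0.0/16")` flags only 198.51.100.53; 10.0.0.2 is accepted because it is the VPC base plus two.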