Private DNS in Cloud: VPC DNS Architecture Guide
Private DNS enables internal service discovery without exposing records to the internet. This guide covers private DNS architecture across AWS, Azure, and GCP—from basic VPC DNS to complex hybrid scenarios.
Why Private DNS?
Private DNS provides several benefits:
- Security: Internal hostnames not exposed to internet
- Service discovery: Applications find each other by name
- Environment isolation: Same names, different IPs per environment
- Simplified configuration: No hardcoded IPs in application config
- Migration flexibility: Change IPs without updating clients
VPC DNS Resolution
AWS VPC DNS
Amazon provides automatic DNS for every VPC:
- Amazon-provided DNS: Available at VPC CIDR + 2 (e.g., 10.0.0.2)
- Also at 169.254.169.253: Link-local address works everywhere
- DNS hostnames: Instances get ec2-*.compute.amazonaws.com names
- Enable settings: enableDnsSupport and enableDnsHostnames
# VPC DNS resolution flow
Instance → 10.0.0.2 (VPC resolver)
│
├── Private hosted zone? → Return private record
│
├── VPC endpoint zone? → Return endpoint IP
│
└── Otherwise → Query public DNSGCP Cloud DNS
- Metadata server: 169.254.169.254 for DNS
- Internal DNS: [hostname].internal for same network
- Private zones: Custom zones visible to specified networks
Azure DNS
- Azure-provided DNS: 168.63.129.16
- Private DNS zones: Link to VNets for resolution
- Auto-registration: VMs automatically get DNS records
Private Hosted Zones
AWS Route 53 Private Hosted Zones
Create custom domain names for internal resources:
# Create private hosted zone
aws route53 create-hosted-zone \
--name internal.example.com \
--vpc VPCRegion=us-east-1,VPCId=vpc-12345678 \
--caller-reference $(date +%s) \
--hosted-zone-config PrivateZone=true
# Add a record
aws route53 change-resource-record-sets \
--hosted-zone-id Z1234567890ABC \
--change-batch '{
"Changes": [{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "api.internal.example.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [{"Value": "10.0.1.100"}]
}
}]
}'Associating Multiple VPCs
- Associate single private zone with multiple VPCs
- Works across accounts with authorization
- Enables shared service discovery
Hybrid DNS Architecture
Connecting cloud and on-premise DNS requires bidirectional resolution:
Cloud → On-Premise Resolution
VPC Instance → Route 53 Resolver Outbound Endpoint → On-Prem DNS
Configuration:
- Outbound endpoint in VPC
- Resolver rule for corp.example.com → on-prem DNS IPs
- Traffic flows over VPN/Direct ConnectOn-Premise → Cloud Resolution
On-Prem Server → Conditional Forwarder → Route 53 Resolver Inbound Endpoint
Configuration:
- Inbound endpoint in VPC (gets ENI with IP)
- On-prem DNS forwards *.aws.example.com to inbound endpoint IPsRoute 53 Resolver Architecture
┌─────────────────────┐
│ Route 53 Resolver │
└──────────┬──────────┘
│
┌──────────────────────────┼──────────────────────────┐
│ │ │
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Inbound │ │ Outbound │ │ Resolver │
│ Endpoint │ │ Endpoint │ │ Rules │
│ (On-prem→AWS) │ │ (AWS→On-prem) │ │ │
└───────────────┘ └───────────────┘ └───────────────┘Split-Horizon DNS
Same domain name resolves differently based on query source:
Use Cases
- Internal vs. external: app.example.com → internal IP from VPC, public IP from internet
- VPN users: Access internal resources with familiar names
- Development: Different environments with same hostnames
Implementation
# Public hosted zone (internet-facing)
Zone: example.com (public)
app.example.com → 203.0.113.10 (public IP/ALB)
# Private hosted zone (VPC internal)
Zone: example.com (private, associated with VPC)
app.example.com → 10.0.1.100 (private IP)When a VPC instance queries, Route 53 checks private zones first:
- Query for app.example.com
- VPC resolver checks: Is there a private zone for example.com?
- Yes → Return private record (10.0.1.100)
- If no private zone → Forward to public DNS
Service Discovery Patterns
AWS Cloud Map
- Managed service discovery for containers and services
- Integrates with ECS, EKS, and custom services
- Supports DNS and API-based discovery
Kubernetes DNS
- CoreDNS provides cluster-internal DNS
- Services get [service].[namespace].svc.cluster.local
- Configurable forwarding to VPC DNS for external names
Consul DNS
- HashiCorp Consul provides service mesh DNS
- Services register and are discoverable via DNS
- Health checking and failover built-in
DNS for VPC Endpoints
VPC endpoints can create private DNS entries for AWS services:
Interface Endpoints
- Private DNS: Optionally override public service DNS
- Example: ec2.us-east-1.amazonaws.com → endpoint ENI IP
- Benefit: No code changes needed to use endpoint
Gateway Endpoints (S3, DynamoDB)
- Route table-based, not DNS-based
- Service DNS still resolves to public IPs
- Traffic routed via endpoint by route table
Troubleshooting Private DNS
Common Issues
- Zone not associated: Private zone must be associated with VPC
- DNS settings disabled: enableDnsSupport must be true
- Wrong resolver: Instance using wrong DNS server
- DHCP options: Custom DHCP options may override VPC DNS
Debugging Commands
# Check resolver configuration
cat /etc/resolv.conf
# Query VPC DNS directly
dig @169.254.169.253 api.internal.example.com
# Check what DNS server is being used
dig +trace api.internal.example.com
# AWS: List private hosted zones associated with VPC
aws route53 list-hosted-zones-by-vpc \
--vpc-id vpc-12345678 \
--vpc-region us-east-1Key Takeaways
- Each cloud provider has built-in VPC DNS at a well-known IP
- Private hosted zones enable custom internal domain names
- Hybrid DNS requires resolver endpoints for bidirectional resolution
- Split-horizon DNS provides different answers for internal/external queries
- VPC endpoints can override AWS service DNS for private connectivity
Need Private DNS Architecture Help?
We design hybrid DNS solutions for complex environments. Contact us for a consultation.