Encrypt DNS queries using DNS-over-HTTPS (DoH) with Amazon Route 53 Resolver Endpoints

Customers frequently use on-premises DNS infrastructure to resolve DNS queries for internal domains. In 2018, we announced Amazon Route 53 Resolver endpoints, which enable customers to integrate Route 53 with their on-premises DNS infrastructure for hybrid DNS resolution. In 2023, we improved this integration by providing customers the ability to encrypt DNS queries and responses using DNS over HTTPS (DoH). DoH can help enhance privacy by protecting DNS queries from eavesdropping and manipulation from unauthorized users.

The DoH protocol (not to be confused with DNSSEC) encrypts the connection between a client and a DNS resolver or from one DNS resolver to another, which improves the confidentiality and integrity of DNS queries and responses. Customers can use this functionality to encrypt:

• DNS queries from your on-premises clients and resolvers to Amazon Route 53 Resolver inbound endpoints
• DNS queries to on-premises DNS resolvers from your clients within Amazon VPC using Amazon Route 53 Resolver outbound endpoints

This capability provides customers with the ability to meet compliance requirements to encrypt DNS traffic, such as the requirement for US Federal Agencies to encrypt DNS traffic in Office of Management and Budget (OMB) Memorandum M-22-09 Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

In this post, we walk you through how to set up DoH using Route 53 Resolver endpoints and Resolver query logging to verify that DoH is being used for DNS resolution and configure EC2 instances running Ubuntu 22 and Microsoft Windows Server 2022 to demonstrate the feature. This post assumes the reader has pre-existing experience setting up and configuring VPCs and on-premises DNS resolvers.

Setup walkthrough

Route 53 Resolver supports DoH for both inbound and outbound endpoints. To start encrypting our DNS queries, we will:

1. Create inbound and outbound endpoints that support DoH.
2. Configure Amazon Elastic Compute Cloud (Amazon EC2) instances running Ubuntu 22 and Microsoft Windows Server 2022 to submit DNS queries to the Route 53 inbound endpoint using DoH.
3. Demonstrate how to use Route 53 Resolver query logging to verify that the instances are using DoH for DNS resolution.
4. Configure Route 53 to forward DNS queries to an on-premises BIND server through an outbound resolver endpoint using DoH.

Prerequisites

Before you get started, make sure you have the following prerequisites met:

1. Establish private Layer 3 connectivity through AWS Direct Connect or AWS Site-to-Site VPN connection for DNS traffic to flow between your on-premises network and AWS using AWS Transit Gateway.
2. You have a virtual private cloud (VPC) with two subnets in separate Availability Zones to create your Amazon Route 53 Resolver endpoints (inbound and outbound). Optionally, you can enable IPv6 support for your VPC. Your VPC can operate in dual-stack mode, in which your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.
3. Create a private hosted zone and associate it to your VPC. You can also use Amazon Route 53 Profiles to define a standard DNS configuration, in the form of a Profile, that includes Route 53 private hosted zone (PHZ) associations.
4. Create a security group for inbound and outbound endpoints to allow TCP and UDP traffic on port 53 from anywhere using the recommended rules for inbound and outbound rules of your security group to avoid connection tracking. For more information, refer to this Using connection tracking improvements to increase network performance blog.
5. Configure Resolver query logging in Amazon Route 53 to log DNS queries and send to Amazon CloudWatch Logs.
6. Review Amazon Route 53 endpoint quotas as you choose different design architectures that can impact network performance.

Figure 1 shows the shared services VPC connected to AWS Transit Gateway using VPC attachment. Transit Gateway extends connectivity to the on-premises network over either a Direct Connect connection or a Site-to-Site VPN connection.

Figure 1: Shared services VPC connected through Transit Gateway and then to the on-premises network through Direct Connect and Site-to Site VPN

Create an Amazon Route 53 Resolver inbound endpoint with DoH attribute enabled

Amazon Route 53 Resolver endpoint supports three protocols: Do53, DoH, and DoH-FIPS.

1. Do53 – (Default) The data is relayed using the Route 53 Resolver without additional encryption over UDP or TCP.
2. DoH – The data is transmitted over an encrypted HTTPS session.
3. DoH-FIPS – The data is transmitted over an encrypted HTTPS session that is compliant with the FIPS 140-2 cryptographic standard. Supported for inbound endpoints only. For more information, see FIPS PUB 140-2.

Note: You cannot choose both DoH and DoH-FIPS at the same time. You can choose Do53 only, Do53 and DoH (or DoH-FIPS), or DoH-only (or DoH-FIPS only), depending on your requirements. Additionally, you cannot change the protocol of an inbound endpoint directly from Do53 only to DoH only, or DoH-FIPS only. The reverse is also true. This prevents sudden disruptions to incoming traffic.

To change the inbound resolver protocol from Do53 to DoH or DoH-FIPS, you must first enable both Do53 and DoH or Do53 and DoH-FIPS. Next, use Route 53 Resolver query logs to verify that all incoming traffic has transferred to using the DoH protocol or DoH-FIPS. Finally, edit the inbound endpoint configuration to remove Do53 protocol support.

Create a new Route 53 Resolver inbound endpoint that supports DoH and specify the following values (Figure 2):

1. Specify the name for the endpoint.
2. From the dropdown, select the VPC that you will use to forward DNS queries from your on-premises environment.
3. Select the Security group for this endpoint.
4. For Endpoint Type, choose Dual-stack. For a dual-stack endpoint, the endpoint will have both IPv4 and IPv6 addresses that your DNS resolver on your network can forward a DNS query to.
5. For Protocols for this endpoint, select DoH to allow DNS queries and responses to be encrypted using HTTPS.
6. Select the Availability Zones that will receive the inbound DNS queries from your on-premises network. We recommend choosing at least two Availability Zones for high availability.

Figure 2: Create Amazon Route 53 inbound endpoint to forward DNS queries to your VPC

Once we have created the inbound endpoints, make sure to record the IPv4 and IPv6 addresses (Figure 3) so we can use them to configure the Windows and Linux DNS clients.

Figure 3: Amazon Route 53 inbound endpoint details

Configuring Microsoft Windows Server DNS client

The Microsoft Windows Server DNS client supports DoH, starting with Windows Server 2022. To configure it, follow the steps shown below:

Step 1: Open PowerShell as an administrator and add Route 53 Resolver inbound endpoint as a DoH server. In the following command, replace the resolver IP address and Region with the IP address of the inbound resolver you created and the Region in which it is deployed:

C:\> Add-DnsClientDohServerAddress -ServerAddress 'resolver-IP address' -DohTemplate 'https://route53resolver.Region.amazonaws.com/dns-query’ -AllowFallbackToUdp $True -AutoUpgrade $True

ServerAddress AllowFallbackToUdp AutoUpgrade DohTemplate
------------- ------------------ ----------- -----------
10.2.0.54   False              False       https://route53resolver.Region.amazonaws.com/dns-query

Step 2: Set the Route 53 Resolver inbound endpoint as the default DNS server. As before, replace the server addresses with the IP address of the Route 53 Resolver inbound endpoint. Also, replace the interface index with the appropriate value for your environment.

C:\> Set-DnsClientServerAddress -InterfaceIndex 2 -ServerAddresses Route53-resolver-inbound-endpoint-IP-address

Step 3: Verify that DNS resolution works correctly. To do this, we used the PowerShell DNS resolution command to resolve the A record for the ipv4.aws.example.internal.

C:\> Resolve-DnsName -Name ipv4.aws.example.internal

Name                      Type   TTL    Section    IPAddress
----                      ----   ---    -------    ---------
ipv4.aws.example.internal  A      17     Answer    10.2.1.10

You can also optionally query AAAA records or public DNS names by conditionally forwarding the DNS queries to the IP addresses of the Route 53 Resolver inbound endpoint.

Configuring Ubuntu 22 to support DoH using dnsdist DNS proxy

Ubuntu 22 does not have native DoH support. Customers can add DoH support using a DNS proxy, which accepts traditional DNS queries over UDP on port 53 and then connects to a DNS resolver using DoH. We used an open source DNS proxy dnsdist to provide DoH support. After logging into an x86 EC2 instance running Ubuntu 22:

Step 1: Install dnsdist version 1.7.0 or later. Dnsdist versions 1.7.0 and later support DoH. Version 1.7.0 is available directly from PowerDNS, the developer of dnsdist. First, we will add the PowerDNS repositories and then install dnsdist.

Step 1a: Sudo to root

$ sudo -s

Step 1b: Add the PowerDNS repository key and the PowerDNS repository:

$ echo "deb [signed-by=/etc/apt/keyrings/dnsdist-18-pub.asc arch=amd64] http://repo.powerdns.com/ubuntu jammy-dnsdist-18 main" >> /etc/apt/sources.list.d/pdns.list 
$ echo -e "Package: dnsdist* \nPin:origin repo.powerdns.com\nPin-Priority: 600" >> /etc/apt/preferences.d/dnsdist-18 
$ install -d /etc/apt/keyrings; curl https://repo.powerdns.com/FD380FBB-pub.asc | tee /etc/apt/keyrings/dnsdist-18-pub.asc

Step 1c: Update available packages and install dnsdist

$ apt-get update && apt-get install dnsdist

Step 2: Once dnsdist is installed, we will edit dnsdist.conf to listen for DNS queries on localhost (127.0.0.1 or ::1) and resolve queries using DoH to the Route 53 Resolver inbound endpoint.

Step 2a: Open /etc/dnsdist/dnsdist.conf as a superuser using your favorite text editor.

$ sudo nano /etc/dnsdist/dnsdist.conf

Step 2b: Configure dnsdist to listen for DNS queries on localhost and use the Route 53 Resolver inbound endpoints to resolve DNS queries.

Add the following to /etc/dnsdist/dnsdist.conf. For both the IPv4 and IPv6 examples, replace the IP addresses and the Region with the IP addresses and Region for your resolver endpoints:

IPv4:

addLocal("127.0.0.1:53")
newServer({address=”Route53-resolver-inbound-endpoint-IPv4-address:443”, tls=”openssl”, subjectName=”route53resolver.Region.amazonaws.com”, dohPath=”/dns-query”, validateCertificates=true})

IPv6:

addLocal(“[::1]:53”)
newServer({address=”[Route53-resolver-inbound-endpoint-IPv6-address]:443”, tls=”openssl”, subjectName=”route53resolver.Region.amazonaws.com”, dohPath=”/dns-query”, validateCertificates=true})

Save, exit, and restart the dnsdist service.

Step 3: Use nslookup to verify that dnsdist can use DoH to resolve DNS queries. We will target localhost so that dnsdist forwards the query to the Route 53 Resolver inbound endpoint. We will resolve ipv4.aws.example.com as our example

$ nslookup ipv4.aws.example.internal 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1
Non-Authoritative answer:
Name:   ipv4.aws.example.internal
Address: 10.2.1.10

You can use Resolver query logs to verify that your on-premises clients are using DoH to send and receive DNS queries. When we search the DNS query logs results using CloudWatch Logs Insights, there is a new field transport. As shown in the figure 4, the client used DoH as the transport to communicate with the Route 53 Resolver inbound endpoint.

Figure 4: Route 53 Resolver DNS query logs showing DoH as the transport

Using the Route 53 Resolver inbound endpoint with DNS-over-HTTPS

Figure 5 shows a common customer configuration for a dual-stack Route 53 Resolver inbound endpoint configured with DoH. In this example architecture, the DNS queries and responses are encrypted between the on-premises clients and the Amazon Route 53 Resolver inbound endpoint using DoH. This provides additional confidentiality and integrity as the queries transit the customer’s environment and the Direct Connect connection or Site-to-Site VPN to AWS. In this example, an on-premises application server needs to resolve a DNS address for a private hosted zone:

1. The on-premises application server makes an A DNS query for ipv4.aws.example.internal and sends it to the on-premises DNS resolver.
2. The on-premises DNS resolver conditionally forwards the DNS query to the IPv4 addresses of the Route 53 Resolver inbound endpoint using DoH.
3. The Route 53 Resolver inbound endpoint service receives the query and processes it.
4. (4a) The inbound endpoint checks if the private hosted aws.example.internal is associated with it. (4b) The VPC DNS resolver checks if the private hosted zone aws.example.internal is associated with it.
5. The Route 53 Resolver returns the IPv4 address of the EC2 instance back to the inbound endpoint.
6. The Route 53 Resolver inbound endpoint sends the A response back to the on-premises DNS resolver.
7. The on-premises resolver returns the answer to the on-premises application server.

Figure 5: Route 53 Resolver inbound endpoint query and response flow with DNS over HTTPS

Configuring DoH for Route 53 Resolver outbound endpoints

Now, let’s configure an outbound endpoint with DoH to forward DNS queries that originate on EC2 instances in your VPC to your DNS resolver on the on-premises network.

Step 1: Configure an outbound endpoint and specify the following values:

1. Specify the name for the endpoint.
2. From the dropdown, select the VPC that you will forward DNS queries to your DNS resolver on the on-premises network
3. Select the Security group for this endpoint.
4. For Endpoint Type, choose Dual-stack. For a dual-stack endpoint, the endpoint will have both IPv4 and IPv6 addresses that your DNS resolver on your network can forward the DNS query to.
5. Select the Availability Zones that will use the outbound DNS queries to send to your on-premises network. We recommend choosing at least two Availability Zones for high availability. Specify the IP addresses that you want the outbound endpoint to forward DNS queries to on your network.

Figure 6: Create Amazon Route 53 Resolver outbound endpoint

Step 2: Create a resolver rule to forward DNS queries to your on-premises DNS resolver. Each rule has a domain to which the rule applies and one or more target IP addresses to which the queries should be forwarded. Figure 7 shows a forwarding rule that forwards DNS queries for foo.example.com to your on-premises DNS resolver using the DoH protocol.

As shown in Figure 7, each rule is associated with one or more target IP addresses. If the outbound endpoint is IPv4-only, then targets may only be IPv4. If the outbound endpoint is dual-stack, then the targets may be either IPv4 or IPv6. The targets must all be either IPv4 or IPv6. Both types cannot be used simultaneously in the same rule. In this case, we specified a DNS resolver with an IPv6 address as the target.

Figure 7: Creating a Route 53 Resolver rule that targets an IPv6 resolver using DoH

Important

Resolvers targeted by Route 53 outbound endpoints using DoH must use certificates signed by a publicly trusted certificate authority (CA). Certificates signed by a private CA are not trusted by the outbound resolver endpoint today and will be rejected.

Step 3: Once we have created the outbound resolver rule, we need to verify that the outbound resolver endpoint is able to forward queries to the on-premises endpoint.

In this example, we have used BIND to create an on-premises DNS resolver that supports DoH. We have configured BIND with A and AAAA records for foo.example.com.

To verify that the outbound endpoint can forward the query from the VPC to the BIND DNS resolver, we launch the Ubuntu 22 EC2 instance to send a DNS query to the VPC for foo.example.com. The VPC’s built-in DNS resolver (Route 53) uses the resolver rule we configured earlier to forward the query to the on-premises BIND resolver.

As shown in the output, the outbound resolver endpoint successfully forwarded the query to the BIND server and was able to return the query response to the EC2 instance.

$ nslookup foo.example.com 
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-Authoritative answer:
Name:   foo.example.com
Address: 172.16.0.10
Name:   foo.example.com
Address: 2001:db8:5678:abc

As we can see from the result, the on-premises DNS resolver was able to resolve the IPv4 and IPv6 addresses for foo.example.com.

Using the Route 53 Resolver outbound endpoint with DNS-over-HTTPS

Figure 8 shows the customer configuration for a dual-stack Route 53 Resolver outbound endpoint configured with DoH. As shown in Figure 8, adding DoH provides encryption for DNS queries between the outbound endpoint and the on-premises DNS resolver. This increases the confidentiality and integrity of the DNS queries through the customer’s on-premises network and AWS. In this example:

1. The EC2 instance in the dual-stack subnet makes an A DNS query for an on-premises resource (foo.example.com) and sends it to the Route 53 Resolver.
2. When the DNS query reaches the Route 53 Resolver within the VPC of the EC2 instance, it is evaluated against the associated resolver rules. The DNS query is matched against any of the resolver rules associated with the VPC. Then, depending on the type of rule, the DNS query follows a different path. A Route 53 Resolver rule is configured to forward queries to foo.example.com in the on-premises data center.
3. If it matches a forward rule, then the DNS query is sent to the IPv4 addresses of the outbound endpoint in the shared services VPC. Note that network connectivity between the EC2 instance and the outbound endpoint is not needed.
4. The Route 53 Resolver outbound endpoint forwards the query to the on-premises DNS resolver over the Direct Connect connection or Site-to-site VPN connection using DoH.
5. The on-premises DNS resolver resolves the query and returns the IPv4 address in the response to the outbound endpoint using DoH.
6. The outbound endpoint sends the DNS query response to the Route 53 resolver.
7. The Route 53 Resolver provides the DNS query response of the IPv4 address to the EC2 instance.

Figure 8: Route 53 Resolver outbound endpoint query and response flow with DNS over HTTPS

Clean Up

The pricing information for Amazon Route 53 endpoints is available here. If you do not want to incur costs for the resources, you can delete them using:

• Delete Inbound and Outbound Resolver Endpoints
• Terminate the EC2 instances you created for testing

Conclusion

In this post, we showed how you can create Amazon Route 53 inbound and outbound resolver endpoints with DNS-over-HTTPS (DoH) protocol to encrypt your DNS queries and response and improve privacy by minimizing the visibility of the information exchanged through the queries. We walked you through how to configure a Windows Server 2022 EC2 instance and an Ubuntu 22 instance to use the DoH endpoint, and we successfully tested it. We also explained common use cases for this functionality and demonstrated how you can use this functionality to improve the confidentiality and integrity of your DNS queries by encrypting them using DoH. To get started with DNS-over-HTTPS with Amazon Route 53 Resolver endpoints, you can refer to the Amazon Route 53 Developer Guide.

About the authors