We have an EC2 in our private subnet hosting a Jenkins server. We have a Client VPN Endpoint to connect to this private subnet. Our EC2 SG allows Inbound HTTP requests from the VPN SG and this VPN SG allows Outbound HTTP requests to our EC2 SG. So while connected to the VPN, we can connect to the EC2 using its Private IP address.
We now want to add a DNS Record on top of this Private IP address.
We already have a private Hosted Zone associated with the right VPN. Our Client VPN Endpoint references the two DNS server IP addresses, meaning that we've filled the DNS servers field of the Client VPN Endpoint with the two IP addresses of our Route 53 Resolver Inbound Endpoint. "DNS resolution" and "DNS hostnames" are enabled in our VPC. Finally, we have a simple A record whose value is the EC2 private IP.
When logged into our VPN, the DNS Record is still not working. What are we missing?
Complementary information:
Confirm that the Resolver rule and its inbound endpoint resolve to different VPCs
that there can be an infinite loop.
Queries run on my laptop that could help:
❯ dig my.dns.internal
;; communications error to 127.0.0.53#53: timed out
; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> my.dns.internal
;; global options: +cmd
;; no servers could be reached
❯ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
❯ resolvectl status
...
Link 4 (tun0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: resolverIp1
DNS Servers: resolverIp1 resolverIp2
Doc checked on this topic:
The issue was that my Resolver Inbound Endpoint IP addresses, meaning its network interface's security group, were closed to my VPN. To fix this you have to:
curl http://myPrivateIP
(you can check this from your VPN and, if it's not working, check it from a private EC2 in the same subnet)
curl http://mydns
resolvectl status
dig my.dns.internal
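As an added example (not part of the original question or answer), the check below automates exactly the gap the answer describes: it reads a security group in the shape returned by `aws ec2 describe-security-groups` / boto3 `describe_security_groups()`, reports whether UDP and TCP 53 are admitted from the Client VPN endpoint's security group, and builds the `authorize_security_group_ingress` payload that closes it. The group IDs and the pre-fix rule set are constructed sample data, so it runs offline.

```python
"""Added example (not from the original post): a pre-flight check for a Route 53
Resolver inbound endpoint whose security group does not admit DNS from the
Client VPN endpoint's security group.  Works on the document shape returned by
`aws ec2 describe-security-groups` / boto3 describe_security_groups(); the
sample below is constructed and all group IDs are assumptions."""

DNS_PORT = 53
# The resolver answers over both transports; truncated answers and retries use TCP.
REQUIRED_DNS = (("udp", DNS_PORT), ("tcp", DNS_PORT))

# Assumed IDs for the two groups involved.
RESOLVER_SG_ID = "sg-0resolverinbound0"
VPN_SG_ID = "sg-0clientvpn0000000"

# Constructed sample: the endpoint's SG before the fix. It only admits HTTP from
# the EC2 group, so the resolver never sees the queries coming in over tun0.
RESOLVER_SG_BEFORE = {
    "GroupId": RESOLVER_SG_ID,
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0ec2jenkins000000"}],
        },
    ],
}


def rule_allows(rule, source_sg_id, proto, port):
    """True if one IpPermissions entry admits proto/port from source_sg_id.

    Client VPN traffic enters the VPC from the endpoint's network interfaces,
    so the relevant source is the VPN security group, not a client CIDR.
    """
    if rule["IpProtocol"] != "-1":  # "-1" is "all traffic" and carries no ports
        if rule["IpProtocol"] != proto:
            return False
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    return any(pair.get("GroupId") == source_sg_id
               for pair in rule.get("UserIdGroupPairs", []))


def missing_dns_rules(sg, source_sg_id):
    """Return the (proto, port) pairs that sg does NOT admit from source_sg_id."""
    return [
        (proto, port)
        for proto, port in REQUIRED_DNS
        if not any(rule_allows(r, source_sg_id, proto, port)
                   for r in sg["IpPermissions"])
    ]


def ingress_params(sg_id, source_sg_id, missing):
    """Build the keyword arguments for ec2.authorize_security_group_ingress()
    (same shape as --ip-permissions on the CLI) that close the reported gap."""
    return {
        "GroupId": sg_id,
        "IpPermissions": [
            {
                "IpProtocol": proto, "FromPort": port, "ToPort": port,
                "UserIdGroupPairs": [
                    {"GroupId": source_sg_id, "Description": "DNS from Client VPN"}
                ],
            }
            for proto, port in missing
        ],
    }


def apply_offline(sg, params):
    """Return a copy of sg with the new rules appended, to re-check without AWS."""
    return {**sg, "IpPermissions": sg["IpPermissions"] + params["IpPermissions"]}


if __name__ == "__main__":
    gap = missing_dns_rules(RESOLVER_SG_BEFORE, VPN_SG_ID)
    print("missing on resolver SG:", gap)
    params = ingress_params(RESOLVER_SG_ID, VPN_SG_ID, gap)
    print("ec2.authorize_security_group_ingress(**params) with:", params)
    fixed = apply_offline(RESOLVER_SG_BEFORE, params)
    print("after fix, missing:", missing_dns_rules(fixed, VPN_SG_ID))
```

Against the sample the check reports both `("udp", 53)` and `("tcp", 53)` missing and the payload it builds adds exactly those two rules referencing the VPN group. When testing from the laptop, `dig @resolverIp1 my.dns.internal` queries the inbound endpoint directly and is a cleaner signal than the `communications error to 127.0.0.53#53` above, which only says that the systemd-resolved stub got no answer from its upstream.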