How can I avoid DNS resolution failures with Amazon Elastic Compute Cloud (Amazon EC2) Linux?
To reduce CPU and network usage and avoid DNS resolution failures, use a local DNS cache.
With a local DNS cache, when your applications connect to AWS services such as Amazon Relational Database Service (Amazon RDS), Amazon ElastiCache, or Amazon Simple Storage Service (Amazon S3), most of the recurring DNS queries are answered locally by the cache without a round trip to the DNS resolver over the network.
To set up a local DNS cache on Amazon Linux, configure dnsmasq (a lightweight DHCP and caching DNS server) as follows:
1. Install dnsmasq by running the following command:
sudo yum install -y dnsmasq
2. Create a dedicated system user to run dnsmasq using the following commands:
sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq
Note: dnsmasq typically runs as the root user, but drops root privileges after startup by changing to another user (by default, the user is “nobody”).
3. Move the original dnsmasq configuration file aside as a backup using the following command:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
4. Open the configuration file using a text editor (for example, vim):
sudo vim /etc/dnsmasq.conf
5. Edit /etc/dnsmasq.conf so that it resembles the following:
# Server Configuration
# Name resolution options
6. Create the file /etc/resolv.dnsmasq, which tells dnsmasq which upstream (parent) nameservers to forward to:
sudo vim /etc/resolv.dnsmasq
Note: For EC2-Classic, the Amazon DNS server is located at 172.16.0.23. For EC2 VPC, you can find more information about DNS server locations at DHCP Options Sets. If you create an AMI from an instance with the dnsmasq cache to launch in another VPC with a different CIDR, or you have a custom DNS server specified in your DHCP options, adjust the file /etc/resolv.dnsmasq to use the nameserver for that network.
7. Start dnsmasq and configure the service to start on boot using the following commands:
sudo service dnsmasq start
sudo chkconfig dnsmasq on
8. Verify that dnsmasq is working correctly using the dig command:
dig aws.amazon.com @127.0.0.1
If the response is similar to the following, the dnsmasq cache is working correctly:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.56.amzn1 <<>> aws.amazon.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25122
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aws.amazon.com. IN A
;; ANSWER SECTION:
aws.amazon.com. 41 IN A 126.96.36.199
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
...
9. Set the dnsmasq DNS cache as the default DNS resolver.
Note: You must suppress the default DNS resolver provided by DHCP by changing or creating the /etc/dhcp/dhclient.conf file. For more information, see How do I assign a static DNS server to a private Amazon EC2 instance running Ubuntu, RHEL, or Amazon Linux?
10. Configure the default DNS resolver as a fallback option by using the following commands:
sudo vim /etc/dhcp/dhclient.conf
supersede domain-name-servers 127.0.0.1, 10.0.0.2;
11. To apply the change, run the dhclient command, or reboot your instance:
sudo dhclient
- or -
sudo reboot
To verify that your instance is using the DNS cache, run the dig command:
dig aws.amazon.com
If the response indicates that the server replying to your DNS request is 127.0.0.1, the DNS cache is working correctly:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.56.amzn1 <<>> aws.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1028
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aws.amazon.com. IN A
;; ANSWER SECTION:
aws.amazon.com. 55 IN A 188.8.131.52
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) <<<-------
...
Link to resource: https://aws.amazon.com/premiumsupport/knowledge-center/dns-resolution-failures-ec2-linux/
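The following shell script is added here as an example and is not part of the AWS article. It turns the verification in steps 8 through 11 into repeatable checks: the dig response must come from 127.0.0.1#53, the UDP port 53 listener reported by ss -lnu must be bound to loopback only (a cache bound to 0.0.0.0 is reachable from the VPC and acts as an open resolver), and /etc/resolv.conf must list 127.0.0.1 first with a fallback nameserver after it. The checks parse captured command output, so the samples embedded in the script are constructed rather than copied from a real instance.

```shell
#!/bin/sh
# Added example (not from the AWS article): offline sanity checks for the
# dnsmasq cache. Inputs are captured command output; samples are constructed.

# dig output proves the cache answered: status NOERROR and SERVER 127.0.0.1#53.
dig_uses_local_cache() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$1" | grep -q 'SERVER: 127\.0\.0\.1#53' || return 1
}
# Output of "ss -lnu": every UDP socket on port 53 must be bound to loopback.
# A cache bound to 0.0.0.0 is reachable from the VPC and becomes an open
# resolver for anything the security group admits.
dns_listener_loopback_only() {
    printf '%s\n' "$1" | awk 'BEGIN { bad = 0 }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /:53$/ && $i !~ /^(127\.0\.0\.1|\[::1\]):53$/) bad = 1 }
        END { exit bad }'
}
# /etc/resolv.conf: the cache must be the first nameserver and a second one
# must follow it, so resolution survives a dnsmasq outage (step 10 above).
resolv_conf_prefers_cache() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    count=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { n++ } END { print n + 0 }')
    [ "$first" = "127.0.0.1" ] && [ "$count" -ge 2 ]
}
# Constructed samples: a correctly configured instance and two misconfigurations.
DIG_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1028
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*'
SS_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:53         0.0.0.0:*'
RESOLV_GOOD='options timeout:2
nameserver 127.0.0.1
nameserver 10.0.0.2'
RESOLV_NO_FALLBACK='nameserver 127.0.0.1'
# Runs every sample; returns 0 only when each behaves as expected.
run_checks() {
    dig_uses_local_cache "$DIG_GOOD"                  || return 1
    dns_listener_loopback_only "$SS_GOOD"             || return 1
    if dns_listener_loopback_only "$SS_OPEN"; then return 1; fi
    resolv_conf_prefers_cache "$RESOLV_GOOD"          || return 1
    if resolv_conf_prefers_cache "$RESOLV_NO_FALLBACK"; then return 1; fi
    echo "all sample checks behaved as expected"
}
run_checks
```

On a live instance, feed the functions real output, for example dig_uses_local_cache "$(dig aws.amazon.com)" and dns_listener_loopback_only "$(ss -lnu)".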