

# How Resolver endpoints forward DNS queries from your VPCs to your network
<a name="resolver-overview-forward-vpc-to-network"></a>

When you want to forward DNS queries from the EC2 instances in one or more VPCs in an AWS Region to your network, you perform the following steps.

1. You create a Resolver outbound endpoint in a VPC, and you specify several values:
   + The VPC that you want DNS queries to pass through on the way to the resolvers on your network. 
   + A [VPC security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) that includes outbound rules allowing TCP and UDP access on port 53 (or the port you're using for DNS queries on your network).

   For each IP address that you specify for the outbound endpoint, VPC Resolver creates an Amazon VPC elastic network interface in the VPC that you specify. For more information, see [Considerations when creating inbound and outbound endpoints](resolver-choose-vpc.md).

1. You create one or more rules, which specify the domain names of the DNS queries that you want VPC Resolver to delegate or forward to resolvers on your network. For forwarding rules, you also specify the IP addresses of the resolvers. For more information, see [Using rules to control which queries are forwarded to your network](resolver-overview-forward-vpc-to-network-using-rules.md).

1. You associate each rule with the VPCs for which you want to forward DNS queries to your network.

# Using rules to control which queries are forwarded to your network
<a name="resolver-overview-forward-vpc-to-network-using-rules"></a>

Rules control which DNS queries Resolver endpoints forward to DNS resolvers on your network and which queries VPC Resolver answers itself.

You can categorize rules in a couple of ways. One way is by who creates the rules:
+ **Autodefined rules** – VPC Resolver automatically creates autodefined rules and associates the rules with your VPCs. Most of these rules apply to the AWS-specific domain names that VPC Resolver answers queries for. For more information, see [Domain names that VPC Resolver creates autodefined system rules for](resolver-overview-forward-vpc-to-network-autodefined-rules.md).
+ **Custom rules** – You create custom rules and associate the rules with VPCs. Currently, you can create two types of custom rules, **conditional forwarding rules**, also known as forwarding rules, and **delegation rules**. **Forwarding** rules cause VPC Resolver to forward DNS queries from your VPCs to the IP addresses for DNS resolvers on your network.

  If you create a forwarding rule for the same domain as an autodefined rule, VPC Resolver forwards queries for that domain name to DNS resolvers on your network based on the settings in the forwarding rule.

  **Delegation rules** forward DNS queries to the resolvers on your network when the NS records in a response match the delegation records in the delegation rule.

Another way to categorize rules is by what they do:
+ **Conditional forwarding rules** – You create conditional forwarding rules (also known as forwarding rules) when you want to forward DNS queries for specified domain names to DNS resolvers on your network.
+ **System rules** – System rules cause VPC Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, VPC Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.

  By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but you don't want to forward queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.
+ **Recursive rule** – VPC Resolver automatically creates a recursive rule named **Internet Resolver**. This rule causes Route 53 VPC Resolver to act as a recursive resolver for any domain names that you didn't create custom rules for and that VPC Resolver didn't create autodefined rules for. For information about how to override this behavior, see "Forwarding All Queries to Your Network" later in this topic.

You can create custom rules that apply to specific domain names (yours or most AWS domain names), to public AWS domain names, or to all domain names.

**Forwarding queries for specific domain names to your network**  
To forward queries for a specific domain name, such as example.com, to your network, you create a rule and specify that domain name. For **forwarding** rules, you also specify the IP addresses of the DNS resolvers on your network that you want to forward the queries to. For **delegation** rules, you instead create the delegation record for the domain whose authority you want to delegate to on-premises resolvers. You then associate each rule with the VPCs for which you want to forward DNS queries to your network. For example, you can create separate rules for example.com, example.org, and example.net. Then you can associate the rules with the VPCs in an AWS Region in any combination.

**Forwarding queries for amazonaws.com to your network**  
The domain name amazonaws.com is the public domain name for AWS resources such as EC2 instances and S3 buckets. If you want to forward queries for amazonaws.com to your network, create a rule, specify amazonaws.com for the domain name, and specify **Forward** or **Delegation** for the rule type depending on which method you want to use.  
VPC Resolver doesn't automatically forward DNS queries for some amazonaws.com subdomains even if you create a forwarding rule for amazonaws.com. For more information, see [Domain names that VPC Resolver creates autodefined system rules for](resolver-overview-forward-vpc-to-network-autodefined-rules.md). For information about how to override this behavior, see "Forwarding All Queries to Your Network," immediately following.

**Forwarding all queries to your network**  
If you want to forward all queries to your network, you create a rule, specify "." (dot) for the domain name, and associate the rule with the VPCs for which you want to forward all DNS queries to your network. VPC Resolver still doesn't forward all DNS queries to your network because using a DNS resolver outside of AWS would break some functionality. For example, some internal AWS domain names have internal IP address ranges that aren't accessible from outside of AWS. For a list of the domain names for which queries aren't forwarded to your network when you create a rule for ".", see [Domain names that VPC Resolver creates autodefined system rules for](resolver-overview-forward-vpc-to-network-autodefined-rules.md).  
However, autodefined system rules for reverse DNS can be disabled, allowing the "." rule to forward all reverse DNS queries to your network. For more information on how to turn off the autodefined rules, see [Forwarding rules for reverse DNS queries in VPC Resolver](resolver-rules-managing.md#resolver-automatic-forwarding-rules-reverse-dns).  
If you want to try forwarding DNS queries for all domain names to your network, including the domain names that are excluded from forwarding by default, you can create a "." rule and do one of the following:  
+ Set the `enableDnsHostnames` flag for the VPC to `false`
+ Create rules for the domain names that are listed in [Domain names that VPC Resolver creates autodefined system rules for](resolver-overview-forward-vpc-to-network-autodefined-rules.md)
If you forward all domain names to your network, including the domain names that VPC Resolver excludes when you create a "." rule, some features might stop working.

# How VPC Resolver determines whether the domain name in a query matches any rules
<a name="resolver-overview-forward-vpc-to-network-domain-name-matches"></a>

Route 53 VPC Resolver compares the domain name in the DNS query with the domain name in the rules that are associated with the VPC that the query originated from. VPC Resolver considers the domain names to match in the following cases:
+ The domain names match exactly
+ The domain name in the query is a subdomain of the domain name in the rule

For example, if the domain name in the rule is acme.example.com, VPC Resolver considers the following domain names in a DNS query to be a match:
+ acme.example.com
+ zenith.acme.example.com

The following domain names are not a match:
+ example.com
+ nadir.example.com

If the domain name in a query matches the domain name in more than one rule (such as example.com and www.example.com), VPC Resolver routes outbound DNS queries using the rule that contains the most specific domain name (www.example.com).
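The matching and most-specific-rule selection described in this section, as an added example that is not part of the AWS documentation. The rule set, the on-premises resolver IP addresses, and the `Rule` class are constructed for illustration; the rule type names follow the console names used on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    domain: str           # "example.com", or "." for the autodefined catch-all rule
    rule_type: str        # "FORWARD", "SYSTEM" or "RECURSIVE"
    targets: tuple = ()   # on-premises resolver IPs (FORWARD rules only)


def labels(name: str) -> list:
    """Split a DNS name into labels; names are case-insensitive and a trailing dot is optional."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def matches(rule_domain: str, query_name: str) -> bool:
    """True on an exact match or when the query is a subdomain of the rule domain.

    The comparison is done on whole labels, so a rule for example.com does not
    match notexample.com. The "." rule has no labels and matches every name.
    """
    rd, qn = labels(rule_domain), labels(query_name)
    if not rd:
        return True
    return len(qn) >= len(rd) and qn[-len(rd):] == rd


def select_rule(rules, query_name: str):
    """Among all matching rules, the one with the most specific (longest) domain name wins."""
    candidates = [r for r in rules if matches(r.domain, query_name)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(labels(r.domain)))


# Constructed rule set mirroring the page's examples (IP addresses are made up).
RULES = [
    Rule(".", "RECURSIVE"),                                        # autodefined Internet Resolver rule
    Rule("example.com", "FORWARD", ("10.1.1.53", "10.1.2.53")),    # forward the whole domain on-prem
    Rule("acme.example.com", "SYSTEM"),                            # system rule: resolve this subdomain locally
    Rule("www.example.com", "FORWARD", ("10.1.1.53",)),            # more specific than example.com
]


def resolve_target(query_name: str, rules=RULES) -> tuple:
    """Return (rule domain, rule type, targets) that VPC Resolver would apply to the query."""
    rule = select_rule(rules, query_name)
    return (rule.domain, rule.rule_type, rule.targets)
```

Because the autodefined "." rule is always present, `select_rule` never returns `None` for the constructed set; it can only do so if you remove that rule.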

# How VPC Resolver determines where to forward DNS queries
<a name="resolver-overview-forward-vpc-to-network-where-to-forward-queries"></a>

When an application that runs on an EC2 instance in a VPC submits a DNS query, Route 53 VPC Resolver performs the following steps:

1. Resolver checks for domain names in rules.

   If the domain name in a query matches the domain name in a default forward rule, VPC Resolver forwards the query to the IP address that you specified when you created the outbound endpoint. The outbound endpoint then forwards the query to the IP addresses of resolvers on your network, which you specified when you created the rule.

   If the NS records in a response match the delegation records in a delegation rule, Resolver delegates authority to the on-premises resolvers through the outbound endpoint that is associated with the delegation rule.

   For more information, see [How VPC Resolver determines whether the domain name in a query matches any rules](resolver-overview-forward-vpc-to-network-domain-name-matches.md). 

1. Resolver endpoint forwards DNS queries based on the settings in the "." rule.

   If the domain name in a query doesn't match the domain name in any other rules, VPC Resolver forwards the query based on the settings in the autodefined "." (dot) rule. The dot rule applies to all domain names except some AWS internal domain names and record names in private hosted zones. This rule causes VPC Resolver to forward DNS queries to public name servers if the domain names in queries don't match any names in your custom forwarding rules. If you want to forward all queries to the DNS resolvers on your network, you can create a custom forwarding rule, specify "." for the domain name, specify **Forwarding** for **Type**, and specify the IP addresses of those resolvers. 

1. VPC Resolver returns the response to the application that submitted the query.

# Using rules in multiple Regions
<a name="resolver-overview-forward-vpc-to-network-using-rules-multiple-regions"></a>

Route 53 VPC Resolver is a regional service, so objects that you create in one AWS Region are available only in that Region. To use the same rule in more than one Region, you must create the rule in each Region.

The AWS account that created a rule can share the rule with other AWS accounts. For more information, see [Sharing Resolver rules with other AWS accounts and using shared rules](resolver-rules-managing.md#resolver-rules-managing-sharing).

# Domain names that VPC Resolver creates autodefined system rules for
<a name="resolver-overview-forward-vpc-to-network-autodefined-rules"></a>

Resolver automatically creates autodefined system rules that define how queries for selected domains are resolved by default:
+ For private hosted zones and for Amazon EC2–specific domain names (such as compute.amazonaws.com and compute.internal), autodefined rules ensure that your private hosted zones and EC2 instances continue to resolve if you create conditional forwarding rules for less specific domain names such as "." (dot) or "com".
+ For publicly reserved domain names (such as localhost and 10.in-addr.arpa), DNS best practices recommend that queries are answered locally instead of being forwarded to public name servers. See [RFC 6303, Locally Served DNS Zones](https://tools.ietf.org/html/rfc6303).

**Note**  
If you create a conditional forwarding rule for "." (dot) or "com", we recommend that you also create a system rule for amazonaws.com. (System rules cause VPC Resolver to locally resolve DNS queries for specific domains and subdomains.) Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and reduces VPC Resolver charges.

If you want to override an autodefined rule, you can create a conditional forwarding rule for the same domain name. 

You can also disable some of the autodefined rules. For more information, see [Forwarding rules for reverse DNS queries in VPC Resolver](resolver-rules-managing.md#resolver-automatic-forwarding-rules-reverse-dns). 

VPC Resolver creates the following autodefined rules.

**Rules for private hosted zones**  
For each private hosted zone that you associate with a VPC, VPC Resolver creates a rule and associates it with the VPC. If you associate the private hosted zone with multiple VPCs, VPC Resolver associates the rule with the same VPCs.  
The rule has a type of **Forward**.

**Rules for various AWS internal domain names**  
All rules for the internal domain names in this section have a type of **Forward**. VPC Resolver forwards DNS queries for these domain names to the authoritative name servers for the VPC.  
VPC Resolver creates most of these rules when you set the `enableDnsHostnames` flag for a VPC to `true`. VPC Resolver creates the rules even if you aren't using Resolver endpoints.
VPC Resolver creates the following autodefined rules and associates them with a VPC when you set the `enableDnsHostnames` flag for the VPC to `true`:   
+ *Region-name*.compute.internal, for example, eu-west-1.compute.internal. The us-east-1 Region doesn't use this domain name.
+ *Region-name*.compute.*amazon-domain-name*, for example, eu-west-1.compute.amazonaws.com or cn-north-1.compute.amazonaws.com.cn. The us-east-1 Region doesn't use this domain name.
+ ec2.internal. Only the us-east-1 Region uses this domain name.
+ compute-1.internal. Only the us-east-1 Region uses this domain name.
+ compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.
The following autodefined rules handle reverse DNS lookups for the domain names above; VPC Resolver creates them when you set the `enableDnsHostnames` flag for the VPC to `true`.  
+ 10.in-addr.arpa
+ 16.172.in-addr.arpa through 31.172.in-addr.arpa 
+ 168.192.in-addr.arpa
+ 254.169.254.169.in-addr.arpa
+ Rules for each of the CIDR ranges for the VPC. For example, if a VPC has a CIDR range of 10.0.0.0/23, VPC Resolver creates the following rules: 
  + 0.0.10.in-addr.arpa
  + 1.0.10.in-addr.arpa
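
The page shows only the 10.0.0.0/23 case; this added example (not AWS code) computes the in-addr.arpa names that cover an IPv4 CIDR block. It generalizes by rounding the prefix up to the next octet boundary and enumerating every block of that size, which is an assumption about how other prefix lengths are handled, not something the page states.

```python
import ipaddress


def reverse_zones_for_cidr(cidr: str) -> list:
    """Return the in-addr.arpa names covering an IPv4 CIDR block.

    Page example: 10.0.0.0/23 -> 0.0.10.in-addr.arpa and 1.0.10.in-addr.arpa.
    Assumption (not stated on the page): the prefix is rounded up to the next
    octet boundary (8, 16 or 24) and one zone is produced per block of that size;
    a prefix longer than /24 still yields a single /24 zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only; the page lists IPv4 in-addr.arpa rules")
    # ceil(prefixlen / 8), clamped to 1..3 octets
    octets = max(1, min(3, -(-net.prefixlen // 8)))
    zone_prefix = octets * 8
    # Only split when the zone boundary is finer than the CIDR itself
    blocks = net.subnets(new_prefix=zone_prefix) if zone_prefix > net.prefixlen else [net]
    zones = []
    for block in blocks:
        leading = str(block.network_address).split(".")[:octets]
        zones.append(".".join(reversed(leading)) + ".in-addr.arpa")
    return zones
```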
The following autodefined rules, for localhost-related domains, are also created and associated with a VPC when you set the `enableDnsHostnames` flag for the VPC to `true`:  
+ localhost
+ localdomain
+ 127.in-addr.arpa
+ 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
VPC Resolver creates the following autodefined rules and associates them with your VPC when you connect the VPC with another VPC through a transit gateway or VPC peering, with DNS support enabled:  
+ The reverse DNS lookup for the peer VPC's IP address ranges, for example, 0.192.in-addr.arpa

  If you add an IPv4 CIDR block to a VPC, VPC Resolver adds an autodefined rule for the new IP address range.
+ If the other VPC is in another Region, the following domain names:
  + *Region-name*.compute.internal. The us-east-1 Region doesn't use this domain name.
  + *Region-name*.compute.*amazon-domain-name*. The us-east-1 Region doesn't use this domain name.
  + ec2.internal. Only the us-east-1 Region uses this domain name.
  + compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

**A rule for all other domains**  
VPC Resolver creates a "." (dot) rule that applies to all domain names that aren't specified earlier in this topic. The "." rule has a type of **Recursive**, which means that the rule causes VPC Resolver to act as a recursive resolver.