
Cannot resolve IP address of a private AWS RDS database

I work from home. I use NextDNS. My company uses AWS RDS clusters in private subnets. The RDS endpoints are private, so they're in private CIDR ranges (e.g. 10.x.x.x). However, the DNS records are public. I can resolve these addresses using Google/Cloudflare DNS services, but I cannot resolve them with NextDNS:

# Cloudflare
dig @1.1.1.1 <private_rds>.rds.amazonaws.com
;; ANSWER SECTION:
<dbname>.<unique_id>.<aws_region>.rds.amazonaws.com. 5 IN A 10.1.2.3

# Google
dig @8.8.8.8 <private_rds>.rds.amazonaws.com
;; ANSWER SECTION:
<dbname>.<unique_id>.<aws_region>.rds.amazonaws.com. 5 IN A 10.1.2.3

# Home router (NextDNS)
dig <private_rds>.rds.amazonaws.com
;; ANSWER SECTION:
<dbname>.<unique_id>.<aws_region>.rds.amazonaws.com. IN A


I am aware of DNS rebind protection interfering with public DNS names that resolve to private IP addresses, but I have whitelisted *.amazonaws.com to get around this. So my NextDNS logs show that the lookup request came through and was not filtered or blocked. But NextDNS fails to resolve the address, while the other providers do not.

1 reply

    • Lalit_Kapoor
    • 2 mths ago

    For me it turned out that DNS rebind protection was turned on on the router itself (and off in NextDNS). I had to put in some exception rules for my IP/netmasks. This isn't ideal.

    I don't have a problem if I use Cloudflare as the DNS setting in my router. Something about the metadata coming back must be raising a flag in dnsmasq (what my router is using), which then denies the DNS request.


    I'd love to hear from the NextDNS team about this one.
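An added example (not from the thread or from NextDNS) showing the dnsmasq settings behind the behaviour described in the reply: the rebind protection as many router firmwares ship it, and a corrected version that keeps the protection on but exempts only the RDS zone. The option names are dnsmasq's own; the file path and zone names are assumptions for this illustration.

```conf
# Added example, not from the thread. Assumed file: /etc/dnsmasq.conf on the
# home router. Option names are dnsmasq's; the zone is an assumption.

# --- Typical router default ---
# With this set, dnsmasq rewrites any upstream answer that maps a public name to
# an RFC1918 or loopback address into a NODATA reply (no ANSWER records) and
# logs a "possible DNS-rebind attack detected" warning. That is exactly what the
# "Home router (NextDNS)" dig above shows for the 10.1.2.3 RDS endpoint.
stop-dns-rebind

# --- Corrected configuration ---
# Keep the protection enabled globally rather than switching it off ...
stop-dns-rebind
# ... allow loopback answers, which some legitimate services return ...
rebind-localhost-ok
# ... and exempt only the zone whose private answers are actually expected.
# The match covers the name and every label beneath it, so the
# <dbname>.<unique_id>.<aws_region>.rds.amazonaws.com endpoints resolve without
# exempting all of amazonaws.com.
rebind-domain-ok=/rds.amazonaws.com/
# Optional: log each query while validating the change, then remove.
log-queries
```

After restarting dnsmasq, a repeat of `dig <private_rds>.rds.amazonaws.com` against the router should return the 10.x.x.x A record, while any other public name answering with a private address is still filtered.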
