What should the SysOps administrator do to meet these requirements?
A. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
B. Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
C. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.
D. Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.
Explanations:
A. Creating a Route 53 Resolver inbound endpoint allows the on-premises DNS servers to query DNS records in the Route 53 private hosted zone. The security group must allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers so that the endpoint can receive their DNS queries.
B. A Route 53 Resolver inbound endpoint receives queries from on-premises servers; it does not initiate queries to them. An outbound rule is therefore not what this scenario needs, because the queries travel from on-premises to Route 53.
C. A Route 53 Resolver outbound endpoint is not suitable for this situation because it is used to forward DNS queries from Route 53 to on-premises DNS servers, rather than allowing on-premises servers to query Route 53 directly. Therefore, this option does not fulfill the requirement.
D. Similar to option C, creating a Route 53 Resolver outbound endpoint is incorrect in this context because it is used for forwarding queries to on-premises DNS servers. The on-premises servers need to send queries to the Route 53 private hosted zone, not the other way around.
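The inbound-endpoint setup described in the first explanation, written as a CloudFormation template. This is an added example, not part of the original question; the parameter names, resource names and the 192.0.2.53/32 source address are assumptions chosen for illustration.

```yaml
# Added example: names, parameters and CIDR are assumptions, not from the page.
AWSTemplateFormatVersion: "2010-09-09"
Description: Inbound Resolver endpoint reachable only from on-premises DNS servers

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetA:
    Type: AWS::EC2::Subnet::Id
  SubnetB:
    Type: AWS::EC2::Subnet::Id
  OnPremDnsCidr:
    Type: String
    Default: 192.0.2.53/32   # constructed placeholder (documentation range)

Resources:
  InboundDnsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DNS from on-premises resolvers to the inbound endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # UDP carries normal queries; TCP is needed for truncated or large answers.
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremDnsCidr
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremDnsCidr

  InboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: onprem-to-private-zone
      Direction: INBOUND          # on-premises -> Route 53, as in option A
      SecurityGroupIds:
        - !GetAtt InboundDnsSecurityGroup.GroupId
      IpAddresses:                # one IP per subnet, in two Availability Zones
        - SubnetId: !Ref SubnetA
        - SubnetId: !Ref SubnetB

Outputs:
  ResolverEndpointId:
    Value: !GetAtt InboundEndpoint.ResolverEndpointId
```

Scoping the ingress rules to the on-premises DNS servers' addresses, rather than a broad range, keeps the endpoint from answering private-zone queries for any other host that can route to it.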