What should the SysOps administrator do to meet these requirements?

By:
In: SOA-C02
Tagged:
With: 2 Comments
A company has an on-premises DNS solution and wants to resolve DNS records in an Amazon Route 53 private hosted zone for example.com.The company has set up an AWS Direct Connect connection for network connectivity between the on-premises network and the VPC.A SysOps administrator must ensure that an on-premises server can query records in the example.com domain.

What should the SysOps administrator do to meet these requirements?

Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

Create a Route 53 Resolver outbound endpoint. Attach a security group to the endpoint to allow outbound traffic on TCP/UDP port 53 to the on-premises DNS servers.

Explanations:

Creating a Route 53 Resolver inbound endpoint allows the on-premises DNS server to query DNS records in the Route 53 private hosted zone. The security group must allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers to ensure that DNS queries can be received.

A Route 53 Resolver inbound endpoint is meant for receiving queries from on-premises servers, not sending responses to them. Outbound traffic rules would not be applicable for this scenario as the queries come from on-premises to Route 53.

A Route 53 Resolver outbound endpoint is not suitable for this situation because it is used to forward DNS queries from Route 53 to on-premises DNS servers, rather than allowing on-premises servers to query Route 53 directly. Therefore, this option does not fulfill the requirement.

Similar to option C, creating a Route 53 Resolver outbound endpoint is incorrect in this context because it is used for forwarding queries to on-premises DNS servers. The on-premises server needs to send queries to the Route 53 private hosted zone, not the other way around.

2026-03-22

2 Comments

  1. Mason
    Author

    As I understand it, the answer is:
    Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

  2. Brian
    Author

    I calculate that the answer is:
    Create a Route 53 Resolver inbound endpoint. Attach a security group to the endpoint to allow inbound traffic on TCP/UDP port 53 from the on-premises DNS servers.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × 3 =