Troubleshooting EC2 Instance Resolution with On-Premise Resources



Question

Your company has an on-premises environment with Active Directory for authentication and a DNS server.

You are trying to make the EC2 instances in your AWS VPC resolve the on-premises resources, but it does not seem to work.

What could be the reason for this?

Choose 2 answers from the options given below.

Answers

A. The NACL is blocking UDP port 53 outbound.
B. The NACL is blocking TCP port 53 outbound.
C. The Security Group is blocking port 80 inbound.
D. The Security Group is blocking port 80 outbound.

Explanations

Answer - A and B.

DNS servers listen on port 53, so that port must be permitted in the subnet's Network Access Control List (NACL) for the EC2 instances to reach the on-premises DNS server.

During DNS resolution, DNS messages are sent from DNS clients to DNS servers or between DNS servers.

Queries are normally sent over UDP, and DNS servers bind to UDP port 53.

When the response exceeds the default maximum size of a UDP DNS message (512 octets, unless the client has negotiated a larger size with EDNS(0)), the server returns as much data as fits and sets the TC (truncated) flag in the response header.

The client can then reissue the same request over TCP port 53, which is why both UDP 53 and TCP 53 must be allowed.
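The truncation fallback described above, as an added example that is not part of the original page: it builds a minimal RFC 1035 query, inspects the TC bit of a response header, and reissues the query over TCP (with the 2-byte length prefix that DNS over TCP requires) when the UDP answer was truncated. The two response headers at the bottom are constructed sample data, not a real capture, and the server address is an assumption for the sake of the demonstration.

```python
import socket
import struct

# Bits of the 16-bit DNS flags word (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000  # response (1) or query (0)
FLAG_TC = 0x0200  # message was truncated to fit the transport
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
UDP_MAX_CLASSIC = 512  # maximum UDP payload without EDNS(0)


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query in wire format."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(response: bytes) -> bool:
    """True when the server set TC and the client should retry over TCP/53."""
    return parse_header(response)["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP stream closed before the full DNS message arrived")
        data += chunk
    return data


def resolve(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Query over UDP/53 first; on a truncated answer, repeat the query over TCP/53.

    Both paths must be open in the subnet NACL (and the reply path back to the
    client's ephemeral port, because NACLs are stateless) for this to succeed.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(UDP_MAX_CLASSIC)
    if not needs_tcp_retry(response):
        return response
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length)


# Constructed sample headers (no answer section), not real captures:
# a truncated reply and a complete reply to query id 0x1234.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
FULL_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("truncated sample needs TCP retry:", needs_tcp_retry(TRUNCATED_RESPONSE))
    print("full sample needs TCP retry:", needs_tcp_retry(FULL_RESPONSE))
    # resolve("10.0.0.2", "example.com")  # assumed on-premises DNS server address
```

Running `resolve()` against a real server needs the network path; the header parsing and framing can be exercised offline with the constructed samples, which is enough to verify that a TC=1 reply triggers the TCP retry.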

For more information on NACLs, please refer to the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

The issue is that the EC2 instances cannot resolve on-premises names through the on-premises DNS server. Of the four options, two describe controls that would actually stop DNS traffic.

Answer A: The NACL is blocking UDP port 53 outbound. Network Access Control Lists (NACLs) are stateless firewalls that control traffic in and out of a subnet. The default NACL allows all inbound and outbound traffic, but a custom NACL denies everything until rules are added, and rules are evaluated in rule-number order with the first match winning. UDP port 53 carries ordinary DNS queries, so if the NACL denies UDP 53 outbound the instances cannot reach the on-premises DNS server at all. Because NACLs are stateless, the reply must also be allowed explicitly: an inbound rule permitting UDP from port 53 to the instances' ephemeral port range (1024-65535) is needed, or the query leaves the subnet and the answer is dropped on the way back.
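The stateless evaluation described above, as an added example that is not part of the original page: it walks NACL entries in the same shape that `aws ec2 describe-network-acls` returns (rule number, egress flag, protocol number, port range, allow/deny), applies first-match-wins with the implicit deny-all rule 32767, and checks both halves of a DNS exchange. The three rule sets are constructed samples, not from a real account; CIDR matching is left out because the point here is ports and direction.

```python
PROTO_TCP, PROTO_UDP, PROTO_ALL = "6", "17", "-1"
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


def rule(number, egress, protocol, action, port_from=None, port_to=None):
    """Build one NACL entry in the describe-network-acls 'Entries' shape."""
    entry = {
        "RuleNumber": number,
        "Egress": egress,
        "Protocol": protocol,
        "RuleAction": action,
        "CidrBlock": "0.0.0.0/0",  # constructed; CIDR is not evaluated below
    }
    if port_from is not None:
        entry["PortRange"] = {"From": port_from, "To": port_to}
    return entry


def nacl_allows(entries, egress, protocol, port):
    """First matching rule (ascending RuleNumber) decides; no match means deny."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress:
            continue
        if e["Protocol"] not in (PROTO_ALL, protocol):
            continue
        port_range = e.get("PortRange")
        if e["Protocol"] != PROTO_ALL and port_range:
            if not (port_range["From"] <= port <= port_range["To"]):
                continue
        return e["RuleAction"] == "allow"
    return False


def dns_round_trip_allowed(entries, protocol, client_port=49152):
    """A DNS lookup is two stateless packets: the query out to 53 and the reply
    back to the client's ephemeral port. Both must pass, or resolution fails."""
    outbound = nacl_allows(entries, egress=True, protocol=protocol, port=53)
    reply = nacl_allows(entries, egress=False, protocol=protocol, port=client_port)
    return {"outbound_to_53": outbound, "inbound_reply": reply, "resolves": outbound and reply}


# Implicit catch-all deny that every NACL ends with (shown as '*' in the console).
DENY_ALL = [rule(32767, True, PROTO_ALL, "deny"), rule(32767, False, PROTO_ALL, "deny")]

# Constructed: web-only egress, so DNS on UDP/TCP 53 never leaves the subnet (answers A and B).
BROKEN_NACL = [
    rule(100, True, PROTO_TCP, "allow", 80, 80),
    rule(110, True, PROTO_TCP, "allow", 443, 443),
    rule(100, False, PROTO_TCP, "allow", EPHEMERAL_LOW, EPHEMERAL_HIGH),
] + DENY_ALL

# Constructed: port 53 opened outbound, but the UDP reply to the ephemeral port is still denied.
HALF_FIXED_NACL = BROKEN_NACL + [
    rule(120, True, PROTO_UDP, "allow", 53, 53),
    rule(130, True, PROTO_TCP, "allow", 53, 53),
]

# Constructed: both directions covered for UDP and TCP.
FIXED_NACL = HALF_FIXED_NACL + [
    rule(110, False, PROTO_UDP, "allow", EPHEMERAL_LOW, EPHEMERAL_HIGH),
]

if __name__ == "__main__":
    for name, entries in (("broken", BROKEN_NACL), ("half-fixed", HALF_FIXED_NACL), ("fixed", FIXED_NACL)):
        print(name, "udp:", dns_round_trip_allowed(entries, PROTO_UDP),
              "tcp:", dns_round_trip_allowed(entries, PROTO_TCP))
```

The half-fixed set is the case that bites in practice: the outbound rules from answers A and B are corrected, yet UDP lookups still time out because the stateless NACL drops the reply. Checking each direction separately, as the function does, is how to spot that before reading captures.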

Answer B: The NACL is blocking TCP port 53 outbound. TCP port 53 is used for DNS as well, in particular for responses too large for a UDP datagram (the truncated-response retry) and for zone transfers. If the NACL denies TCP 53 outbound, those lookups fail, so this is the second valid reason.

Answer C: The Security Group is blocking port 80 inbound. Security Groups are stateful firewalls applied to the instance's network interface. Port 80 carries HTTP; blocking it inbound stops the instance from serving web traffic, but has nothing to do with DNS resolution, so it is not a cause.

Answer D: The Security Group is blocking port 80 outbound. Outbound port 80 is HTTP traffic initiated by the instance, again unrelated to DNS, so it is not a cause either.

Therefore, the reasons for the failure are A and B: the NACL is blocking UDP and TCP port 53 outbound. When fixing this in a real VPC, also confirm that the instances are actually pointed at the on-premises DNS server (via the VPC's DHCP options set, or a Route 53 Resolver outbound endpoint with a forwarding rule for the Active Directory domain), that the Security Group allows port 53 outbound, and that the VPN or Direct Connect path to the on-premises network is up.