When running DNS to support an Active Directory domain within Amazon EC2 and Microsoft Azure, I have observed some subtle differences in the setup of the forwarders used for resolution of external namespaces.
To add context to the above, I am running AD domains within Azure and AWS, and domain-joined servers are therefore configured to use the DNS server on the Active Directory Domain Controller in order to support normal domain membership (locating DCs via SRV records, Kerberos, Group Policy and so on). Should a member server or client require name resolution for an external namespace, additional configuration is required in some cases, because the client only sends DNS queries to the Domain Controller and therefore cannot use the resolver the platform provides out of the box.
In Azure, standalone machines using the out-of-the-box configuration rely on the Azure DNS option on the VNET, which resolves external name queries via the Azure infrastructure, as defined by the setting shown when viewing the VNET >> DNS Servers blade (Default (Azure-provided)).
The same is true for VPCs in AWS: the default DHCP option set is configured with 'AmazonProvidedDNS', which provides a reserved resolver at the base of the VPC network range plus two (for example 10.0.0.2 for a 10.0.0.0/16 VPC), and that resolver services name resolution for external DNS names.
Now consider forwarding name queries from a Domain Controller or other hosted DNS server, on the assumption that it is undesirable for the servers to have direct access to the Internet via the VNET/VPC default route or a public IP address assignment. In that case I configure the forwarders on the DNS Server with the Azure/AWS supplied recursive resolver and remove the Root Hints, ensuring that there is a single defined path for name resolution: if the forwarder is unavailable the server should fail the query rather than fall back to contacting the root servers directly. With this approach, queries for the namespace the Domain Controller is authoritative for are answered by the DC itself, while queries for external namespaces are forwarded within the VPC/VNET, answered by the platform resolver on the DC's behalf and returned to the DC. No DNS traffic originating from, or destined for, an internal server leaves the VPC/VNET; only the platform resolver talks to the outside world.
The platform recursive resolvers that can be used as forwarders are listed below:
- Azure DNS - 168.63.129.16
- AWS DNS - 169.254.169.253 (also reachable at the VPC network range plus two)
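The following script is an added example (not code from the original post) showing how to apply the configuration described above to a Domain Controller's DNS Server role with the DnsServer PowerShell module: point the forwarders at the platform resolver for the chosen cloud, disable and remove root hints so there is no second resolution path, and verify both the configuration and that an external name still resolves. The `$Platform` parameter, the `$Resolvers` table and the test name `www.microsoft.com` are my own choices; the resolver addresses are the ones listed above.

```powershell
<#
  Added example: configure a DC's DNS Server to forward external queries only
  to the Azure/AWS platform resolver and remove the root hints, then verify.
  Run in an elevated PowerShell session on the DNS server (DnsServer module).
#>
param(
    # Assumption: the cloud this DC lives in selects the forwarder address.
    [ValidateSet('Azure', 'AWS')]
    [string]$Platform = 'Azure'
)

$Resolvers = @{
    Azure = '168.63.129.16'    # Azure-provided DNS
    AWS   = '169.254.169.253'  # Route 53 Resolver (also VPC base + 2)
}
$Forwarder = $Resolvers[$Platform]

# Replace any existing forwarder list with the single platform resolver.
# UseRootHint $false stops the server from falling back to the root servers
# if the forwarder does not answer; a short timeout makes that failure quick.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false -Timeout 3

# Remove the root hints entirely so the only external path is the forwarder.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# --- Verification ---------------------------------------------------------
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress.IPAddressToString -ne $Forwarder -or $fwd.UseRootHint) {
    throw "Forwarder configuration is not as expected: $($fwd | Out-String)"
}

$hints = @(Get-DnsServerRootHint)
if ($hints.Count -ne 0) {
    throw "Root hints still present: $($hints.Count)"
}

# An external name should resolve through the forwarder (DnsOnly skips the
# local hosts file and cache so the query really goes through the server).
$answer = Resolve-DnsName -Name 'www.microsoft.com' -Server 'localhost' -DnsOnly
if (-not $answer) { throw 'External resolution via the forwarder failed' }

"Forwarder: $Forwarder  UseRootHint: $($fwd.UseRootHint)  RootHints: $($hints.Count)"
$answer | Where-Object Type -in 'A', 'AAAA' | Select-Object Name, Type, IPAddress
```

Note that `Set-DnsServerForwarder -IPAddress` replaces the whole forwarder list rather than appending to it, which is what you want here; use `Add-DnsServerForwarder` only if you deliberately want more than one path. Because the root hints are gone, a failure of the platform resolver will surface as SERVFAIL on the DC rather than as unexpected outbound port 53 traffic, which is exactly the single-path behaviour the design relies on.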