Private DNS Resolver
Internal-only DNS.
Overview
A private DNS resolver runs internal-only DNS resolution: internal records (db.internal, api.internal) resolve only inside the VPC; external queries flow through the same resolver to the internet. Five primitives carry the architecture: internal-only zones, conditional forwarding, query logging, split-horizon, caching. The result is secure, observable, fast DNS.
- Internal-only DNS zones. Records that resolve only inside the VPC. Supports private-only services without leaking names to public DNS.
- Conditional forwarding. Forward specific zones to internal vs external resolvers. Supports hybrid-cloud architectures cleanly.
- Query logging. Every internal DNS query logged. Supports security investigation and forensics.
- Split-horizon plus caching. The same name resolves differently from inside vs outside; the internal resolver caches responses so repeated lookups do not pay the external round trip.
The approach
Managed resolver where possible (Route 53 Resolver, Cloud DNS, NS1), conditional forwarding for hybrid topologies, all queries logged for security, resolution time monitored, topology documented per zone. The managed service reduces operational burden; logging is what unlocks the security value.
- Managed resolver. Route 53 Resolver, Cloud DNS, NS1 reduce operational burden. Default for AWS/GCP-heavy stacks.
- Conditional forwarding. Internal zones to internal resolvers, external to public. Supports hybrid cloud.
- Query logging. All queries logged for security investigation. Forensic capability remains available years later, for as long as the logs are retained.
- Resolution-time monitoring plus documented topology. Slow DNS produces slow services; per-zone resolver and forwarder rules captured for operational reviews.
Why this compounds
Each year of private-resolver operation produces investigation patterns the team did not have before. Security teams see DNS-based exfiltration attempts; SREs see service-discovery patterns; cost teams see how much traffic stays internal. By year two, DNS query logs are a routine investigation surface.
- Better security. Internal records do not leak to public DNS. Real privacy.
- Better observability. Query logs support security investigation. Forensics available years later.
- Better performance. Internal queries do not traverse the internet. Resolution stays fast.
- Year-one investment, year-two habit. First resolver is the investment; subsequent integrations inherit the patterns.
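As an added example (not code from this page or from any resolver vendor), the pass below shows how query logging and split-horizon combine into an investigation surface: it reads constructed resolver log records, separates queries answered from an internal zone from those forwarded to the internet, reports the internal share the cost teams look for, and flags a source that sends many long, high-entropy labels under one external domain, the trace DNS-based exfiltration leaves. The zone name, log field names and thresholds are assumptions.

```python
import json
import math
from collections import Counter, defaultdict

# Zones served only by the private resolver (constructed for this example).
INTERNAL_ZONES = (".internal",)

# Constructed query-log records, one JSON object per line; field names are assumed.
SAMPLE_LOG = "\n".join([
    '{"srcaddr":"10.0.1.15","query_name":"db.internal.","query_type":"A"}',
    '{"srcaddr":"10.0.1.15","query_name":"api.internal.","query_type":"A"}',
    '{"srcaddr":"10.0.1.15","query_name":"www.example.com.","query_type":"A"}',
    '{"srcaddr":"10.0.2.40","query_name":"db.internal.","query_type":"A"}',
] + [
    # One host sending many long, high-entropy labels under a single external
    # domain: the shape a tunnelling or exfiltration tool leaves in the log.
    '{"srcaddr":"10.0.2.40","query_name":"%s.t.example.net.","query_type":"TXT"}' % lbl
    for lbl in ("a9f3c1e7b2d4f6a8", "7c2e9b1d4f8a3c5e", "e1d8a7c4b3f2a9d6",
                "4b7d2f9a1c8e3b6f", "9e3a1f7c2d5b8a4e", "c5a2e8f1b9d3a7c4")
])

def shannon_entropy(s: str) -> float:
    # Bits per character; encoded payload labels sit well above ordinary hostnames.
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if (n := len(s)) else 0.0

def is_internal(name: str) -> bool:
    # Names inside a private zone are answered locally and never leave the VPC.
    return name.lower().endswith(INTERNAL_ZONES)

def analyse(log_text: str, min_unique=5, min_label_len=12, min_entropy=3.0):
    """Return (share of queries answered internally, sorted flagged (src, domain))."""
    internal = total = 0
    seen = defaultdict(set)  # (srcaddr, registered domain) -> distinct leftmost labels
    for line in log_text.splitlines():
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".")
        total += 1
        if is_internal(name):
            internal += 1
            continue  # served from the internal zone, not a path to the internet
        parts = name.lower().split(".")
        if len(parts) >= 3:
            seen[(rec["srcaddr"], ".".join(parts[-2:]))].add(parts[0])
    flagged = []
    for key, labels in seen.items():
        suspicious = [lab for lab in labels if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy]
        # Flag only when every distinct label looks like payload, not one odd CDN name.
        if len(labels) >= min_unique and len(suspicious) == len(labels):
            flagged.append(key)
    return (internal / total if total else 0.0), sorted(flagged)
```

Thresholds are deliberately conservative; in practice they are tuned against a baseline of the VPC's normal query mix before alerting on them.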