DNS Server Configuration for Aviatrix Gateways

Aviatrix Gateways use a well-known public DNS server for their hostname resolutions. This is to ensure the gateways can access services such as AWS SQS to retrieve messages from the Aviatrix Controller regardless of the underlying connectivity. Even if a VPC is set up with private DNS via its DHCP options for EC2 instances, Aviatrix gateways still rely on the public DNS for their own hostname resolutions.

However, Aviatrix also provides the option to use the Cloud VPC/VNet private DNS Server. Enabling this instructs the gateway to use the VPC/VNet DNS configured via DHCP options, replacing the Aviatrix default DNS server.

When enabled, the Controller checks if the gateway can reach the configured VPC/VNet DNS server; otherwise, it returns an error.

This is useful when Aviatrix gateways need to resolve private DNS names, such as an on-premises log server or non-HTTP/HTTPS FQDNs with Egress Legacy features.

For instance, if you enable Logging on the Aviatrix Controller, all Aviatrix Gateways forward their log information to the configured log server. If that log server is deployed on-premises with a private DNS name, the Aviatrix gateway's default DNS server cannot resolve it. Enabling the VPC/VNet DNS server makes the gateway use the VPC/VNet DNS server instead, which should resolve the private DNS name of the log server.

Another use case is Aviatrix Egress Legacy FQDN: when it is enabled on the Aviatrix Controller for non-HTTP/HTTPS FQDNs, the Aviatrix gateway must use the DNS server from the VPC/VNet's DHCP options to obtain the correct IP address for a given hostname.

If your VPC/VNet DNS server is on-premises or only reachable over IPsec tunnels, HA failover on Spoke gateways can cause problems. When the primary Spoke Gateway fails over, the gateway loses access to the private DNS server because the tunnel is down; the tunnel cannot be re-established until the gateway receives AWS SQS messages from the Controller, and it cannot reach SQS without working DNS. As a result, the tunnel stays down. Using the Aviatrix Default DNS server on the Spoke Gateway avoids this dependency.

For Transit networks that require a private DNS server, ensure the DNS server remains reachable regardless of the state of the network tunnels.
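Before switching a gateway to the Cloud VPC/VNet DNS Server, it helps to check two things the sections above describe: that the DHCP-option DNS server actually resolves the private name the gateway needs, and that the server lives inside the VPC rather than behind a tunnel. The following POSIX shell script is an added example, not Aviatrix code; it assumes `dig` is installed, assumes the AWS convention that the VPC-provided resolver sits at the VPC network address plus two, and uses a public resolver only as a comparison (it is not the gateway's actual default).

```shell
#!/bin/sh
# Pre-flight check before enabling the Cloud VPC/VNet DNS Server on a gateway.
# Added example; assumes dig (bind-utils / dnsutils) for the live queries.

# Dotted-quad <-> 32-bit integer helpers using only POSIX sh arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
cidr_mask() { echo $(( (4294967295 << (32 - ${1##*/})) & 4294967295 )); }

# AWS serves VPC DNS from the network address plus two (10.20.0.0/16 -> 10.20.0.2).
aws_vpc_resolver() {
    base=$(( $(ip_to_int "${1%%/*}") & $(cidr_mask "$1") ))
    int_to_ip $(( base + 2 ))
}

# Succeeds when IP lies inside CIDR. A DHCP-option DNS server outside the VPC
# is probably on-premises and reachable only over a tunnel, which is the Spoke
# HA failover trap described above.
in_cidr() {
    mask=$(cidr_mask "$2")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%%/*}") & mask )) ]
}

# Print the A records NAME resolves to via RESOLVER; fail if there are none.
resolve_via() {
    ans=$(dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null) || ans=""
    [ -n "$ans" ] && printf '%s\n' "$ans"
}

# Usage: sh dns_precheck.sh <vpc-cidr> <dhcp-dns-server> <private-fqdn> [public-resolver]
if [ $# -ge 3 ]; then
    cidr=$1; dns=$2; fqdn=$3; public=${4:-8.8.8.8}
    if in_cidr "$dns" "$cidr"; then
        echo "ok: $dns is inside $cidr (AWS VPC resolver would be $(aws_vpc_resolver "$cidr"))"
    else
        echo "warning: $dns is outside $cidr; if it sits behind a tunnel, keep the Aviatrix Default DNS on Spoke gateways"
    fi
    resolve_via "$dns" "$fqdn" >/dev/null && echo "ok: $fqdn resolves via $dns" || echo "fail: $fqdn not resolvable via $dns"
    resolve_via "$public" "$fqdn" >/dev/null && echo "note: $fqdn is also publicly resolvable" || echo "expected: $fqdn not resolvable via $public"
fi
```

Run it from an instance in the same VPC as the gateway so the query path matches what the gateway will see.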

Configure DNS Server for an Aviatrix Gateway

By default, Aviatrix gateways use the built-in Aviatrix Default DNS Server for their own hostname resolutions. However, Aviatrix also provides the option to use the Cloud VPC/VNet private DNS Server.

To configure the DNS server for an Aviatrix gateway:

  1. In Aviatrix CoPilot, go to Cloud Fabric > Gateways and click the Transit Gateways, Spoke Gateways, or Specialty Gateways tab.

  2. In the table, locate and click the gateway name.

  3. Go to the gateway’s Settings page.

  4. Expand the General section and locate Gateway Management DNS Server.

    By default, the Aviatrix gateway uses the Aviatrix Default DNS Server. You can choose Cloud VPC/VNet DNS Server to force the Aviatrix gateway to use a private DNS server.