I launched an EC2 instance in a VPC and expected it to resolve DNS names using Route 53, but when I tried curl https://aws.amazon.com, the instance returned “Could not resolve host.” I had valid DNS settings in DHCP options, or so I thought, but the resolver wasn’t responding. In a hybrid environment, I also needed private hosted zones to resolve on-premises DNS, which required Route 53 Resolver endpoints. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
EC2 instances inside your VPC can’t resolve domain names. Commands like curl, wget, and dig all fail with DNS resolution errors. Private hosted zone records don’t resolve, or on-premises DNS isn’t reachable. The instance has internet connectivity but DNS is broken.
Here’s what the error looks like from inside an EC2 instance:
$ curl https://aws.amazon.com
curl: (6) Could not resolve host: aws.amazon.com
$ nslookup example.internal
Server: 169.254.169.253
Address: 169.254.169.253#53
** server can't find example.internal: SERVFAIL
| Issue | Description |
|---|---|
| Public DNS Names Don’t Resolve | curl/wget fail on external hostnames |
| Private Hosted Zone Records Fail | Internal domain names return NXDOMAIN |
| Default Resolver (169.254.169.253) Unresponsive | VPC DNS resolver IP not responding |
| On-Premises DNS Unreachable | Hybrid environments can’t resolve corporate DNS |
| DHCP Option Set Misconfigured | Custom DNS server IP is wrong or unreachable |
Why Does This Happen?
- VPC doesn't have enableDnsSupport enabled: AWS provides a resolver in every VPC at the primary CIDR's base address plus two (10.0.0.2 for a 10.0.0.0/16 VPC), also reachable at 169.254.169.253. If enableDnsSupport is off, that resolver does not answer. Instances use it by default because the default DHCP option set lists AmazonProvidedDNS as the domain-name-servers value.
- Custom DHCP option set points to an unreachable DNS server: If you created a custom DHCP option set with a DNS server IP, that server must be reachable and functional. If it's down or the IP is wrong, DNS fails for every instance that uses that option set.
- Private hosted zone not associated with the VPC: Route 53 private hosted zones must be explicitly associated with each VPC that should see them. If the zone exists but isn't associated, queries for its names fall through to public DNS and come back NXDOMAIN. Private hosted zones also require enableDnsHostnames to be on.
- Route 53 Resolver not configured for hybrid DNS: Instances resolve on-premises names only if an outbound endpoint plus a forwarding rule associated with the VPC sends those queries to the corporate DNS servers. An inbound endpoint covers the other direction (on-premises clients resolving VPC names). Without forwarding, corporate domains are looked up in public DNS and fail.
- Security group or Network ACL blocking port 53: Security groups and network ACLs do not filter traffic to the Amazon-provided resolver, so they cannot break the default setup. They do apply to a custom DNS server named in the DHCP option set, to the network interfaces of Resolver endpoints, and to the VPN or Direct Connect path to on-premises servers; each of those must allow UDP and TCP port 53. A host firewall (iptables/nftables) on the instance itself can also drop port 53.
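To see from inside the instance which resolver it is really using and whether that resolver is the Amazon-provided one, here is a small diagnostic script. It is an added example, not code from the original post: it computes the Amazon-provided resolver address (VPC base + 2) from the VPC CIDR, classifies each nameserver in a resolv.conf, and, when LIVE=1, probes each server over UDP and TCP port 53 with dig. The VPC CIDR, the LIVE switch and the constructed resolv.conf it parses by default are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Classify the resolvers an EC2
# instance is using and, optionally, probe them. Assumptions: VPC_CIDR is the
# VPC's primary IPv4 CIDR; the sample resolv.conf below is constructed.
set -eu

# Amazon-provided DNS lives at the primary CIDR's base address + 2 (with
# 169.254.169.253 and fd00:ec2::253 as aliases). VPC CIDRs are /16 .. /28.
amazon_resolver_ip() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    if [ "$prefix" -lt 16 ] || [ "$prefix" -gt 28 ]; then
        echo "invalid VPC prefix length: /$prefix" >&2
        return 1
    fi
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    base=$(( (n & mask) + 2 ))
    printf '%d.%d.%d.%d\n' $(( (base >> 24) & 255 )) $(( (base >> 16) & 255 )) \
                           $(( (base >> 8) & 255 ))  $(( base & 255 ))
}

# Classify one nameserver against the VPC CIDR: amazon-provided or custom.
classify_nameserver() {
    ns=$1; cidr=$2
    case "$ns" in
        169.254.169.253|fd00:ec2::253) echo amazon-provided; return 0 ;;
    esac
    if [ "$ns" = "$(amazon_resolver_ip "$cidr")" ]; then
        echo amazon-provided
    else
        echo custom
    fi
}

# Nameserver entries of a resolv.conf. The systemd-resolved stub 127.0.0.53
# is reported as-is; `resolvectl status` shows the upstreams behind it.
nameservers_from() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Probe a resolver over UDP and TCP on port 53. Needs network access and dig,
# so it only runs when LIVE=1. A server that answers UDP but not TCP still
# breaks large responses, which is why both are tested.
probe_resolver() {
    ns=$1
    for proto in udp tcp; do
        flag=""
        if [ "$proto" = tcp ]; then flag="+tcp"; fi
        if dig +short +time=2 +tries=1 $flag @"$ns" aws.amazon.com A >/dev/null 2>&1; then
            echo "  $proto/53 to $ns: ok"
        else
            echo "  $proto/53 to $ns: FAILED"
        fi
    done
}

# Report each configured nameserver, with the check that applies to its kind.
diagnose() {
    resolv=$1; cidr=$2
    for ns in $(nameservers_from "$resolv"); do
        kind=$(classify_nameserver "$ns" "$cidr")
        echo "nameserver $ns ($kind)"
        case "$kind" in
            custom)          echo "  custom server: check the DHCP option set, and that its SG/NACL allow 53/udp and 53/tcp from this subnet" ;;
            amazon-provided) echo "  Amazon-provided: if queries fail, check enableDnsSupport on the VPC" ;;
        esac
        if [ "${LIVE:-0}" = 1 ]; then probe_resolver "$ns"; fi
    done
}

# Constructed sample: an instance on a 10.0.0.0/16 VPC whose option set lists
# the Amazon resolver first and a custom corporate server second.
VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}
sample=$(mktemp)
cat > "$sample" <<'EOF'
search ec2.internal
nameserver 10.0.0.2
nameserver 10.50.0.53
EOF
diagnose "$sample" "$VPC_CIDR"
rm -f "$sample"
```

On a real instance, run `diagnose /etc/resolv.conf <cidr>` with the CIDR from `aws ec2 describe-vpcs --vpc-ids <id> --query 'Vpcs[0].CidrBlock' --output text`, and set LIVE=1 to probe. A nameserver classified as amazon-provided that answers nothing points straight at enableDnsSupport; a custom one that fails points at the DHCP option set or at the path to that server.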
The Fix
First, enable DNS support on the VPC, and DNS hostnames as well (private hosted zones require both), if they aren't already enabled:
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--enable-dns-support
aws ec2 modify-vpc-attribute \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--enable-dns-hostnames
Verify the settings are enabled:
aws ec2 describe-vpc-attribute \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--attribute enableDnsSupport \
--query 'EnableDnsSupport.Value'
List the DHCP option sets in the account together with the DNS servers each one specifies:
aws ec2 describe-dhcp-options \
--filters "Name=key,Values=domain-name-servers" \
--query 'DhcpOptions[*].[DhcpOptionsId,DhcpConfigurations]' \
--output table
Get the VPC’s current DHCP option set:
aws ec2 describe-vpcs \
--vpc-ids vpc-0a1b2c3d4e5f6g7h8 \
--query 'Vpcs[0].DhcpOptionsId'
Using Default DNS Resolver
For most cases, use the default AWS DNS resolver. If you've associated a custom DHCP option set, switch back to the default. Running instances pick up a changed option set only when they renew their DHCP lease, so renew it from the OS or reboot if you don't want to wait:
aws ec2 associate-dhcp-options \
--dhcp-options-id default \
--vpc-id vpc-0a1b2c3d4e5f6g7h8
From an EC2 instance, test the default resolver:
dig @169.254.169.253 aws.amazon.com
This should return an answer. If it doesn’t, DNS support might still be disabled.
Fix Custom DHCP Option Sets
If you need a custom DNS server, verify the server IP is correct and reachable. Check the DHCP option set configuration:
aws ec2 describe-dhcp-options \
--dhcp-options-ids dopt-0a1b2c3d4e5f6g7h8 \
--query 'DhcpOptions[0].DhcpConfigurations[?Key==`domain-name-servers`].Values[].Value'
If the DNS IP is wrong, create a new DHCP option set; existing sets can't be edited, so you replace the set and re-associate it. The keyword for the VPC resolver is AmazonProvidedDNS, and servers are listed in the order they should be tried (Linux resolvers consult at most the first three):
aws ec2 create-dhcp-options \
--dhcp-configurations \
"Key=domain-name-servers,Values=10.0.0.2,AmazonProvidedDNS"
Associate it with the VPC:
aws ec2 associate-dhcp-options \
--dhcp-options-id dopt-0new1234567890 \
--vpc-id vpc-0a1b2c3d4e5f6g7h8
Associate Private Hosted Zone with VPC
Get your private hosted zone ID:
aws route53 list-hosted-zones-by-vpc \
--vpc-id vpc-0a1b2c3d4e5f6g7h8 \
--vpc-region us-east-1 \
--query 'HostedZoneSummaries[*].[HostedZoneId,Name]'
If the zone isn't listed, associate it. When the zone belongs to a different account, its owner must first authorize your VPC with create-vpc-association-authorization; the association itself is then run from the account that owns the VPC:
aws route53 associate-vpc-with-hosted-zone \
--hosted-zone-id Z1234567890ABC \
--vpc VPCRegion=us-east-1,VPCId=vpc-0a1b2c3d4e5f6g7h8
Set Up Route 53 Resolver for Hybrid DNS
For on-premises DNS, create an inbound endpoint, which lets on-premises resolvers query VPC names (including private hosted zones). An endpoint needs a creator request ID and at least two IP addresses, ideally in subnets in different Availability Zones; its security group should allow UDP and TCP 53 inbound from the on-premises CIDRs only (subnet-<other-az> is a placeholder for the second subnet):
aws route53resolver create-resolver-endpoint \
--creator-request-id on-prem-inbound-1 \
--name on-prem-resolver \
--direction INBOUND \
--ip-addresses SubnetId=subnet-0a1b2c3d4e5f6g7h8 SubnetId=subnet-<other-az> \
--security-group-ids sg-0a1b2c3d4e5f6g7h8
Create an outbound endpoint, which is the source of queries the VPC forwards to on-premises servers. Its security group needs UDP and TCP 53 outbound to those servers:
aws route53resolver create-resolver-endpoint \
--creator-request-id on-prem-outbound-1 \
--name on-prem-outbound \
--direction OUTBOUND \
--ip-addresses SubnetId=subnet-0a1b2c3d4e5f6g7h8 SubnetId=subnet-<other-az> \
--security-group-ids sg-0a1b2c3d4e5f6g7h8
Create a forwarding rule for each on-premises domain (the flag is --rule-type, and a creator request ID is required), then associate the rule with the VPC using associate-resolver-rule; a rule that is not associated with a VPC exists but is never consulted:
aws route53resolver create-resolver-rule \
--creator-request-id fwd-corporate-internal-1 \
--name corporate.internal \
--rule-type FORWARD \
--domain-name corporate.internal \
--target-ips Ip=10.100.0.2,Port=53 \
--resolver-endpoint-id rslvr-out-0a1b2c3d4e5f6g7h8
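Here is the hybrid set-up as one script, added as a worked example and not code from the original post. It creates a deny-by-default security group for each endpoint, creates the endpoints with two IP addresses in different subnets, waits for them to become OPERATIONAL, creates the forwarding rule with a fixed creator request ID, and associates the rule with the VPC, which is the step that actually turns forwarding on. All IDs, CIDRs and the on-premises DNS address are placeholder assumptions; by default it runs in dry-run mode and prints the AWS CLI calls instead of making them.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: hybrid DNS with Route 53
# Resolver end to end. Every ID, CIDR and address below is a placeholder
# assumption; override them with environment variables. DRY_RUN=1 (the
# default) prints the AWS CLI calls instead of executing them.
set -eu

VPC_ID=${VPC_ID:-vpc-0a1b2c3d4e5f6g7h8}
SUBNET_A=${SUBNET_A:-subnet-0aaaaaaaaaaaaaaaa}   # assumed: one subnet per AZ
SUBNET_B=${SUBNET_B:-subnet-0bbbbbbbbbbbbbbbb}
ONPREM_CIDR=${ONPREM_CIDR:-10.100.0.0/16}         # assumed: corporate network
ONPREM_DNS=${ONPREM_DNS:-10.100.0.2}              # assumed: corporate DNS server
ONPREM_DOMAIN=${ONPREM_DOMAIN:-corporate.internal}
LABEL=$(printf '%s' "$ONPREM_DOMAIN" | tr . -)     # dot-free form for resource names
DRY_RUN=${DRY_RUN:-1}

# Dry-run shim: print each call to stderr and return the kind of value the
# real call would print (every call below uses --query ... --output text).
aws() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ aws %s\n' "$*" >&2
        case "$2" in
            create-security-group)    echo sg-dryrun ;;
            create-resolver-endpoint) echo rslvr-dryrun ;;
            create-resolver-rule)     echo rslvr-rr-dryrun ;;
            get-resolver-endpoint)    echo OPERATIONAL ;;
        esac
        return 0
    fi
    command aws "$@"
}

# Deny-by-default security group: the inbound endpoint accepts DNS only from
# the corporate network; the outbound endpoint sends DNS only to the corporate
# server. Replies are covered by security group state tracking.
make_dns_sg() {
    name=$1; direction=$2
    sg=$(aws ec2 create-security-group --group-name "$name" \
        --description "Route 53 Resolver $direction endpoint" \
        --vpc-id "$VPC_ID" --query GroupId --output text)
    aws ec2 revoke-security-group-egress --group-id "$sg" \
        --ip-permissions "IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]" >/dev/null
    for proto in udp tcp; do
        if [ "$direction" = INBOUND ]; then
            aws ec2 authorize-security-group-ingress --group-id "$sg" \
                --protocol "$proto" --port 53 --cidr "$ONPREM_CIDR" >/dev/null
        else
            aws ec2 authorize-security-group-egress --group-id "$sg" \
                --ip-permissions "IpProtocol=$proto,FromPort=53,ToPort=53,IpRanges=[{CidrIp=$ONPREM_DNS/32}]" >/dev/null
        fi
    done
    echo "$sg"
}

# Endpoint with two IP addresses in different subnets (Route 53 requires at
# least two); a fixed creator request ID lets a failed call be retried without
# creating a second endpoint. Blocks until the endpoint reports OPERATIONAL.
make_endpoint() {
    name=$1; direction=$2; sg=$3
    ep=$(aws route53resolver create-resolver-endpoint \
        --creator-request-id "$name-$VPC_ID" --name "$name" \
        --direction "$direction" --security-group-ids "$sg" \
        --ip-addresses "SubnetId=$SUBNET_A" "SubnetId=$SUBNET_B" \
        --query ResolverEndpoint.Id --output text)
    until [ "$(aws route53resolver get-resolver-endpoint \
                --resolver-endpoint-id "$ep" \
                --query ResolverEndpoint.Status --output text)" = OPERATIONAL ]; do
        sleep 15
    done
    echo "$ep"
}

# Forward the corporate domain through the outbound endpoint, then associate
# the rule with the VPC: an unassociated rule exists but is never consulted.
make_forwarding_rule() {
    outbound_ep=$1
    rule=$(aws route53resolver create-resolver-rule \
        --creator-request-id "fwd-$LABEL-$VPC_ID" \
        --name "fwd-$LABEL" --rule-type FORWARD \
        --domain-name "$ONPREM_DOMAIN" \
        --target-ips "Ip=$ONPREM_DNS,Port=53" \
        --resolver-endpoint-id "$outbound_ep" \
        --query ResolverRule.Id --output text)
    aws route53resolver associate-resolver-rule --resolver-rule-id "$rule" \
        --vpc-id "$VPC_ID" --name "fwd-$LABEL-$VPC_ID" >/dev/null
    echo "$rule"
}

setup_hybrid_dns() {
    in_sg=$(make_dns_sg r53-resolver-inbound INBOUND)
    out_sg=$(make_dns_sg r53-resolver-outbound OUTBOUND)
    in_ep=$(make_endpoint on-prem-inbound INBOUND "$in_sg")
    out_ep=$(make_endpoint on-prem-outbound OUTBOUND "$out_sg")
    rule=$(make_forwarding_rule "$out_ep")
    echo "inbound=$in_ep outbound=$out_ep rule=$rule"
}

setup_hybrid_dns
```

Run it once with the defaults to review the exact calls, then with DRY_RUN=0 and real IDs to apply them. Afterwards, `aws route53resolver list-resolver-endpoint-ip-addresses --resolver-endpoint-id <inbound id>` gives the two addresses your on-premises DNS servers should forward the VPC's domains to, and `dig corporate.internal @169.254.169.253` from an instance should now return the corporate answer.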
How to Run This
- Enable DNS support and DNS hostnames on the VPC (required for all cases).
- Use the default AWS DNS resolver (VPC base + 2, also reachable at 169.254.169.253) for most setups.
- Associate private hosted zones with the VPC explicitly.
- For hybrid DNS, create Route 53 Resolver inbound and outbound endpoints, then create forwarding rules and associate them with the VPC.
- Test resolution from instances: dig @169.254.169.253 example.com
- Verify that security groups and NACLs allow port 53 (UDP and TCP) to any custom DNS server and on the Resolver endpoint interfaces; they do not affect the Amazon-provided resolver.
Is This Safe?
Enabling DNS support and DNS hostnames is a pure configuration change and is safe. Swapping the DHCP option set is also safe, but it does reach running instances: they adopt the new resolvers at their next lease renewal, so a wrong server breaks resolution gradually across the fleet rather than all at once. The hybrid pieces deserve more care. An inbound endpoint answers for your private hosted zones to anything that can reach its IP addresses, so scope its security group to the on-premises resolver CIDRs only. Forwarding rules send queries for the named domains to on-premises servers as plaintext DNS over the VPN or Direct Connect path, so forward only the corporate domains rather than everything. If you need a record of what was asked and answered, enable Route 53 Resolver query logging for the VPC.
Key Takeaway
DNS in VPCs relies on either AWS’s default resolver (if DNS support is enabled) or custom DNS servers specified in DHCP options. Always enable DNS support first. For private zones, explicitly associate them. For hybrid environments, use Route 53 Resolver endpoints—they’re more robust than trying to manually forward queries.
Have questions or ran into a different networking issue? Connect with me on LinkedIn or X.