I am controlling traffic in and out of a subnet using a network ACL. I have Java services running in an EC2 Red Hat instance and some other services which are running outside. I am using Route 53 DNS to communicate between the Java services and the other services which are running outside.

I am getting the error "hostname is not able to resolve" in the Java service if I allow traffic for the protocol DNS (UDP) 53:
  Inbound DNS(UDP) 53
  Outbound DNS(UDP) 53

It works fine if I allow all UDP traffic in the ACL:
  Inbound All UDP
  Outbound All UDP

What is the correct protocol and port that has to be configured for both inbound and outbound in the network ACL to resolve the above error?

1 Answer

Michael - sqlbot On Best Solutions

You'll find that this also works:

Outbound UDP 53
Inbound UDP Any

Network ACLs are stateless, so the answer to your question is actually unrelated to Route 53, but rather depends on what source port your Java resolver is using. Presumably, it's an ephemeral port. You'll need to identify that port or port range and allow it inbound.

Your configuration doesn't work because it assumes you are sending the requests using 53 as the source port. Unlike security groups, Network ACLs don't automatically allow response traffic matching allowed requests. Your configuration allows the request to go out, but doesn't allow the response back in. You'll find the same problem if you try to allow, for example, HTTPS. 443 in and out is not the correct configuration there, either -- it's 443 out and ephemeral range in.
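As an added illustration (not code from the question or the answer), the following Python model evaluates network ACL rules statelessly, the way the answer describes, and shows why the asker's 53-in/53-out rule set drops the DNS reply while 53-out plus an ephemeral inbound range lets the exchange complete. The ephemeral range 1024-65535, the rule numbers and the first-match semantics are assumptions modelled on AWS network ACL behaviour.

```python
"""Stateless network ACL model: why "UDP 53 in + UDP 53 out" breaks DNS
resolution while "UDP 53 out + ephemeral range in" works.

Constructed example, not AWS code. Rules mirror the AWS network ACL model:
evaluated in ascending rule-number order, first match wins, port ranges
match the destination port of each packet, and the final rule is deny."""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed resolver source-port range


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str   # "inbound" or "outbound"
    proto: str       # "udp", "tcp", or "all"
    ports: tuple     # (low, high) destination-port range
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dst_port: int


def nacl_permits(rules, pkt):
    """Judge one packet on its own: no flow state, no automatic reply allowance."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != pkt.direction or r.proto not in ("all", pkt.proto):
            continue
        lo, hi = r.ports
        if lo <= pkt.dst_port <= hi:
            return r.action == "allow"
    return False  # implicit final deny rule


def dns_lookup_succeeds(rules, src_port=41234):
    """A UDP DNS lookup is two packets: query out to port 53, reply back to our source port."""
    query = Packet("outbound", "udp", dst_port=53)
    reply = Packet("inbound", "udp", dst_port=src_port)
    return nacl_permits(rules, query) and nacl_permits(rules, reply)


# The asker's rule set: DNS (UDP) 53 inbound and outbound.
BROKEN = [Rule(100, "inbound", "udp", (53, 53)), Rule(100, "outbound", "udp", (53, 53))]
# The answer's rule set: 53 out, ephemeral range in (narrower than "all UDP").
FIXED = [Rule(100, "inbound", "udp", EPHEMERAL), Rule(100, "outbound", "udp", (53, 53))]

if __name__ == "__main__":
    print("53 in / 53 out:", dns_lookup_succeeds(BROKEN))           # False
    print("53 out / ephemeral in:", dns_lookup_succeeds(FIXED))      # True
```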