You don’t need to set up a DNS server or Route 53 Zone, you can use the Route 53 Resolver. It allows a conditional forwarder for any domain you wish and you can point it straight at an IPA DNS server.
It’s built into AWS: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html + https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
(Announcement: https://aws.amazon.com/blogs/aws/new-amazon-route-53-resolver-for-hybrid-clouds/) and works great with IPA and even MS AD.

John

On 23 May 2019, at 18:53, Stepan Vardanyan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

After a lot of replies I see that using VPN tunnels to reach servers is the best option.

But there is a DNS issue also.
I see two options with a private zone (both are unwanted for us):
- set up DNS forwarding to our private DNS server in each AWS account (using bind9 for example);
- create a Route53 zone with the exact same domain name and populate it with the actual SRV records (this one is pretty ugly).
So, what about using public DNS domain in FreeIPA (say ipa.example.com)?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
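The conditional-forwarder setup John describes, as an added Terraform example that is not part of this thread: an outbound Route 53 Resolver endpoint, a FORWARD rule for the IPA domain pointing at the IPA DNS servers reached over the VPN, and a security group that restricts the endpoint to DNS traffic toward those servers only. The VPC and subnet IDs, the server addresses and the domain name are placeholders.

```hcl
# Added example, not from the thread. Placeholder IDs/addresses throughout.
variable "ipa_dns_servers" {
  type    = list(string)
  default = ["10.10.0.10", "10.10.0.11"] # IPA DNS servers reachable via VPN
}

# Endpoint ENIs may only speak DNS, and only to the IPA servers.
resource "aws_security_group" "resolver_outbound" {
  name   = "route53-resolver-outbound"
  vpc_id = "vpc-0123456789abcdef0"
  dynamic "egress" {
    for_each = toset(["udp", "tcp"])
    content {
      protocol    = egress.value
      from_port   = 53
      to_port     = 53
      cidr_blocks = [for ip in var.ipa_dns_servers : "${ip}/32"]
    }
  }
}

# Outbound endpoint: the source of forwarded queries (two AZs for HA).
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-ipa"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]
  ip_address { subnet_id = "subnet-0123456789abcdef0" }
  ip_address { subnet_id = "subnet-0123456789abcdef1" }
}

# Conditional forwarder: ipa.example.com and its subdomains -> IPA DNS.
resource "aws_route53_resolver_rule" "ipa" {
  domain_name          = "ipa.example.com"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  dynamic "target_ip" {
    for_each = toset(var.ipa_dns_servers)
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# Attach the rule to every VPC whose instances must resolve IPA names.
resource "aws_route53_resolver_rule_association" "ipa" {
  resolver_rule_id = aws_route53_resolver_rule.ipa.id
  vpc_id           = "vpc-0123456789abcdef0"
}
```

Instances in the associated VPCs keep using the VPC's own resolver; only queries under ipa.example.com are forwarded. Any reverse (in-addr.arpa) zones that IPA serves need a rule of their own.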