Private VPC Hosted Zone is using .local TLD
AWS VPCs offer the ability to use Private Hosted Zones, allowing DNS queries within the VPC to be resolved by the hosted zone first. Matching records are served from this hosted zone before attempting to resolve queries over the public internet. This enables dynamic records that can point to local services within the VPC, bypassing the need to access public-facing versions of those services.
This pattern is especially useful for shared resources like database endpoints, internal APIs, or Bastion hosts that may exist in every project environment. By resolving these services locally within the VPC, you can enhance security, reduce latency, and simplify internal networking.
However, when configuring a Private Hosted Zone, you must choose a top-level domain (TLD) for internal use. While it might seem convenient to use private TLDs such as .local, .private, or .home, this is not recommended. These private TLDs were never standardized for this use, leading to inconsistent behavior across different operating systems and software. For example, .local is handled differently by systemd-resolved, which is often found on Ubuntu systems: .local is reserved for Multicast DNS (RFC 6762), so the resolver may answer such queries via mDNS instead of forwarding them to the VPC DNS server. Depending on your Ubuntu version, .local domains will not resolve to the records in the hosted zone, leaving those queries unresolved.
As a best practice, use a private subdomain of a public domain that your organization owns. For example, if your company owns organization.com, you could create a subdomain like private.organization.com for internal use. This approach avoids the issues with private TLDs and prevents conflicts with public records, since any public records for the subdomain private.organization.com are under your organisation's control.
Additionally, this allows TLS certificates for the domain to be provisioned centrally and published or shared with accounts across the organisation, removing the need for development teams to provision their own certificates. This helps meet TLS-everywhere requirements should your organisation require that level of security.
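The check described above, written as an added example (not SkySiege's own scanner): it flags Route 53 private hosted zones whose name ends in one of the ad-hoc TLDs listed here, or that are not under a public domain the organisation owns. The zone dicts follow the shape of boto3's route53 list_hosted_zones() response; the sample zones and the owned domain organization.com are constructed for the example.

```python
# Added example: flag Route 53 private hosted zones that use an ad-hoc TLD
# instead of a subdomain of a domain the organisation owns. The zone dicts
# mirror boto3's list_hosted_zones()["HostedZones"] shape; the sample data
# below is constructed, not taken from any real account.
from typing import List, Optional

# Ad-hoc TLDs the article warns about. .local is reserved for Multicast DNS
# (RFC 6762), which is why systemd-resolved does not treat it as unicast DNS.
PRIVATE_TLDS = {"local", "private", "home"}


def normalise(name: str) -> str:
    """Route 53 returns fully qualified names with a trailing dot."""
    return name.rstrip(".").lower()


def is_under(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it."""
    name, parent = normalise(name), normalise(parent)
    return name == parent or name.endswith("." + parent)


def check_zone(zone: dict, owned_domains: List[str]) -> Optional[str]:
    """Return a finding for a private zone, or None if it passes the check."""
    if not zone.get("Config", {}).get("PrivateZone"):
        return None  # public zones are out of scope for this check
    name = normalise(zone["Name"])
    tld = name.rsplit(".", 1)[-1]
    if tld in PRIVATE_TLDS:
        return f"{name}: uses non-standard private TLD .{tld}"
    if not any(is_under(name, d) for d in owned_domains):
        return f"{name}: not a subdomain of an organisation-owned domain"
    return None


def find_findings(zones: List[dict], owned_domains: List[str]) -> List[str]:
    """Run check_zone over every hosted zone and keep only the findings."""
    return [f for f in (check_zone(z, owned_domains) for z in zones) if f]


# Constructed sample resembling list_hosted_zones()["HostedZones"].
SAMPLE_ZONES = [
    {"Id": "/hostedzone/EXAMPLE1", "Name": "corp.local.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/EXAMPLE2", "Name": "private.organization.com.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/EXAMPLE3", "Name": "dev.home.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/EXAMPLE4", "Name": "organization.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/EXAMPLE5", "Name": "internal.example.net.", "Config": {"PrivateZone": True}},
]

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_ZONES, ["organization.com"]):
        print(finding)
```

To run it against a real account, replace SAMPLE_ZONES with the "HostedZones" list returned by boto3's route53 client and pass the domains your organisation actually owns.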
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.