
Quick Answer

The answer is that the VPC must have both the enableDnsHostnames and enableDnsSupport attributes set to true. This configuration is required because the Amazon-provided DNS resolver, located at the VPC’s base CIDR plus two address, relies on these two flags to perform DNS resolution for a Route 53 private hosted zone. When both attributes are enabled, the resolver can query the private hosted zone associated with the VPC and return the custom domain names to EC2 instances; without them, the resolver will not process private zone records, even if the zone is correctly associated. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this concept tests your understanding of how VPC DNS settings interact with Route 53 private hosted zones—a common trap is assuming that simply associating the zone with the VPC is sufficient. A reliable memory tip is to think of the two attributes as the “DNS double-check”: enableDnsSupport turns on the resolver, and enableDnsHostnames gives instances the hostnames to resolve.

ANS-C01 Network Design Practice Question

This ANS-C01 practice question tests your understanding of network design. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has an Amazon Route 53 private hosted zone associated with a VPC. The company wants to resolve custom domain names for resources within that VPC. Which configuration is required for EC2 instances in the VPC to resolve these private hosted zone records?


Correct answer & explanation

Ensure that the VPC has the enableDnsHostnames and enableDnsSupport attributes set to true

Option C is correct because for EC2 instances in a VPC to resolve records in a Route 53 private hosted zone, the VPC must have both the `enableDnsHostnames` and `enableDnsSupport` attributes set to `true`. These settings enable the VPC's built-in DNS resolver (the Amazon-provided DNS server at the VPC's base CIDR +2 address) to query the private hosted zone and return the custom domain names to instances. Without these attributes, the VPC DNS resolver cannot perform resolution for private hosted zones, even if the zone is associated with the VPC.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure a Route 53 Resolver inbound endpoint in the VPC

    Why it's wrong here

    An inbound endpoint allows on-premises resolvers to forward queries to the VPC, not for instances within the VPC to resolve private zones.

  • Create a Route 53 Resolver outbound endpoint in the VPC

    Why it's wrong here

    An outbound endpoint is used to forward DNS queries to on-premises resolvers, not for resolving private hosted zones within the VPC.

  • Ensure that the VPC has the enableDnsHostnames and enableDnsSupport attributes set to true

    Why this is correct

    These settings enable DNS resolution within the VPC using the Route 53 Resolver, allowing instances to resolve private hosted zone records.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Establish a VPC peering connection with the Route 53 hosted zone

    Why it's wrong here

    VPC peering is not required for private hosted zones; the zone is already associated with the VPC.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume a private hosted zone automatically works for all instances in the VPC, overlooking the mandatory VPC DNS attributes (`enableDnsHostnames` and `enableDnsSupport`) that must be enabled for the VPC's DNS resolver to query the private hosted zone.

Detailed technical explanation

How to think about this question

The Amazon-provided DNS server (at the VPC's base CIDR +2, e.g., 10.0.0.2) acts as a conditional forwarder for private hosted zones associated with the VPC. When `enableDnsSupport` is `true`, the VPC uses this DNS server; when `enableDnsHostnames` is `true`, EC2 instances receive public DNS hostnames (if in a default VPC) and the DNS server can resolve private hosted zone records. A common real-world scenario is when a VPC is created via CloudFormation without these attributes enabled by default, causing private hosted zone resolution to fail until they are explicitly set.
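The check described above, as an added example that is not part of the original page: it computes the resolver address (base CIDR + 2) and flags VPCs that have a private hosted zone associated while either DNS attribute is off. The VPC IDs, CIDRs and zone names are constructed; the JSON strings follow the shape returned by `aws ec2 describe-vpc-attribute`.

```python
import ipaddress
import json

REQUIRED = ("EnableDnsSupport", "EnableDnsHostnames")

def amazon_dns_address(vpc_cidr):
    """Amazon-provided DNS server: the VPC's base CIDR address plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)

def merge_attributes(responses):
    """Fold describe-vpc-attribute style JSON documents into {vpc_id: {attr: bool}}."""
    state = {}
    for raw in responses:
        doc = json.loads(raw)
        attrs = state.setdefault(doc["VpcId"], {})
        for name in REQUIRED:
            if name in doc:
                attrs[name] = bool(doc[name]["Value"])
    return state

def audit(vpcs, responses):
    """Report VPCs that have a private hosted zone but lack a required DNS attribute."""
    state = merge_attributes(responses)
    findings = []
    for vpc_id, info in sorted(vpcs.items()):
        if not info["private_zones"]:
            continue  # no private hosted zone associated, nothing to break
        # An attribute that was never collected counts as missing, so gaps surface.
        missing = [n for n in REQUIRED if not state.get(vpc_id, {}).get(n, False)]
        if missing:
            findings.append({"vpc": vpc_id, "resolver": amazon_dns_address(info["cidr"]),
                             "zones": info["private_zones"], "missing": missing})
    return findings

# Constructed inventory: every ID, CIDR and zone name below is made up for this example.
VPCS = {
    "vpc-0aaa": {"cidr": "10.0.0.0/16", "private_zones": ["corp.example.internal"]},
    "vpc-0bbb": {"cidr": "172.31.0.0/16", "private_zones": ["apps.example.internal"]},
    "vpc-0ccc": {"cidr": "192.168.8.0/22", "private_zones": []},
}
RESPONSES = [
    '{"VpcId": "vpc-0aaa", "EnableDnsSupport": {"Value": true}}',
    '{"VpcId": "vpc-0aaa", "EnableDnsHostnames": {"Value": true}}',
    '{"VpcId": "vpc-0bbb", "EnableDnsSupport": {"Value": true}}',
    '{"VpcId": "vpc-0bbb", "EnableDnsHostnames": {"Value": false}}',
    '{"VpcId": "vpc-0ccc", "EnableDnsSupport": {"Value": false}}',
]

if __name__ == "__main__":
    for f in audit(VPCS, RESPONSES):
        print(f["vpc"], "resolver", f["resolver"], "missing", ", ".join(f["missing"]))
```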

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this ANS-C01 question test?

This question tests Network Design. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Ensure that the VPC has the enableDnsHostnames and enableDnsSupport attributes set to true — Option C is correct because for EC2 instances in a VPC to resolve records in a Route 53 private hosted zone, the VPC must have both the `enableDnsHostnames` and `enableDnsSupport` attributes set to `true`. These settings enable the VPC's built-in DNS resolver (the Amazon-provided DNS server at the VPC's base CIDR +2 address) to query the private hosted zone and return the custom domain names to instances. Without these attributes, the VPC DNS resolver cannot perform resolution for private hosted zones, even if the zone is associated with the VPC.

What should I do if I get this ANS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on ANS-C01

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A network engineer runs the AWS CLI command shown in the exhibit. The VPC has an Amazon Route 53 private hosted zone associated. What is the impact of this setting?

Difficulty: easy

  • A. No instances in the VPC can resolve DNS records from the private hosted zone.
  • B. Only instances in public subnets can resolve private hosted zone records.
  • C. The DHCP option set must be updated to provide DNS resolution.
  • D. The private hosted zone is automatically deleted.

Why A: Option B is correct because when DNS support is disabled, instances in the VPC cannot use the DNS resolution provided by the VPC's Route 53 Resolver, including private hosted zones. Option A is incorrect because the VPC's DNS resolution affects all resources. Option C is incorrect because the private hosted zone is still associated but not resolvable. Option D is incorrect because the DHCP option set is separate.

Last reviewed: Jun 24, 2026
