I was wrestling with the same issue today and ran across your post. Got me thinking more than I was, thanks for pushing me out of my box.
Some example data for this post:
VPN public server addresses are as such:
12.13.14.15
22.23.24.25
32.33.34.35
...
Set up slave DNS in AWS (using micro instances as they are freeeeeee) with EIPs
- put them in different regions so if one region goes down you have backup
- you could use a multi-zone setup also to allow for zone failure.
ns_xy (1.2.3.4)
ns_xz (5.6.7.8)
Fill the slaves with data from the masters from wherever they might live.
I am assuming you are using OpenVPN, but other VPN servers have the same type of ability - an assumption.
Set up the VPN server to push options:
# these options push the DNS entries to the clients
# All VPN servers have a similar setup
--push "dhcp-option DNS 1.2.3.4" --push "dhcp-option DNS 5.6.7.8"
Set up your VPN to push a host route to each of the DNS slave servers. So, all connections to 1.2.3.4 and 5.6.7.8 happen via the VPN system and pop out of the VPN server's public address (e.g. 12.13.14.15):
--push "route 1.2.3.4 255.255.255.255"
--push "route 5.6.7.8 255.255.255.255"
Do this on each VPN connection so no matter what order the VPNs are established they get the same DNS resolvers.
Now back at AWS, set up the security group so it only allows DNS (53) from 12.13.14.15, 22.23.24.25, 32.33.34.35,...
With your DNS servers locked down, only your VPN boxes will be able to resolve against them. This stops sniffers and dictionary attacks against your DNS from script kiddies - important.
With your clients having a host route back to the DNS slaves, via your VPN box, only your clients will be able to access them, and only when they are on the VPN.
With the AWS DNS servers set as slaves you can do whatever you want in your masters for x.com, y.com, z.com and the slaves at AWS will get the updates in a timely manner.
This was not my first solution, but I think it will be the one I am going to build. If you have input on this, please suggest some, if you solved this some other way, please let me know. --tls
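As an added example (not part of the post above, and not OpenVPN's or AWS's own code), the following Python models the two halves of the design: the OpenVPN push directives that hand clients the resolvers and a /32 host route to each, and the security-group allow-list that lets port 53 in only from the VPN servers' public addresses. The EC2-style rule dictionaries and the "wide open" rule set are constructed samples; the IP addresses are the ones used in the post. The check function evaluates a rule set the way a security group does (allow-list, any matching rule permits), so you can verify that a non-VPN source is refused and spot a 0.0.0.0/0 rule that would turn the slaves into open resolvers.

```python
import ipaddress

# Values from the post: VPN servers' public addresses and the two DNS slaves in AWS.
VPN_PUBLIC_IPS = ["12.13.14.15", "22.23.24.25", "32.33.34.35"]
DNS_SLAVES = ["1.2.3.4", "5.6.7.8"]


def openvpn_push_directives(dns_servers):
    """server.conf lines: a DNS option and a /32 host route for every resolver,
    so resolver traffic always leaves via the VPN server's public address."""
    lines = [f'push "dhcp-option DNS {ip}"' for ip in dns_servers]
    lines += [f'push "route {ip} 255.255.255.255"' for ip in dns_servers]
    return lines


def dns_security_group_rules(vpn_public_ips):
    """Ingress rules (constructed, EC2 IpPermissions-like shape): UDP and TCP 53,
    each allowed only from the VPN servers' /32 addresses."""
    return [
        {"IpProtocol": proto, "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": f"{ip}/32"} for ip in vpn_public_ips]}
        for proto in ("udp", "tcp")
    ]


# Constructed sample of the misconfiguration the post warns against: DNS open to the world.
WORLD_OPEN_RULES = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def ingress_allowed(rules, src_ip, proto, port):
    """Security groups are pure allow-lists: a packet gets in if any rule matches
    protocol, port range and source CIDR; otherwise it is dropped."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["IpProtocol"] != proto:
            continue
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        for ip_range in rule["IpRanges"]:
            if src in ipaddress.ip_network(ip_range["CidrIp"], strict=False):
                return True
    return False


def world_open_dns_rules(rules):
    """Return (proto, cidr) pairs that expose port 53 to every source address,
    i.e. the setting that would make the slaves usable by anyone on the Internet."""
    findings = []
    for rule in rules:
        if not rule["FromPort"] <= 53 <= rule["ToPort"]:
            continue
        for ip_range in rule["IpRanges"]:
            if ipaddress.ip_network(ip_range["CidrIp"], strict=False).prefixlen == 0:
                findings.append((rule["IpProtocol"], ip_range["CidrIp"]))
    return findings


if __name__ == "__main__":
    locked = dns_security_group_rules(VPN_PUBLIC_IPS)
    print("\n".join(openvpn_push_directives(DNS_SLAVES)))
    print("VPN box may query:", ingress_allowed(locked, "12.13.14.15", "udp", 53))
    print("random host may query:", ingress_allowed(locked, "9.9.9.9", "udp", 53))
    print("world-open findings:", world_open_dns_rules(WORLD_OPEN_RULES))
```

The push lines are emitted in the quoted form OpenVPN's server config expects; on the command line the same arguments go after `--push`. The audit function is the check worth running after any change to the group: an empty finding list means the slaves answer only your VPN boxes.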