DOC-1678 DNS forwarding (#425)

* DOC-1678 DNS forwarding

* fix formatting

* coderabbit suggestions

* edits

* recommend Route 53

Author: micheleRP

modules/networking/pages/aws-privatelink.adoc

@@ -28,6 +28,8 @@ After <<get-a-cloud-api-access-token,getting an access token>>, you can <<create
 
 TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. 
 
+NOTE: Enabling PrivateLink changes private DNS behavior for your cluster. Before configuring connections, review <<dns-resolution-with-privatelink>>.
+
 == Get a Cloud API access token
 
 include::networking:partial$private-links-api-access-token.adoc[]
@@ -188,6 +190,10 @@ curl -X GET \
     $PUBLIC_API_ENDPOINT/v1/clusters/$CLUSTER_ID | jq '.cluster.aws_private_link.status | {service_name, service_state}'
 ----
 
+== DNS resolution with PrivateLink
+
+include::networking:partial$dns_resolution.adoc[]
+
 == Configure PrivateLink connection to Redpanda Cloud
 
 When you have a PrivateLink-enabled cluster, you can create an endpoint to connect your VPC and your cluster.
@@ -203,6 +209,8 @@ For example, if the bootstrap server URL is: `seed-3da65a4a.cki01qgth38kk81ard3g
 CLUSTER_DOMAIN=<cluster_domain>
 ----
 
+NOTE: Use `<cluster_domain>` as the domain you target with your DNS conditional forward (optionally also `*.<cluster_domain>` if your DNS platform requires a wildcard).
+
 === Get name of PrivateLink endpoint service
 
 The service name is required to <<create-vpc-endpoint,create VPC private endpoints>>. Run the following command to get the service name:

modules/networking/pages/configure-privatelink-in-cloud-ui.adoc

@@ -23,6 +23,10 @@ Consider using the endpoint service if you have multiple VPCs and could benefit
 
 TIP: In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds. 
 
+== DNS resolution with PrivateLink
+
+include::networking:partial$dns_resolution.adoc[]
+
 == Enable endpoint service for existing clusters
 
 . In the Redpanda Cloud UI, select your https://cloud.redpanda.com/clusters[cluster^], and go to the *Cluster settings* page.

modules/networking/partials/dns_resolution.adoc

@@ -0,0 +1,17 @@
+PrivateLink changes how DNS resolution works for your cluster. When you query cluster hostnames outside the VPC that contains your PrivateLink endpoint, DNS may return private IP addresses that aren't reachable from your location.
+
+To resolve cluster hostnames from other VPCs or on-premise networks, set up DNS forwarding using Route 53 Resolver:
+
+. In the VPC that contains your PrivateLink endpoint, create a Route 53 Resolver inbound endpoint.
++
+Ensure that the inbound endpoint's security group allows inbound UDP/TCP port 53 from each VPC or on-prem network that will forward queries.
+
+. In each other VPC that must resolve the cluster domain, create a Resolver outbound endpoint and a forwarding rule for `<cluster_domain>` that targets the inbound endpoint IPs from the previous step. Associate the rule to those VPCs.
++
+The cluster domain is the suffix after the seed hostname. For example, if your bootstrap server URL is: `seed-3da65a4a.cki01qgth38kk81ard3g.byoc.dev.cloud.redpanda.com:9092`, then `cluster_domain` is: `cki01qgth38kk81ard3g.byoc.dev.cloud.redpanda.com`.
+. For on-premises DNS, create a conditional forwarder for `<cluster_domain>` that forwards to the inbound endpoint IPs from the earlier step (over VPN/Direct Connect).
++
+[IMPORTANT]
+====
+Do not configure forwarding rules to target the VPC's Amazon-provided DNS resolver (VPC base CIDR + 2). Rules must target the IP addresses of Route 53 Resolver endpoints.
+====