I wish it's this, but I don't think so. If it was this, wouldn't doing
dig @192.168.30.8 neptune.external.example.com work at least? The
host 192.168.30.8 being in the office? How is your VPC? Do you have
public and private and NAT between? Or just a flat public? I went
with the latter as I assumed IPA doesn't like working over NAT.

Yeah, most of this DNS is on-premise; again because of a corporate desire
to use AD for DNS. We basically point all our nameservers at the
on-prem domain controllers and don't use FreeIPA for DNS records really
much at all (even the _SRV records that enable FreeIPA auto-discovery)
-- but no network, DNS query or technical issues at all with DNS being
outside of AWS -- it works fine for us, even for DNS queries made on the IPA
masters. For rare cases where that did not work (HPC use cases) we
did the dnsmasq thing so we could inject custom reverse DNS responses
while still delegating other queries back to the domain controllers.
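A minimal dnsmasq configuration for the arrangement described above, added here as an example and not the poster's own config: a few reverse-DNS answers are served locally while every other query is forwarded to the on-prem domain controller. The 192.168.30.8 upstream is the address mentioned earlier in the thread; the 10.20.0.0/24 HPC addresses and hostnames are constructed placeholders.

```conf
# /etc/dnsmasq.conf on an IPA master (added example; addresses below are
# placeholders except 192.168.30.8, which is taken from the thread).

# Only answer on the loopback interface; point /etc/resolv.conf on this
# host at 127.0.0.1 so local services (IPA, sssd, ssh) use dnsmasq.
listen-address=127.0.0.1
bind-interfaces

# Ignore /etc/resolv.conf; the only upstream is the AD domain controller,
# so anything dnsmasq cannot answer itself is delegated back to AD.
no-resolv
server=192.168.30.8

# Do not forward bare, unqualified names upstream.
domain-needed

# Do NOT set bogus-priv here: it would answer NXDOMAIN for every private
# reverse lookup not listed below instead of forwarding it to the DC.

# Locally injected PTR records for the HPC nodes (constructed values).
# dnsmasq checks its own records before forwarding, so these addresses
# are answered here; every other 10.20.0.x lookup still goes to AD.
ptr-record=11.0.20.10.in-addr.arpa,hpc-node01.hpc.example.com
ptr-record=12.0.20.10.in-addr.arpa,hpc-node02.hpc.example.com
ptr-record=13.0.20.10.in-addr.arpa,hpc-node03.hpc.example.com

# Log every query to syslog while validating the setup; disable in production.
log-queries
```

Verify with `dig -x 10.20.0.11 @127.0.0.1` (answered locally) and `dig -x 10.20.0.50 @127.0.0.1` (forwarded to the DC); the syslog entries from log-queries show which path each query took.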