AWS Certified Advanced Networking - Specialty (#51)

You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can. What should you do to provide on-premises users with access to the private hosted zone?

Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
Update the on-premises forwarders with the four name servers assigned to the private hosted zone.