Example of private route 53 - amazon-web-services

Private Route 53 has a nameserver. To use private Route 53, do I have to purchase the domain directly and connect it to the name server?
There is a CNAME in public Route 53 but not in private Route 53. I don't know whether you create a domain yourself, or how applying the domain and the name server works.

Neither a new domain acquisition nor the setup of new name servers is necessary in order to use Private Route 53. Domain name resolution on the public internet cannot be done using Private Route 53; it can only be done inside your VPC.
In Route 53, construct a private hosted zone that will let you utilize unique domain names for your internal resources. A domain name specific to your business, such as mycompany.local, is often created and linked to the private hosted zone to accomplish this. With the creation of the private hosted zone, you can construct DNS records that point to internal resources, including EC2 instances, RDS databases, and other resources in your VPC.
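The steps described in the answer above, as an added example that is not part of the original thread: a script that creates a private hosted zone bound to one VPC and adds an A record for an internal host, with a guardrail that refuses to put an RFC 1918 address into a zone that is not private (the VPC id, region, zone name, host and IP are assumed placeholders).

```shell
#!/bin/sh
# Added example, not from the thread. Creates a Route 53 private hosted zone
# bound to one VPC and adds an A record for an internal host. The VPC id,
# region, zone name, host and IP below are assumed placeholders.
set -eu

# True for RFC 1918 (private) IPv4 addresses.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON change batch for an UPSERT of one A record (name, IPv4).
a_record_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$1" "$2"
}

# Private hosted zones only resolve inside a VPC with both DNS attributes on.
enable_vpc_dns() {  # $1 vpc id
  aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-support '{"Value":true}'
  aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-hostnames '{"Value":true}'
}

# Creates the zone attached to the VPC and prints its hosted zone id.
create_private_zone() {  # $1 zone name, $2 vpc id, $3 region
  aws route53 create-hosted-zone \
    --name "$1" --caller-reference "$1-$(date +%s)" \
    --vpc "VPCRegion=$3,VPCId=$2" \
    --hosted-zone-config "Comment=internal only,PrivateZone=true" \
    --query 'HostedZone.Id' --output text
}

# Guardrail: an internal address never goes into a zone that is not private,
# otherwise the record would publish the host's origin IP to the internet.
add_internal_a_record() {  # $1 zone id, $2 fqdn, $3 ip
  if is_rfc1918 "$3"; then
    private=$(aws route53 get-hosted-zone --id "$1" --query 'Config.PrivateZone' --output text)
    [ "$private" = "True" ] || { echo "refusing: $3 is internal but zone $1 is public" >&2; return 1; }
  fi
  aws route53 change-resource-record-sets --hosted-zone-id "$1" \
    --change-batch "$(a_record_batch "$2" "$3")"
}

if [ "${RUN_ROUTE53:-0}" = 1 ]; then   # needs AWS credentials; off by default
  enable_vpc_dns vpc-0123456789abcdef0
  zone=$(create_private_zone mycompany.local vpc-0123456789abcdef0 us-east-1)
  add_internal_a_record "$zone" app.mycompany.local 10.0.1.5
fi
```

Run with `RUN_ROUTE53=1` and valid AWS credentials to actually create the zone; without it the script only defines the functions.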

Related

AWS Route 53 Public Hosted Zone

Can an AWS public hosted zone work without a registered domain?
I created a hosted zone for a domain name, e.g. example.com. Keep in mind I don't own or register the domain name; I just used it for the hosted zone. Then I created the record to route traffic to my Elastic Beanstalk application. It didn't work.
Did it not work because I didn't own the domain?

AWS Route 53 - Public sub-domain not accessible publicly?

I have purchased a domain company.com and created a public sub-domain sales.company.com (a public hosted zone in Route 53). I mapped (created an A record) the sub-domain to an internal application load balancer (ALB), i.e. this ALB can only be accessed within my company network. My understanding was that a public sub-domain can be mapped to a private internal ALB, but when I try to access this public sub-domain it is not reachable from the internet and I get "This site can't be reached".
Does the ALB have to be a public ALB, or is there anything else I need to fix here to make it publicly accessible?
Since you are using a "public hosted zone in Route 53", any A, CNAME or ALIAS record must point to a public endpoint available over the internet. From the docs:
A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain.
Thus your ALB must be publicly available. If you want to keep it as an internal ALB (private), you have to create a private hosted zone. This way you can access it only from within a VPC, not over the internet, unless you are using a VPN.

Does AWS Route53 support ACL to limit TXT records to public

Does AWS Route53 DNS support any kind of proprietary access list (ACL) to limit some DNS records (TXT records) to the public, but still keep those TXT records reachable from within AWS account?
I know DNS server's intention is to expose all DNS records to public, but some TXT records could be too revealing about implementation.
Example: Kubernetes "external DNS controller" which creates A-records and adds the TXT records. DNS controller relies on "owner" attribute in TXT record to determine if it allows making changes to that record, so TXT records can't be removed entirely.
service-a.example.com. A 192.0.2.4
service-a.example.com. TXT "heritage=external-dns,external-dns/owner=eks/my-eks-cluster,external-dns/resource=service/test/my-svc2"
R53 offers private hosted zones that you can associate with your VPCs so that internal traffic can add/update/resolve records while keeping this information private. Perhaps you can leverage a private hosted zone for DNS that needs to remain internal.
I guess I found the answer myself...
Yes, I am aware of private zones in Route 53, but honestly I am trying to avoid them because it is impossible to request an AWS SSL cert for a private zone unless you also run AWS Private CA (which is expensive). Second, you would need to adjust "split DNS" on your VPN server, which often is not fully automated, so a public DNS zone is much preferred.
Yes, I realize that filtering DNS records by type is an anti-pattern for DNS as a concept, so it is probably not implemented anywhere.
The solution based on AWS Route 53 could be the following:
create public DNS zone via aws servicediscovery create-public-dns-namespace
run Kubernetes externalDNS controller with --provider=aws-sd
In that case the externalDNS controller will register Kubernetes service/ingress in AWS Service Discovery, where it will store the "description" record that shows your internal implementation. At the same time, the public DNS zone will only contain A-record which is pretty harmless.
In that case it is possible to register your private & public Ingresses/ALBs in the same public DNS zone, like this:
pub-svc1.my.domain
pub-svc1.private.my.domain
That way all VPN clients would be able to resolve both types of names: no need for an extra private DNS zone nor for extra "split DNS" VPN configuration; plus you could request public SSL certs via AWS for your *.private.my.domain.

DNS names within VPN VPC

We can connect to our AWS EC2 only from within the company VPN. I made a request to create DNS names for the servers. This would be made using AWS Route 53.
The operations team says that having a DNS name is a security risk and the explanation is
"Names are easy to guess compared to IP addresses"
"setting up a DNS for a server in the public zone directly exposes the server's origin IP and opens up a potential for DDoS attacks as well as subnet vulnerability"
The servers are not exposed outside our VPN. We have separate AWS accounts for different teams and public zone here refers to a different team.
Does the operations team have a valid argument?
You should create a Route 53 Private Hosted Zone so the DNS name can't be resolved publicly.
You then need to configure the DNS server in the office to incorporate DNS responses from Route 53 by using a forwarder.
I don't know the full details, but here are some articles that should help:
Resolving DNS Queries Between VPCs and Your Network - Amazon Route 53
Resolve a Private Hosted Zone over VPN with Directory Service
Use an Inbound Endpoint to Resolve Records in a Private Hosted Zone From a Remote Network

Mapping domain to AWS instance won't work

I want to map an AWS instance to a registered domain from my national domain provider.
In my domain's panel, I am asked to provide:
Primary DNS Hostname
Primary DNS Netaddress
Secondary DNS Hostname
Secondary DNS Netaddress
Here's my AWS instance:
and my Domain panel:
In the Primary DNS Hostname and Primary DNS Netaddress fields, I have included my instance's Public DNS and Public IP respectively.
Did I provide correct data in my domain's panel? Additionally, where can I find my instance's Secondary DNS Hostname and DNS Netaddress?
Thank you
Unless you are running your own DNS server, you are doing this wrong.
You should connect your registrar ('domain provider') to Amazon's Route 53. Here are Amazon's steps to migrate to Route 53. There will be four nameservers to use in your hosted zone ('dns domain', roughly). If your registrar only takes two, that's okay.
I'd very strongly suggest not entering anything in the IP ('netaddress'), as AWS changes the IPs.
If you have any trouble, share the registrar you are using.