Custom hostname for AWS ClientVPN? - amazon-web-services

Say I have the following record:
*.foo.bar CNAME *.baz.qux
If I do a DNS query on test.foo.bar, will it return the record for test.baz.qux? Or will it do something else?
EDIT: There's a reason for wanting to do this. AWS's Client VPN provides an endpoint with random prefix, e.g. *.cvpn-endpoint-foo.bar.clientvpn.us-west-2.amazonaws.com, meaning it will accept a connection with any value used for the prefix (used so there's no DNS caching of the endpoint's A records, corresponding to OpenVPN's remote-random-hostname option). I would like to provide a connection endpoint like *.vpn.mydomain.com. So, I was wondering if there was a way to do this, where a random prefix can be used with the custom domain and have it pass that through to the domain it CNAMEs to.
To summarize: is there a way I can use AWS's Client VPN random prefix via a custom DNS record?

I ran into this question after suffering the same confusion about wildcards and CNAMES. I managed to get a good solution thanks to Yuri's answer putting me in the right direction.
Basically I just chose my own 'random' fixed subdomain for the VPN Endpoint and pointed my CNAME entry to it. So if the VPN Endpoint DNS Name is:
*.cvpn-endpoint-xxxxxx.prod.clientvpn.<region>.amazonaws.com
Then I use the following CNAME entry:
vpn.my-domain.com CNAME <random>.cvpn-endpoint-xxxxxx.prod.clientvpn.<region>.amazonaws.com.
The above entry handles clients without remote-random-hostname capability. I can then add another wildcard CNAME to catch clients with this option enabled:
*.vpn.my-domain.com CNAME vpn.my-domain.com
With these two entries I can happily distribute vpn config that points to vpn.my-domain.com and re-map this in Route53 if I ever need to replace the VPN Endpoint.
Slightly related documentation: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/troubleshooting.html#resolve-host-name

Such a CNAME record is illegal. You cannot have a wildcard * as a CNAME value, only a single domain name on the RHS of a CNAME. You can have something like
*.foo.bar. CNAME zuka.baz.qux.
Also, note the dots at the end of the domain names. Without them, the zone name will be appended.
Update: To clarify this, '*' in the RHS is not a wildcard; it is treated as a regular domain name. So, unless you have a host or subdomain named *.baz.qux, any query for whatever.foo.bar will return not found: 3(NXDOMAIN).
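The behaviour both answers describe, as an added example (not code from either answer): a toy lookup that applies wildcard matching to owner names only and follows CNAME targets verbatim. The zone contents, the `fixed` prefix, the `region` label and the 192.0.2.x addresses are constructed placeholders.

```python
# Added illustration; every name and address in ZONE is a constructed sample.
ENDPOINT = "cvpn-endpoint-xxxxxx.prod.clientvpn.region.amazonaws.com."
ZONE = {
    # The record from the question: '*' on the right-hand side.
    "*.foo.bar.": ("CNAME", "*.baz.qux."),
    "test.baz.qux.": ("A", "192.0.2.1"),
    # The two records from the first answer.
    "vpn.my-domain.com.": ("CNAME", "fixed." + ENDPOINT),
    "*.vpn.my-domain.com.": ("CNAME", "vpn.my-domain.com."),
    # Stand-in for the provider's own wildcard on the endpoint name.
    "*." + ENDPOINT: ("A", "192.0.2.10"),
}

def name_exists(name):
    """A name exists if it, or anything beneath it, owns a record."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def lookup(qname):
    """Exact match first; otherwise the wildcard under the closest encloser."""
    if qname in ZONE:
        return ZONE[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if name_exists(encloser):
            # Wildcard synthesis looks only at the owner name '*.<encloser>'.
            return ZONE.get("*." + encloser)
    return None

def resolve(qname, max_hops=8):
    """Follow CNAMEs; return (chain of names queried, final answer)."""
    chain = [qname]
    for _ in range(max_hops):
        record = lookup(chain[-1])
        if record is None:
            # A fuller resolver would distinguish NODATA from NXDOMAIN.
            return chain, "NXDOMAIN"
        rtype, value = record
        if rtype != "CNAME":
            return chain, value
        chain.append(value)  # the target is used verbatim, '*' included
    return chain, "TOO MANY HOPS"

if __name__ == "__main__":
    for q in ("test.foo.bar.", "k3j2.vpn.my-domain.com.", "vpn.my-domain.com."):
        print(q, "->", resolve(q))
```

The first query ends at the literal name `*.baz.qux.` even though `test.baz.qux.` has an A record; the other two reach the endpoint address through the fixed prefix.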

Related

AWS cognito custom domain A record without actual target

I am trying to set cognito up with a custom domain.
I have a registered domain name, hosted zone with route53. Let's say mydomain.com.
I also created certs for mydomain.com, *.mydomain.com in us-east-1 (N.Virginia) as the documentation instructs.
When I tried my domain, cognito gave me an error saying that I must have an A record. I tried creating an Alias A record. But I don't have an actual Target. I just want to use something like auth.mydomain.com for logging in.
Since I couldn't make sense of an alias record, I created a regular A record and set the target to a dummy IP, 1.1.1.1, since I read that the target isn't really relevant for cognito.
At first it didn't work. But I thought that it's a DNS propagation thing, and I tested it the next day and was able to add the domain to cognito.
My questions are:
Did I do it right? Is it OK to set the A record to a dummy IP as long as my domain doesn't actually point to anything?
Is it possible to remove it after the association with cognito?
Why did it only work after a day? Is this DNS caching/propagation time?
Would that be the case with alias record? Or since alias is AWS aware it would be instant?
Thanks!
Generally speaking, your DNS should have an Apex (A) record pointing to something. If there's nothing yet, and although it is 100% not best practice, then yes, 1.1.1.1 will work (or anything, really).
Once you add your A record, head over to Amazon Certificate Manager to create your ACM certificate for your domain. Make sure your ACM certificate covers your subdomain, and verify it using DNS method. Verification takes about 5 minutes and once your certificate is verified, you'll be able to head over to the Cognito console to set up your custom domain using the certificate you just created.

Use route53 domain as alias for a noip ddns domain

I want to have example.com as my domain instead of example.ddns.net.
I've registered my domain at Amazon AWS.
My question: How can I set this up?
I tried to make a CNAME record and entered my ddns.net domain as the value.
But it shows the following error:
RRSet of type CNAME with DNS name example.com. is not permitted at apex in zone example.com.
You can never use a CNAME at the apex of a zone, e.g. for example.com. You can only use it for hosts in the zone, such as www.example.com.
Options:
(Simple)
Use www.example.com. Create the CNAME. This will work as expected. You can then use an empty S3 bucket named example.com (the bucket name must be exactly the same as your domain name) along with an Alias record, to create a redirect to www.example.com, described here.
(Really simple)
Use www.example.com as the CNAME, as above, and then create an A record with the IP address shown at the top of this page. This of course is a third party dependency, so, do your due diligence. (I am not affiliated with this company.)
(More complex, but guaranteed to impress your friends)
Create a CloudFront web distribution. Use example.com as the Alternate Domain Name¹ and use the ddns hostname as the Origin Host. Then, in Route 53, create example.com as an A record, set Alias to Yes, and select or type the dxxxexample.cloudfront.net hostname that was assigned to your domain when you created it. Wait until the distribution status in the CloudFront console shows "Deployed." Surf to your site at example.com.
You'll be paying for CloudFront in this scenario, of course, so be sure to familiarize yourself with that.
¹ Alternate Domain Name. The CloudFront documentation also refers to this field as a CNAME. Disregard that. It is apparently a case of an unfortunate dumbing-down of the documentation, presumably because the term CNAME is so often casually used in name-based virtual hosting, so they called it what people expect it to be called. Sometimes this value will correspond to a CNAME record, but obviously not this time.

How to set bare domain CName record to point to S3 bucket without affecting MX record

I have a static site hosted in a S3 bucket and a domain registered at Namecheap (e.g mydomain.com)
I would like people to access my site using the bare domain, (i.e without subdomain)
I added a DNS record like so..
Type = CName
Host = @
Value = [URL to S3 bucket]
This works but now emails to mailboxes on that domain (e.g hello@mydomain.com) don't work. I've read that this is because if a CNAME is used to specify the bare canonical name for a host you are not allowed to have any other resource records (e.g MX) for that host.
How can I get around this? I don't want to resort to adding a subdomain like www.
It isn't a valid configuration to have a CNAME at the apex of a zone like this. The DNS provider should not even allow you to create it. Yes, it breaks your MX if you try it.
That's why Route 53 introduced A-record aliases. See the link mentioned in comments for an explanation. Alias records appear to behave like what people commonly assume a CNAME does, but they aren't CNAMEs and are not invalid at the apex.
To do this right, you need to use Route 53 as your authoritative DNS hosting provider.
One workaround is to create a bucket with www. at the beginning instead of the one you have now, create a www CNAME pointing to it, and then set your @ A record to the value provided by a service like http://wwwizer.com, which redirects example.com → www.example.com.
I am not affiliated with that service but I have seen it used for this purpose.

Is it possible to have GoDaddy host my domain name but use AWS to host my website?

I'm a little confused on what AWS is instructing me to do. They are telling me to transfer the name to Route 53 first, which costs 12 bucks. Is there a way to not use Route 53 and still host my website using AWS?
Yes, you can have your domain at any registrar and have your DNS zone hosted anywhere. Just modify DNS records to point to your AWS resources like ELB, EC2 or S3.
Amazon doesn't force you to use Route53.
Yes, this is pretty common.
In Route53, create a new zone for your domain. When you do this, you'll get the NS and SOA records created by default. There will be 4 NS entries. Add any other records you need.
Then, when you're ready to switch, go to the godaddy DNS settings, and change the NS and SOA records to the values in the Route53 zone. By default, I think godaddy only shows 2 NS records, but you can add all 4.
AWS is boss, if you are trying to capitalize on the ACM and get a free SSL you do need to use Route53 to make it happen. Try to test a PTR - Pointer record to your ip address within the DNS to make everything work.
Third Party Domain Registrar/DNS
Create a hosted zone through Route53 and erase all DNS/Nameservers from your domain.
Add the four nameservers to your domain registrar's DNS. They should have a mix of .org, .com, .net and .co.uk or something similar. All four need to be inserted.
After creating your instance and having your domain pointed to it, you will need to point the ip address to Route 53 with an A record. Keep it that way for now.
Generate a certificate with ACM as described above.
Create an ELB as described above as well. Now with the DNS, first make a *.domain.com A record to point to your dualstack.
Then delete the original A record that pointed to your ip address.
Next make sure you point the A record now to your dualstack.loadbalancer for your regular domain.com.
Next, here was the crucial part for me, make a PTR - Pointer record to your ip address with domain.com as the name.
Voila, free certificate will work with Wordpress.
Oh, and if your design looks funky or any issues getting the green bar then it's something embedded so start with this plugin, make sure "HTTP_X_FORWARDED_PROTO (e.g. load balancer, reverse proxy, NginX)" is enabled and then move on from there with your typical ssl auditing. https://wordpress.org/plugins/ssl-insecure-content-fixer/11
A lot of cool info for AWS + Wordpress via bitnami and more details on the SSL here: https://community.bitnami.com/t/connecting-amazon-ssl-via-load-balancer-to-bitnami-aws-marketplace-instance/41460/29
Let me know if you have trouble getting started on actually launching the instance and getting wordpress up first. The domain pointing and ssl is one of the last steps.

DNS CNAME & MX wildcard

I'm using all infrastructure on AWS and I need:
mydomain.com A ALIAS {S3-bucket- > } s3-website-eu-west-1.amazonaws.com.
www.mydomain.com CNAME mydomain.com
-> website on Amazon S3
*.mydomain.com CNAME {beanstalk} -> myserver-app.elasticbeanstalk.com
-> all other subdomains redirect to the Amazon Beanstalk app
*.mydomain.com MX ->
10 XXYY.in1.mandrillapp.com.
20 XXYY.in2.mandrillapp.com.
-> all emails go to mandrillapp.
How is it possible to do it?
As it's written it doesn't work because of CNAME vs. MX wildcards.
I can't use all names because subdomains will be generated dynamically.
Thank you a lot!!
David
As you have found, you can't have a CNAME and any other type of record at the same level of the DNS hierarchy. Route 53 Alias records, which you're using for your bare domain and for www were created to work around this limitation in the design of DNS, and don't have the same incompatibility issue... but the target of an Alias record can only be one of four things, at the moment: a CloudFront distribution, an Elastic Load Balancer, an S3 bucket of the same name as the hostname in the A record, or another record of the same type in the same hosted zone.
The last two won't help you, but either of the first two could.
If your beanstalk application already has an ELB, you can find that name under Load Balancers in the EC2 console, and you should be able to just use that as your Alias target for the * wildcard A-record Alias for your domain. Or, you could add a load balancer to your beanstalk app, for this purpose.
Alternately, you can create a CloudFront distribution, and configure myapp.elasticbeanstalk.com as the "custom origin" server for the distribution. Configure what CloudFront calls an "alternate domain name (CNAME)" in the distribution for *.example.com -- and, incidentally, disregard the fact that the CloudFront console calls it a "CNAME." They can also be used as Alias targets. Configure the distribution to forward the incoming Host: header to the origin, as well as any other headers you want to forward. Then, you should be able to create your wildcard Alias A record, pointing to the CloudFront distribution, which will forward requests to the beanstalk app.
The problem you're having is an issue with the rules of DNS, which forbid a CNAME record where another record exists.
If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different. This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.
Is there a particular reason that you want to have a wildcard MX record? I can't see any situation where it provides a benefit, yet many where it would be a very bad idea! (Particularly, it makes any host on the network a viable target to send spam from, as any host on that can resolve to the domain has permission to send.)
If you explicitly name your MX records you can have a CNAME wildcard (actually I might need to check that! but I do believe so)
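The rules cited across these answers (no CNAME at the apex, no other data beside a CNAME, no wildcard expansion in a CNAME target) written as an added zone check; it is not code from any of the posts. `lint_zone` is a hypothetical helper name and the SAMPLE records are constructed from hostnames used on this page.

```python
from collections import defaultdict

def lint_zone(apex, records):
    """Return sorted (owner, finding) pairs for CNAMEs that break DNS rules
    or will not resolve the way the record suggests."""
    by_owner = defaultdict(list)
    for owner, rtype, value in records:
        by_owner[owner.lower()].append((rtype.upper(), value.lower()))
    findings = []
    for owner, rrs in by_owner.items():
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            continue
        if owner == apex.lower():
            findings.append((owner, "CNAME at zone apex"))
        # RFC 1034: a node that has a CNAME carries no other data.
        # DNSSEC's RRSIG/NSEC are the permitted exceptions.
        others = sorted({t for t, _ in rrs} - {"CNAME", "RRSIG", "NSEC"})
        if others:
            findings.append((owner, "CNAME coexists with " + ",".join(others)))
        if len(cnames) > 1:
            findings.append((owner, "multiple CNAME records"))
        for target in cnames:
            # '*' is only special in an owner name; in a target it is literal.
            if "*" in target.split("."):
                findings.append((owner, "literal '*' label in CNAME target " + target))
    return sorted(findings)

# Constructed sample zone combining the mistakes discussed on this page.
SAMPLE = [
    ("mydomain.com.", "SOA", "ns1.example. hostmaster.example. 1 7200 900 1209600 300"),
    ("mydomain.com.", "NS", "ns1.example."),
    ("mydomain.com.", "CNAME", "bucket.s3-website.example."),
    ("mydomain.com.", "MX", "10 mail.example."),
    ("www.mydomain.com.", "CNAME", "mydomain.com."),
    ("*.mydomain.com.", "CNAME", "myserver-app.elasticbeanstalk.com."),
    ("*.mydomain.com.", "MX", "10 XXYY.in1.mandrillapp.com."),
    ("*.foo.mydomain.com.", "CNAME", "*.baz.qux."),
]

if __name__ == "__main__":
    for owner, finding in lint_zone("mydomain.com.", SAMPLE):
        print(f"{owner:22} {finding}")
```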