I would like to monitor all outgoing DNS queries originating from resources within my VPC. For example, I would like to log all DNS queries originating from a specific EC2 instance. Is this possible?
I have looked into Route53 (early beginner to AWS), and from what I understand, using this I can only monitor my private domains for incoming queries. Is it possible to monitor outgoing queries?
As far as I know, AWS doesn't have this as a feature right now. One solution that I've worked with before is having dnsmasq (a lightweight DNS cache/proxy) installed on every instance, configuring the machine to forward requests to dnsmasq first, and then consolidating your machines' dnsmasq logs in one place.
Currently there isn't any way.
The .2 VPC DNS server queries don't log into VPC Flow Logs, so you can't see anything there.
From the AWS announcement of 27 August 2020:
https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
"The Amazon Route 53 team has just launched a new feature called Route 53 Resolver Query Logs, which will let you log all DNS queries made by resources within your Amazon Virtual Private Cloud (VPC). Whether it’s an Amazon Elastic Compute Cloud (Amazon EC2) instance, an AWS Lambda function, or a container, if it lives in your Virtual Private Cloud and makes a DNS query, then this feature will log it; you are then able to explore and better understand how your applications are operating."
Therefore, if you use AmazonProvidedDNS (Amazon Route 53 Resolver) for DNS, you can now use the above option. The log contains a "srcaddr" field to find the source (e.g. an EC2 instance) of the DNS lookup.
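As an added example (not code from either of the answers above), the following Python script consolidates both log sources described in this thread into one per-source view: dnsmasq `log-queries` syslog lines shipped from each instance (the per-instance approach) and Route 53 Resolver query log records (the managed feature), using the record's `srcids.instance` or `srcaddr` field as the source. The sample syslog lines and JSON records are constructed for this example, with placeholder host, instance, VPC and account IDs; the field names follow the dnsmasq query-log and Resolver query-log formats.

```python
import json
import re
from collections import defaultdict

# Constructed sample: syslog lines shipped from two instances running dnsmasq with
# `log-queries` enabled. The syslog host field identifies the instance, since dnsmasq
# on each box only ever sees 127.0.0.1 as its client.
DNSMASQ_LINES = """\
Aug 27 10:15:02 ip-10-0-1-23 dnsmasq[1234]: query[A] api.example.com from 127.0.0.1
Aug 27 10:15:02 ip-10-0-1-23 dnsmasq[1234]: forwarded api.example.com to 10.0.0.2
Aug 27 10:15:02 ip-10-0-1-23 dnsmasq[1234]: reply api.example.com is 203.0.113.10
Aug 27 10:15:05 ip-10-0-2-77 dnsmasq[998]: query[AAAA] updates.example.net from 127.0.0.1
Aug 27 10:15:09 ip-10-0-1-23 dnsmasq[1234]: query[TXT] abc123.exfil.example.org from 127.0.0.1
"""

# Constructed sample: two Route 53 Resolver query log records. Field names follow the
# documented log format; the account, VPC and instance IDs are placeholders.
RESOLVER_RECORDS = [
    {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
     "vpc_id": "vpc-0example", "query_timestamp": "2020-08-27T10:15:02Z",
     "query_name": "api.example.com.", "query_type": "A", "query_class": "IN",
     "rcode": "NOERROR", "answers": [{"Rdata": "203.0.113.10", "Type": "A", "Class": "IN"}],
     "srcaddr": "10.0.1.23", "srcport": "53901", "transport": "UDP",
     "srcids": {"instance": "i-0aaaaaaaaaaaaaaa0"}},
    {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
     "vpc_id": "vpc-0example", "query_timestamp": "2020-08-27T10:15:09Z",
     "query_name": "abc123.exfil.example.org.", "query_type": "TXT", "query_class": "IN",
     "rcode": "NXDOMAIN", "answers": [],
     "srcaddr": "10.0.1.23", "srcport": "41022", "transport": "UDP",
     "srcids": {"instance": "i-0aaaaaaaaaaaaaaa0"}},
]

# Only the "query[TYPE] name from client" lines carry a lookup; forwarded/reply/cached
# lines are bookkeeping and are skipped.
DNSMASQ_QUERY = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\sdnsmasq\[\d+\]:\s"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s(?P<qname>\S+)\sfrom\s(?P<client>\S+)$"
)


def parse_dnsmasq(text):
    """Return (source, qname, qtype) tuples from dnsmasq query lines, source = syslog host."""
    out = []
    for line in text.splitlines():
        m = DNSMASQ_QUERY.match(line)
        if m:
            out.append((m.group("host"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return out


def parse_resolver(records):
    """Normalize Route 53 Resolver query log records (dicts or JSON strings) to
    (source, qname, qtype). srcids.instance is preferred, falling back to srcaddr."""
    out = []
    for r in records:
        if isinstance(r, str):
            r = json.loads(r)
        src = r.get("srcids", {}).get("instance") or r["srcaddr"]
        out.append((src, r["query_name"].rstrip(".").lower(), r["query_type"]))
    return out


def queries_by_source(events):
    """Group normalized events into {source: sorted list of (qname, qtype)}."""
    grouped = defaultdict(set)
    for src, qname, qtype in events:
        grouped[src].add((qname, qtype))
    return {src: sorted(v) for src, v in grouped.items()}


def sources_querying(events, qname):
    """The question asked: which sources looked up a given name?"""
    wanted = qname.rstrip(".").lower()
    return sorted({src for src, name, _ in events if name == wanted})


if __name__ == "__main__":
    events = parse_dnsmasq(DNSMASQ_LINES) + parse_resolver(RESOLVER_RECORDS)
    for src, names in queries_by_source(events).items():
        print(src, names)
    print("asked for abc123.exfil.example.org:", sources_querying(events, "abc123.exfil.example.org"))
```

The two sources key their results differently (syslog hostname versus instance ID), so if you run both, join them through your inventory; the Resolver records are the better choice when available because they cover Lambda and container workloads that never run dnsmasq.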
I created a load balancer with a network endpoint group to allow Cloud Armor policies to be applied to one of my Cloud Run services. I needed that for whitelisting IPs.
So now I have the IP given by the load balancer, and I want it mapped to a domain I acquired.
The problem is that I have no idea what the A records for this IP are called or how they are used.
How can I figure this out? I know when using Cloud Run I can choose the Managed Custom Domain section; however, this only helps me to map Cloud Run services to domains and not a custom load balancer IP.
Then you should use the front-end IP address of your LB as the A record in your DNS. If you are managing and hosting the DNS records for your domain via GCP, you can refer to this documentation on how to add a record.
To verify that your A record has been updated, you may use this tool. Normally it takes up to 48 to 72 hours for the changes to propagate.
I'm not sure if this is the right place to ask this. If it's not, kindly refer me to the most appropriate place.
I need to have customized domain names for my clients but only one instance of the web app. Is this possible? How do I go about this?
The answer may simply be yes, but it's not up to AWS; it's up to the DNS for the domains you plan to use. All the application running on the AWS IP address has to do is not reject the domain names given to the web server stack in its configuration.
You can create as many domain names as you like to point to a single IP address using AWS Route 53 hosted zones. You can create multiple A records in Route 53, or you can utilise alias records.
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.
Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS. You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints. Amazon Route 53 Traffic Flow makes it easy for you to manage traffic globally through a variety of routing types, including Latency Based Routing, Geo DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in order to enable a variety of low-latency, fault-tolerant architectures. Using Amazon Route 53 Traffic Flow’s simple visual editor, you can easily manage how your end-users are routed to your application’s endpoints—whether in a single AWS region or distributed around the globe. Amazon Route 53 also offers Domain Name Registration – you can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure DNS settings for your domains.
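The DNS side of the answers above is just several records pointing at one address. The application side, "not rejecting the domain names given to the web server stack", is where the security decision lives, so here is an added example (not code from either answer) of a single WSGI application serving several client domains by Host header against an allowlist, and refusing any host it does not know. The hostnames and tenant names are constructed for the example.

```python
# Constructed mapping of customer-facing hostnames to tenants. In production this
# would come from configuration or a database; these names are placeholders.
TENANTS_BY_HOST = {
    "app.example.com": "default",
    "portal.client-one.example": "client-one",
    "www.client-two.example": "client-two",
}


def tenant_for_host(host_header):
    """Map the Host header to a tenant, or None if the host is not on the allowlist.
    The port is stripped, the name lower-cased and a trailing dot removed, so
    'Portal.Client-One.Example:443' and 'portal.client-one.example' agree."""
    if not host_header:
        return None
    host = host_header.strip().lower().rstrip(".")
    if host.startswith("["):  # IPv6 literal such as [::1]:8080 is never a tenant name
        return None
    host = host.split(":", 1)[0]
    return TENANTS_BY_HOST.get(host)


def application(environ, start_response):
    """One process serves every tenant; the tenant is chosen by the Host header."""
    tenant = tenant_for_host(environ.get("HTTP_HOST"))
    if tenant is None:
        # Refuse unknown hosts instead of falling back to a default tenant. Serving
        # whatever Host the client sends is what enables Host-header injection
        # (e.g. password-reset links built from Host) and cache poisoning.
        start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
        return [b"unknown host\n"]
    body = f"tenant={tenant} path={environ.get('PATH_INFO', '/')}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def handle(host, path="/"):
    """Drive `application` without a server; returns (status, body) for checks."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application({"HTTP_HOST": host, "PATH_INFO": path}, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    # Local run: point the hostnames above at 127.0.0.1 in /etc/hosts to try them.
    with make_server("127.0.0.1", 8080, application) as httpd:
        httpd.serve_forever()
```

The same rule applies whatever sits in front of the app: nginx `server_name`, Apache `ServerName`, or Django's `ALLOWED_HOSTS` should list exactly the client domains in Route 53, so that a request arriving with any other Host is rejected rather than routed to the first virtual host.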
I have successfully built a VPN connection between GCP and AWS using the following guide (https://cloud.google.com/solutions/automated-network-deployment-multicloud).
I can currently ping the resources on the other cloud provider based on the private IP. However, I would like to use DNS resolution that resolves AWS resource DNS names to their private IPs. Can someone please help me with this? Using a DNS server policy may not be the best option for me, as it points to the alternative name server only and not to GCP's internal name servers anymore. So how can I use forwarding zones in GCP for DNS names such as database-test.c34fdgt1ascxz.us-west-1.rds.amazonaws.com so that they resolve to a private IP? The above example is for a database which I have not made public. Has someone done this already? Or does anyone have any idea on how to go about this? Any help is much appreciated, thank you so much.
It is possible.
If your goal is to configure outbound forwarding to AWS, then you should remove that policy; you just need a Cloud DNS managed zone to accomplish this.
The DNS queries that are forwarded from GCP to AWS will come from the 35.199.192.0/19 address block.
The 35.199.192.0/19 traffic can be routed over a dynamic (BGP) VPN tunnel, so you would just need to modify your AWS VPN gateway or router by adding a route to reach 35.199.192.0/19.
It looks like a public address block, but Google uses this block only for forwarding, and does not announce it on the public Internet.
And finally, AWS needs to be configured so that responses to DNS queries from 35.199.192.0/19 are routed back to GCP using the VPN tunnel configured between AWS and GCP.
In other words, this traffic needs to go through the VPN tunnel.
To debug it you can use Stackdriver Logging and also check network captures on both endpoints.
Check these documentation guides: Creating forwarding zones and DNS forwarding.
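The two things the answer above says AWS must provide are a return route for 35.199.192.0/19 over the VPN and, implicitly, a DNS listener that accepts queries from that block. As an added example (not from the answer or from Google's guide), here is a Python precheck that evaluates the AWS side from data in the shape returned by boto3 `describe_route_tables` and `describe_security_groups`. It assumes the forwarding target in AWS is a Route 53 Resolver inbound endpoint or a DNS server guarded by a security group; the route and security-group samples are constructed, with placeholder gateway and VPC IDs.

```python
import ipaddress

# Google forwards from this block only; it is not announced on the public Internet,
# so an answer sent via the IGW is simply lost.
GCP_FORWARDER_BLOCK = ipaddress.ip_network("35.199.192.0/19")
DNS_PORT = 53

# Constructed sample shaped like ec2.describe_route_tables()["RouteTables"][0]["Routes"].
# The /19 here arrives through BGP route propagation from the virtual private gateway.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active",
     "Origin": "CreateRouteTable"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active",
     "Origin": "CreateRoute"},
    {"DestinationCidrBlock": "35.199.192.0/19", "GatewayId": "vgw-0example", "State": "active",
     "Origin": "EnableVgwRoutePropagation"},
]

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"][0]["IpPermissions"]
# for the group attached to the inbound endpoint (or DNS server) that GCP forwards to.
SAMPLE_INGRESS = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "35.199.192.0/19"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "35.199.192.0/19"}]},
]


def route_for(routes, dest):
    """Longest-prefix match: the active IPv4 route covering `dest`, or None."""
    dest = ipaddress.ip_network(str(dest))
    best = None
    for r in routes:
        cidr = r.get("DestinationCidrBlock")
        if not cidr or r.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def return_path_via_vpn(routes, forwarder_block=GCP_FORWARDER_BLOCK):
    """True only if replies to the forwarder block leave through a VGW or transit gateway,
    i.e. the VPN, rather than being swallowed by the default route to the IGW."""
    r = route_for(routes, forwarder_block)
    if r is None:
        return False
    gw = r.get("GatewayId") or r.get("TransitGatewayId") or ""
    return gw.startswith(("vgw-", "tgw-"))


def _rule_allows(rule, proto, port, src):
    """Does one IpPermissions entry admit `src` on proto/port? '-1' means all traffic."""
    if rule.get("IpProtocol") not in (proto, "-1"):
        return False
    if rule.get("IpProtocol") != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    return any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule.get("IpRanges", []))


def dns_ingress(ingress, forwarder_block=GCP_FORWARDER_BLOCK):
    """Per transport: is DNS admitted from the forwarder block, and is the rule wider
    than needed (open to the whole Internet)? Both UDP and TCP 53 matter: large
    answers and zone-style lookups fall back to TCP."""
    everyone = ipaddress.ip_network("0.0.0.0/0")
    report = {}
    for proto in ("udp", "tcp"):
        report[proto] = {
            "allowed": any(_rule_allows(r, proto, DNS_PORT, forwarder_block) for r in ingress),
            "open_to_internet": any(_rule_allows(r, proto, DNS_PORT, everyone) for r in ingress),
        }
    return report


def check_aws_side(routes, ingress):
    """Combine both checks; returns (ok, list of findings)."""
    findings = []
    if not return_path_via_vpn(routes):
        findings.append("no active route sending 35.199.192.0/19 back over the VPN (vgw-/tgw-)")
    for proto, r in dns_ingress(ingress).items():
        if not r["allowed"]:
            findings.append(f"{proto}/53 not allowed from 35.199.192.0/19")
        if r["open_to_internet"]:
            findings.append(f"{proto}/53 open to 0.0.0.0/0; restrict it to 35.199.192.0/19")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_aws_side(SAMPLE_ROUTES, SAMPLE_INGRESS)
    print("OK" if ok else "\n".join(findings))
```

Run it against the real objects by replacing the two samples with the `Routes` list of the route table attached to the subnet hosting the DNS target and the `IpPermissions` of its security group; a packet capture on the AWS side showing queries arriving but no replies leaving through the tunnel is the symptom the route check is meant to catch before you get there.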
You can't resolve AWS private IP addresses by submitting the AWS public endpoint to GCP's DNS. That just won't work.
AWS uses a service called Route 53 Resolver that will forward requests that can't be resolved internally to an external DNS server that you specify. We use this in our environments to resolve on-prem corp IPs that are not part of Route 53. I have not tried this, but it's possible you can use that to point to GCP DNS.
I have worked with several godaddy domains in the past. But, for the new project infrastructure I wish to setup, I am planning on registering domain names from the new Amazon's Route 53 - Domain Registration.
My question is do I also need to pay for their DNS Service?
In the past I used to configure hosted zones (CNAME records) from the GoDaddy console, but never paid anything extra.
How will relying on Amazon affect me in terms of cost and maintenance?
Update: Alright, it looks like Amazon doesn't charge for DNS queries routed to their own internal services. Refer here: Route 53 Docs - DNS Service
If somebody is using Amazon Route 53 - Domain Name and their DNS, please let me know if/how you got charged for using their DNS Service.
From the documentation, notice the final step listed for registering a domain when you want to use an external DNS hosting provider:
(Optional) Delete the hosted zone that Amazon Route 53 created automatically when you registered your domain. This prevents you from being charged for a hosted zone that you aren't using. (emphasis added)
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html
Regarding other providers' pricing practices:
In the past I used to configure hosted zones (CNAME records) from the GoDaddy console, but never paid anything extra.
That's fine, but you're looking at this situation upside-down. The two services -- domain registration and DNS hosting -- are separate services, but GoDaddy and many other registrars don't give you an option not to pay for DNS hosting, even if you don't use it -- it's built into their domain registration pricing. AWS tends to unbundle service components so that you only pay for the components you use.
If you are hosting services in AWS, using S3, CloudFront, or Elastic Load Balancer, you will find that Route 53's DNS hosting is the preferable option, because of the way resource records work at the apex of a domain due to the design of DNS itself. Route 53 is integrated with the other services to allow failover and redundant DNS configuration in a way that can't be accomplished with most external DNS providers.
Yes, you can use a third-party DNS service with domains registered in Route 53 (you just have to add the appropriate name servers).
About the pricing, it is all explained in detail here. Keep in mind that although queries to alias records that are mapped to Elastic Load Balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, and Amazon S3 website buckets are free, that does not apply to other AWS resources, including Amazon EC2 instances and Amazon RDS databases.
Also, you will be charged a fixed monthly amount for each hosted zone.
Ok, so our setup is as follows:
We have a VPC with some instances in it. For most of the traffic, we want to go back to our existing physical hosting centre and from there to the internet with our NATed public IP, since we are dependent on this IP being whitelisted.
The remaining traffic needs to go through the local IGW, because it is high volume. Some of this is going to specific IPs, so we have added those to the routing tables. The rest is going to other Amazon web services, like Kinesis and DynamoDB. These services all have multiple IPs associated with them, and those can change at the discretion of Amazon. This means that just resolving the DNS locally and then adding it to the routing table won't work, at least not in a robust manner.
So is there any nice way of doing this?
You can use service endpoints and route through them.