Route 53
AWS DNS service offering.
TL;DR
Amazon-provided DNS servers for a VPC use the IP address at the base of that VPC network range plus 2.
E.g., if the CIDR range for a VPC is 10.0.0.0/16, the IP address of the DNS server is 10.0.0.2.
E.g., if the CIDR range for a VPC is 172.31.0.0/16, the IP address of the DNS server is 172.31.0.2.
Usage
# List hosted zones.
aws route53 list-hosted-zones
Split-view DNS
A.k.a. split-horizon DNS.
Allows resolving the same domain name to both private and public records.
The resolver will serve the private record when the request comes from inside an associated VPC, and the public
one for requests coming from outside of them.
Procedure:
- Enable DNS resolution and DNS hostnames for any VPC involved.
- Create both public and private hosted zones with the same namespace (e.g., example.org).
  Split-view DNS is supposed to still work when using an external DNS service for the public hosted zone.
- Associate one or more involved VPCs with the private hosted zone.
  Route 53's Resolver will use the private hosted zone to resolve DNS queries originating from those VPCs.
- Create records in each hosted zone.
  Records in the private hosted zone will resolve requests that originate from inside the associated VPCs.
  Records in the public hosted zone will resolve requests that originate from outside the associated VPCs.
- Use Route 53's Resolver to perform name resolution for both the associated VPCs and on-premises workloads.
Queries for DNS records that do not exist in the private hosted zone will not be forwarded to the public hosted zone
using the same namespace.
As such, queries for public DNS records (those that do not have a private record for the same name) coming from
inside VPCs associated with the private hosted zone will not resolve, and will get NXDOMAIN errors instead.
Resolve public DNS records from VPCs associated with private hosted zones by replicating all those public records in
the private hosted zone, alongside the private records.
Any query for a public DNS record will then be resolved from the private hosted zone using the same namespace.
Hosted zones have overlapping namespaces
When hosted zones (private or public) have overlapping namespaces, e.g. example.org and accounting.example.org,
VPC Resolver checks the one that has the most specific match, and will ignore the rest.
If a VPC Resolver rule exists for the same namespace as a hosted zone, the rule takes precedence over the hosted zone.
Example: resolution from an EC2 instance
Consider an EC2 instance in a VPC associated with a private hosted zone.
VPC Resolver handles DNS queries from that instance as follows:
- VPC Resolver evaluates whether the name of the private hosted zone matches the domain name in the request.
  A match is defined as one of the following (either-or):
  - The requested domain name is an identical match.
  - The namespace of the private hosted zone is a parent of the domain name in the request.
    E.g., vancouver.accounting.example.org would match accounting.example.org and example.org.
- If no private hosted zone matches, VPC Resolver forwards the request to a public DNS resolver and the request is treated as a regular DNS query.
- If a private hosted zone name matches the domain name in the request, that hosted zone is searched for a record matching the request's domain name and DNS type, e.g. an A record for accounting.example.org.
Important
If the private hosted zone does match, but contains no record matching the request's domain name and type, VPC Resolver will not forward the request to a public DNS resolver.
Instead, it will return an NXDOMAIN (non-existent domain) error to the client.
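The resolution order above, the most-specific-match rule for overlapping namespaces, and the split-view NXDOMAIN pitfall (with the replicate-public-records mitigation), as an added simulation in Python. This is not AWS or Route 53 code; the zone names, records and addresses are constructed for the example.

```python
# Added example (not AWS code): simulates how VPC Resolver picks a private hosted
# zone and why split-view queries can return NXDOMAIN. All names are constructed.
from typing import Dict, Optional, Tuple

Record = Tuple[str, str]  # (record name, DNS type)

# Constructed private hosted zones associated with the VPC, keyed by zone name.
PRIVATE_ZONES: Dict[str, Dict[Record, str]] = {
    "example.org": {
        ("www.example.org", "A"): "10.0.1.10",
        # Placed in the parent zone, but the name belongs to the child zone below.
        ("vancouver.accounting.example.org", "A"): "10.0.1.99",
    },
    "accounting.example.org": {("ledger.accounting.example.org", "A"): "10.0.2.20"},
}
# Constructed public records: the public example.org zone plus an unrelated domain.
PUBLIC_DNS: Dict[Record, str] = {
    ("www.example.org", "A"): "203.0.113.10",
    ("blog.example.org", "A"): "203.0.113.11",  # public only, no private twin
    ("api.example.net", "A"): "198.51.100.5",
}

def matching_zone(qname: str, zones: Dict[str, Dict[Record, str]]) -> Optional[str]:
    """Most specific zone whose name equals qname or is a parent of it; the less
    specific overlapping zones are ignored. None when no zone matches."""
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None

def resolve(qname: str, qtype: str) -> Tuple[str, Optional[str]]:
    """Resolve a query sent from the associated VPC.
    Returns (outcome, value) with outcome 'private', 'public' or 'NXDOMAIN'."""
    zone = matching_zone(qname, PRIVATE_ZONES)
    if zone is None:
        # No private zone matches: forwarded to public DNS as a regular query.
        value = PUBLIC_DNS.get((qname, qtype))
        return ("public", value) if value else ("NXDOMAIN", None)
    # A private zone matched: only that zone is searched; a missing record is
    # never forwarded to the public zone that shares the namespace.
    value = PRIVATE_ZONES[zone].get((qname, qtype))
    return ("private", value) if value else ("NXDOMAIN", None)

def replicate_public_records() -> None:
    """Mitigation from the text: copy each public record whose name falls under
    a private hosted zone into that zone, keeping existing private records."""
    for (name, rtype), value in PUBLIC_DNS.items():
        zone = matching_zone(name, PRIVATE_ZONES)
        if zone is not None:
            PRIVATE_ZONES[zone].setdefault((name, rtype), value)
```

Before `replicate_public_records()` runs, `blog.example.org` is shadowed by the private `example.org` zone and gets NXDOMAIN even though a public record exists; afterwards it resolves from the private zone.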
Delegate responsibility for subdomains
Create NS records in a private hosted zone to delegate responsibility for a subdomain.
Refer to the Resolver delegation rules tutorial.