Consolidating DNS with Amazon Route 53 - Pop-up Loft Tel Aviv

Post on 25-Jan-2017


TRANSCRIPT

Consolidating DNS with Amazon Route 53

Steve Seymour, Specialist Solutions Architect

Agenda

• Why should I do this? Why is now the right time?
• Cost
• Simplicity
• Single view
• API management
• Basic DNS use cases
• Advanced private DNS

[Diagram: example.com served by public DNS (Route 53 public zones), Route 53 private zones and Route 53 health checks, alongside third-party monitoring, system monitoring and internal DNS]

Basic DNS use cases

Bulk transfer domains

1. Export DNS to Route 53
2. Delegate to Route 53
3. Transfer domains to Route 53

Order matters for availability!

Export DNS

Highly dependent on your existing DNS provider. Two examples:

• GoDaddy: “DNS Zone File” tab with an “Export (UNIX)” format
• BIND: typically in /var/named/chroot/var/named
• Use cli53 to import: https://github.com/barnybug/cli53

Export DNS

# assuming we have files in the format [domain].zone, we can do this:

#!/bin/sh
for zonefile in *.zone; do
  # the hosted zone name is the file name without the .zone suffix
  domain=$(basename "$zonefile" .zone)
  # create the hosted zone, then load the exported records into it
  cli53 create "$domain" --comment 'bulk'
  cli53 import "$domain" --file "$zonefile"
done

Delegate to Route 53

• This step is registrar dependent.
• Namecheap example:

https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.dns.setCustom&ClientIp=192.168.1.109&SLD=domain&TLD=com&NameServers=ns-425.awsdns-53.com,ns-793.awsdns-35.net,ns-1049.awsdns-03.org,ns-1692.awsdns-19.co.uk

Delegate to Route 53

• Check that you’re actually delegated (dig +trace)

$ dig +trace awsarchitectureblog.com
…
. 505108 IN NS k.root-servers.net.
…
com. 172800 IN NS …
…
awsarchitectureblog.com. 172800 IN NS ns-425.awsdns-53.com.
awsarchitectureblog.com. 172800 IN NS ns-793.awsdns-35.net.
awsarchitectureblog.com. 172800 IN NS ns-1049.awsdns-03.org.
awsarchitectureblog.com. 172800 IN NS ns-1692.awsdns-19.co.uk.

• Wait for TTLs to expire
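To make the dig +trace check repeatable across a bulk migration, here is an added example (not code from the talk) that parses dig +trace output and compares the NS set handed out by the parent zone with the four Route 53 name servers from the slide; the sample trace is constructed. Anything reported as missing means the delegation is only partial, so transferring that domain now would cost availability.

```python
import re

# Route 53 name servers assigned to the hosted zone (the four shown on the slide).
ROUTE53_NS = {"ns-425.awsdns-53.com.", "ns-793.awsdns-35.net.",
              "ns-1049.awsdns-03.org.", "ns-1692.awsdns-19.co.uk."}

# Constructed sample of `dig +trace awsarchitectureblog.com`, abbreviated like the slide.
SAMPLE_TRACE = """\
.\t505108\tIN\tNS\tk.root-servers.net.
;; Received 239 bytes from 10.0.0.2#53(10.0.0.2) in 1 ms

com.\t172800\tIN\tNS\ta.gtld-servers.net.
;; Received 500 bytes from 193.0.14.129#53(k.root-servers.net) in 20 ms

awsarchitectureblog.com. 172800\tIN\tNS\tns-425.awsdns-53.com.
awsarchitectureblog.com. 172800\tIN\tNS\tns-793.awsdns-35.net.
awsarchitectureblog.com. 172800\tIN\tNS\tns-1049.awsdns-03.org.
awsarchitectureblog.com. 172800\tIN\tNS\tns-1692.awsdns-19.co.uk.
;; Received 200 bytes from 192.5.6.30#53(a.gtld-servers.net) in 30 ms
"""

# dig prints one of these after each hop: ";; Received N bytes from IP#53(name) in T ms"
RECEIVED_RE = re.compile(r"^;; Received .* from \S+?\((?P<server>[^)]+)\)")


def parent_delegation(trace_output, domain):
    """Return (answering server, NS set) for the first hop that hands out NS
    records for `domain`: that is the parent zone's referral, which is the
    delegation every resolver on the internet follows."""
    owner = domain.rstrip(".").lower() + "."
    pending = set()
    for line in trace_output.splitlines():
        hop = RECEIVED_RE.match(line)
        if hop:
            if pending:
                return hop.group("server"), pending
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[0].lower() == owner and fields[3] == "NS":
            pending.add(fields[4].lower())
    return None, pending


def delegation_report(trace_output, domain, expected=ROUTE53_NS):
    """Compare the parent's referral with the Route 53 NS set. Anything in
    'missing' means the delegation still partly points at the old provider,
    so transferring the domain now would cost availability."""
    server, actual = parent_delegation(trace_output, domain)
    return {"answered_by": server, "delegated": actual == expected,
            "missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}
```

Feed it the real output of `dig +trace <domain>` per domain and only move on to the transfer step once every report shows delegated.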

Transfer domains

• Also registrar dependent, but you will want to unlock your domains and obtain authorization codes.

• Namecheap example:
• Unlock:

https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.setRegistrarLock&ClientIp=192.168.1.109&DomainName=example.com&LockAction=unlock

• Obtain authorization codes (depends on the registrar; GoDaddy has a bulk download option)

Transfer domains

#!/usr/bin/ruby
require 'csv'
require 'aws-sdk-core'

# the Route 53 Domains API is served from us-east-1
route53domains = Aws::Route53Domains::Client.new(region: 'us-east-1')

# one domain per row, with the authorization code obtained from the old registrar
CSV.foreach("authcodes.csv") do |row|
  route53domains.transfer_domain(...  # remaining arguments elided on the slide
end

[Diagram: example.com with Route 53 public zones, internal DNS, system monitoring and third-party monitoring]

Take advantage of AWS integration

• ALIAS
• Health checks and DNS failover
• Calculated health checks
• Latency measurements

[Diagram: example.com with Route 53 public zones, Route 53 health checks and internal DNS]

Set up private DNS

$ cli53 import example.integ --file example.integ.zone

[Diagram: example.com with Route 53 public zones, Route 53 private zones and Route 53 health checks]

Advanced private DNS

Using in-VPC resolver

What we can’t do with the gateway+2 (e.g. 10.0.0.2):

• Private DNS combines the resolver and authority – this means you can’t treat it as an authoritative server
• Delegation back via NS records doesn’t work

On-premises to cloud

[Diagram: Resolver, +2 Resolver, Route 53 Authority; query Q, steps 1-6]

On-premises to cloud

[Diagram: Resolver, Forwarder, +2 Resolver, Route 53 Authority; query Q, steps 1-8]

Set up unbound as the forwarder

$ sudo apt-get install unbound

/etc/unbound/unbound.conf:

server:
  ...
  interface: 0.0.0.0
  interface: ::0
  access-control: 0.0.0.0/0 allow
  ...

$ sudo unbound-control reload

Set up unbound as the forwarder

forward-zone:
  name: "."
  forward-addr: 10.0.0.2

AWS Directory Service as the forwarder

• Fully managed on your behalf
• If you want to utilize Active Directory in your VPC, you also get to take advantage of that as well

Set up Active Directory

Example

$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ad.cloud.zen
nameserver 10.0.1.114
nameserver 10.0.2.135

Example

$ dig TXT example.cloud.zen

;; QUESTION SECTION:
;example.cloud.zen. IN TXT

;; ANSWER SECTION:
example.cloud.zen. 60 IN TXT "hello world"

;; Query time: 4 msec
;; SERVER: 10.0.1.114#53(10.0.1.114)

Active Directory and Route 53 Private DNS

• Manage all non-AD names in Private DNS (because it will fall through)
• API endpoint in Route 53
• Zones can cross regions with private DNS

[Diagram: Resolver, Forwarder, +2 Resolver, Route 53 Authority; query Q, steps 1-8]

BIND configuration

options {
  ...
  forwarders { 10.0.1.114; 10.0.2.135; };
  forward only; # depending on your configuration
};

zone "cloud.zen" {
  type forward;
  forwarders { 10.0.1.114; 10.0.2.135; };
};

Unbound configuration

forward-zone:
  name: "."
  forward-addr: 10.0.1.114
  forward-addr: 10.0.2.135

forward-zone:
  name: "cloud.zen"
  forward-addr: 10.0.1.114
  forward-addr: 10.0.2.135  # the slide reads 10.0.0.135; the second Directory Service DNS address is 10.0.2.135 everywhere else in the deck
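Both unbound forwarder configurations in this deck (the +2 forwarder earlier and the Directory Service one above) pair interface: 0.0.0.0 with access-control: 0.0.0.0/0 allow, which turns the host into an open resolver for any network that can reach it. The following added example (not code from the talk; the VPC CIDR and the zone layout are assumptions) renders the same forwarder config with access limited to the VPC and checks an existing config for the catch-all allow rule.

```python
import ipaddress

# Constructed inputs: the VPC CIDR is an assumption; the +2 resolver and the two
# Directory Service DNS addresses are the ones used in the deck.
VPC_CIDR = "10.0.0.0/16"
PLUS_TWO = "10.0.0.2"
AD_DNS = ["10.0.1.114", "10.0.2.135"]


def render_unbound_conf(allowed_networks, default_forwarders, conditional_zones=None):
    """Emit the forwarder config from the deck, but answering only the given
    networks: everything else is refused instead of 0.0.0.0/0 allow. Unbound
    applies the most specific access-control match, so the /16 wins over /0."""
    lines = ["server:", "  interface: 0.0.0.0", "  interface: ::0",
             "  access-control: 0.0.0.0/0 refuse", "  access-control: ::0/0 refuse"]
    for net in allowed_networks:  # ip_network() rejects malformed entries early
        lines.append(f"  access-control: {ipaddress.ip_network(net)} allow")
    zones = [(".", default_forwarders)] + sorted((conditional_zones or {}).items())
    for name, addrs in zones:  # "." is the catch-all; named zones go to AD DNS
        lines += ["", "forward-zone:", f'  name: "{name}"']
        lines += [f"  forward-addr: {ipaddress.ip_address(a)}" for a in addrs]
    return "\n".join(lines) + "\n"


def audit_access_control(conf_text):
    """Return access-control networks that allow every client; combined with
    interface: 0.0.0.0 on a reachable host that is an open resolver."""
    broad = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "access-control:" and parts[2] == "allow":
            if ipaddress.ip_network(parts[1], strict=False).prefixlen == 0:
                broad.append(parts[1])
    return broad
```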

Flatten your zones instead of subdelegating

[Diagram: Resolver, Forwarder, +2 Resolver, cloud.zen and sub.cloud.zen; query Q]

On-premises contains data not in private DNS

• Loop the query through on-premises
• Copy the data into private DNS
• Set up conditional forwarding in Active Directory

Queries from on-premises will see the data

[Diagram: Resolver, Forwarder, +2 Resolver, Route 53 Authority; query Q, steps 1-8]

Loop the query through on-premises for VPC

[Diagram: Resolver, Forwarder, +2 Resolver, Route 53 Authority; query Q, steps 1-8]

Copy the data into private DNS

• https://code.google.com/p/route53d/
• or cli53

route53d configuration excerpt:

[hostedzone]
## Enumerate the zone IDs for each hosted zone, e.g.:
# [hostedzone]
# foo.com = Z123
# baz.org = Z456

Copy the data into private DNS

[Diagram: Resolver, Forwarder, +2 Resolver, Route 53 Authority; query Q, steps 1-4]

Summary

• Consolidating your DNS infrastructure in the cloud is easy and simplifies management

• There are a number of ways to combine private DNS with an on-premises or existing DNS solution

• We’re aware of the limitations of the gateway+2 and are working toward resolving those limitations

Useful posts – blogs.aws.amazon.com/security

• … with Simple AD: amzn.to/1XJQ4Ht
• … with Microsoft AD: amzn.to/1p7o8C8

Steve Seymour, Specialist Solutions Architect
seymours@amazon.co.uk

@sseymour
