(net308) consolidating dns data in the cloud with amazon route 53
TRANSCRIPT
![Page 1: (NET308) Consolidating DNS Data in the Cloud with Amazon Route 53](https://reader034.vdocuments.us/reader034/viewer/2022042706/5879ca021a28abb42a8b6f65/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lee Zen, AWS Edge Services
October 2015
NET308
Consolidating DNS Data in the Cloud with Amazon Route 53
Page 2
Agenda
• Why should I do this? Why is now the right time?
• Cost
• Simplicity
• Single view
• API management
• Basic DNS use cases
• Advanced private DNS
Page 3
[Diagram labels: example.com; Third-party monitoring; System monitoring; Internal DNS; Public DNS; Route 53 public zones; Route 53 private zones; Route 53 health checks; example.com]
Page 4
Basic DNS use cases
Page 5
Bulk transfer domains
1. Export DNS to Route 53
2. Delegate to Route 53
3. Transfer domains to Route 53
Order matters for availability!
Page 6
Export DNS
Highly dependent on your existing DNS provider.
Two examples:
• GoDaddy
  • “DNS Zone File” tab with an “Export (UNIX)” format
• BIND
  • Typically in /var/named/chroot/var/named
  • Use cli53 to import
  • https://github.com/barnybug/cli53
Page 7
Export DNS
#!/bin/sh
# assuming we have files in the format [domain].zone, we can do this:
for zonefile in *.zone; do
  domain=$(basename "$zonefile" .zone)
  cli53 create "$domain" --comment 'bulk'
  cli53 import "$domain" --file "$zonefile"
done
Page 8
Delegate to Route 53
• This step is registrar dependent.
• Namecheap example:
  • https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.dns.setCustom&ClientIp=192.168.1.109&SLD=domain&TLD=com&NameServers=ns-425.awsdns-53.com,ns-793.awsdns-35.net,ns-1049.awsdns-03.org,ns-1692.awsdns-19.co.uk
Page 9
Delegate to Route 53
• Check that you’re actually delegated (dig +trace)
$ dig +trace awsarchitectureblog.com
…
. 505108 IN NS k.root-servers.net.
…
com. 172800 IN NS
…
awsarchitectureblog.com. 172800 IN NS ns-425.awsdns-53.com.
awsarchitectureblog.com. 172800 IN NS ns-793.awsdns-35.net.
awsarchitectureblog.com. 172800 IN NS ns-1049.awsdns-03.org.
awsarchitectureblog.com. 172800 IN NS ns-1692.awsdns-19.co.uk.
• Wait for TTLs to expire
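The delegation check above can be scripted so that nothing is transferred until the parent zone really points at Route 53. This is an added example, not code from the deck: it compares the NS records the parent (.com) publishes for a domain with the delegation set of the Route 53 hosted zone, and assumes dig and the AWS CLI are installed and that the domain has two labels (example.com); the hosted zone id in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the deck): confirm the parent zone delegates a
# domain to exactly the name servers of its Route 53 hosted zone before the
# registration is transferred. Assumes dig and the AWS CLI are installed
# and that the domain is a two-label name such as example.com.

# Normalise name server names (arguments, or whitespace-separated words):
# lower-case, trailing dot removed, blanks dropped, sorted, duplicates merged.
normalize_ns() {
  printf '%s\n' "$@" | tr ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' \
    | sed 's/\.$//' | grep -v '^$' | sort -u
}

# True when both lists are non-empty and name the same servers, regardless of
# case, order or trailing dots. Empty input (a failed lookup) never matches.
ns_sets_equal() {
  [ -n "$1" ] && [ -n "$2" ] &&
    [ "$(normalize_ns "$1")" = "$(normalize_ns "$2")" ]
}

# NS records the parent zone publishes for the domain, asked of one of the
# parent's own servers without recursion so a cached answer cannot mislead us.
delegated_ns() {
  parent_server=$(dig +short NS "${1#*.}." | head -n 1)
  dig +norecurse +noall +authority @"$parent_server" "$1" NS \
    | awk '$4 == "NS" { print $5 }'
}

# Name servers Route 53 assigned to the hosted zone (its delegation set).
hosted_zone_ns() {
  aws route53 get-hosted-zone --id "$1" \
    --query 'DelegationSet.NameServers' --output text
}

# usage: check_delegation example.com Z123EXAMPLE   (zone id is a placeholder)
check_delegation() {
  if ns_sets_equal "$(delegated_ns "$1")" "$(hosted_zone_ns "$2")"; then
    echo "OK: $1 is delegated to hosted zone $2; let the old NS TTL expire before transferring"
  else
    echo "MISMATCH: parent NS for $1 differ from the delegation set of hosted zone $2" >&2
    return 1
  fi
}
```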
Page 10
Transfer domains
• Also registrar dependent, but you will want to unlock your domains and obtain authorization codes.
• Namecheap example:
  • Unlock:
    https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.setRegistrarLock&ClientIp=192.168.1.109&DomainName=example.com&LockAction=unlock
  • Obtain authorization codes (depends on the registrar; GoDaddy has a bulk download option)
Page 11
Transfer domains
#!/usr/bin/env ruby
require 'csv'
require 'aws-sdk-core'

route53domains = Aws::Route53Domains::Client.new(region: 'us-east-1')
# authcodes.csv: one "domain,authcode" row per domain, with a header row
CSV.foreach('authcodes.csv', headers: true) do |row|
  route53domains.transfer_domain(
    domain_name: row['domain'],
    auth_code:   row['authcode']
    # plus duration_in_years and the admin, registrant and tech contacts
  )
end
Page 12
[Diagram labels: Third-party monitoring; System monitoring; Internal DNS; Route 53 public zones; example.com]
Page 13
Take advantage of AWS integration
• ALIAS
• Health checks and DNS failover
• Calculated health checks
• Latency measurements
Page 14
[Diagram labels: Internal DNS; Route 53 public zones; Route 53 health checks; example.com]
Page 15
Set up private DNS
$ cli53 import example.integ --file example.integ.zone
Page 16
[Diagram labels: Route 53 public zones; Route 53 private zones; Route 53 health checks; example.com]
Page 17
Advanced private DNS
Page 18
Using in-VPC resolver
• What we can’t do with the gateway+2 (e.g. 10.0.0.2)
• Private DNS combines the resolver and authority – this means you can’t treat it as an authoritative server
• Delegation back via NS records doesn’t work
Page 19
On-premises to cloud
[Diagram: an on-premises Resolver sending query Q toward the +2 Resolver and the Route 53 Authority; steps numbered 1 to 6]
Page 20
On-premises to cloud
[Diagram: an on-premises Resolver sending query Q through a Forwarder to the +2 Resolver and the Route 53 Authority; steps numbered 1 to 8]
Page 21
Set up unbound as the forwarder
$ sudo apt-get install unbound
/etc/unbound/unbound.conf:
server:
    ...
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    ...
$ sudo unbound-control reload
Page 22
Set up unbound as the forwarder
forward-zone:
    name: "."
    forward-addr: 10.0.0.2
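With interface: 0.0.0.0 and access-control: 0.0.0.0/0 allow, unbound answers every source that can reach port 53 on the instance, so the security group and this list together decide who can resolve private hosted zone names through the forwarder. As an added example (not from the deck), a check for that pattern in an unbound.conf and a rendering of the same forwarder that answers only the ranges it is meant to serve; the CIDRs are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the deck). The forwarder config on the slides binds
# every interface and allows 0.0.0.0/0, so any host that can reach port 53 on
# the instance can resolve through it, private hosted zones included. These
# helpers flag that pattern and render a forwarder that answers only the
# on-premises and VPC ranges. All CIDRs here are constructed sample values.

# True when an unbound.conf both listens on a wildcard address and allows
# queries from any source address.
unbound_conf_is_open() {   # usage: unbound_conf_is_open /etc/unbound/unbound.conf
  grep -Eq '^[[:space:]]*interface:[[:space:]]*(0\.0\.0\.0|::0?)[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$1"
}

# Render a forwarder config: refuse by default, allow only the given client
# ranges (unbound applies the most specific access-control match), and
# forward everything to the VPC +2 resolver given as the first argument.
render_forwarder_conf() {  # usage: render_forwarder_conf 10.0.0.2 10.0.0.0/16 192.168.0.0/16
  resolver=$1; shift
  printf 'server:\n    interface: 0.0.0.0\n    interface: ::0\n'
  printf '    access-control: 0.0.0.0/0 refuse\n    access-control: ::/0 refuse\n'
  for cidr in "$@"; do
    printf '    access-control: %s allow\n' "$cidr"
  done
  printf 'forward-zone:\n    name: "."\n    forward-addr: %s\n' "$resolver"
}

# Typical use: write the restricted config, then validate and reload.
# render_forwarder_conf 10.0.0.2 10.0.0.0/16 192.168.0.0/16 > /etc/unbound/unbound.conf
# unbound-checkconf && unbound-control reload
```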
Page 23
AWS Directory Service as the forwarder
• Fully managed on your behalf
• If you want to use Active Directory in your VPC, you can take advantage of that as well
Page 24
Set up Active Directory
Page 25
Set up Active Directory
Page 26
Example
$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ad.cloud.zen
nameserver 10.0.1.114
nameserver 10.0.2.135
Page 27
Example
Page 28
Example
$ dig TXT example.cloud.zen
;; QUESTION SECTION:
;example.cloud.zen. IN TXT
;; ANSWER SECTION:
example.cloud.zen. 60 IN TXT "hello world"
;; Query time: 4 msec
;; SERVER: 10.0.1.114#53(10.0.1.114)
Page 29
Active Directory and Route 53 Private DNS
• Manage all non-AD names in Private DNS (because it will fall through)
• API endpoint in Route 53
• Zones can cross regions with private DNS
Page 30
[Diagram: an on-premises Resolver sending query Q through a Forwarder to the +2 Resolver and the Route 53 Authority; steps numbered 1 to 8]
Page 31
BIND configuration
options {
    ...
    forwarders { 10.0.1.114; 10.0.2.135; };
    forward only; # depending on your configuration
};
zone "cloud.zen" {
    type forward;
    forwarders { 10.0.1.114; 10.0.2.135; };
};
Page 32
Unbound configuration
forward-zone:
    name: "."
    forward-addr: 10.0.1.114
    forward-addr: 10.0.2.135
forward-zone:
    name: "cloud.zen"
    forward-addr: 10.0.1.114
    forward-addr: 10.0.2.135
Page 33
Flatten your zones instead of subdelegating
[Diagram labels: Resolver; cloud.zen; +2 Resolver; Q; Forwarder; sub.cloud.zen]
Page 34
Flatten your zones instead of subdelegating
[Diagram labels: Resolver; cloud.zen; +2 Resolver; Q; Forwarder; sub.cloud.zen]
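The deck notes earlier that delegation back via NS records does not work inside private DNS, and these two slides show the alternative: fold sub.cloud.zen into cloud.zen. As an added example (not from the deck), a shell check that lists the sub-zone delegations still present in a BIND zone file before it is imported with cli53; the zone names and records it is exercised with are constructed.

```shell
#!/bin/sh
# Added example (not from the deck): the in-VPC resolver does not follow NS
# delegations inside private DNS, so a zone with sub-zone delegations must be
# flattened into one hosted zone before import. This lists the delegations in
# a BIND zone file so they can be folded in rather than silently stop working.

# Print each delegated sub-zone once, given the zone apex on the command line
# and the zone file on stdin. Handles single-line records in the form
# "owner [ttl] [class] NS target"; owners may be absolute, relative or "@",
# and a record that starts with whitespace reuses the previous owner.
# Assumes no $ORIGIN changes inside the file.
list_subdelegations() {   # usage: list_subdelegations cloud.zen < cloud.zen.zone
  awk -v apex="$1" '
    BEGIN { apex = tolower(apex); sub(/\.$/, "", apex); prev = "@" }
    /^[ \t]*;/ || /^[ \t]*$/ || /^\$/ { next }   # comments, blanks, $TTL/$ORIGIN
    {
      if ($0 ~ /^[ \t]/) { owner = prev; start = 1 } else { owner = $1; start = 2 }
      prev = owner
      isns = 0                                   # type sits within 3 fields of owner
      for (i = start; i <= NF && i < start + 3; i++) if ($i == "NS") isns = 1
      if (!isns) next
      name = tolower(owner)
      if (name == "@") name = apex
      else if (name !~ /\.$/) name = name "." apex
      sub(/\.$/, "", name)
      if (name != apex && !(name in seen)) { seen[name] = 1; print name }
    }'
}

# Exit 1 (and list the offenders) when a zone file still contains delegations.
assert_flat_zone() {      # usage: assert_flat_zone cloud.zen cloud.zen.zone
  found=$(list_subdelegations "$1" < "$2")
  [ -z "$found" ] && return 0
  printf 'flatten these delegations into %s before cli53 import:\n%s\n' "$1" "$found" >&2
  return 1
}
```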
Page 35
On-premises contains data not in private DNS
• Loop the query through on-premises
• Copy the data into private DNS
• Set up conditional forwarding in Active Directory
Page 36
Queries from on-premises will see the data
[Diagram: an on-premises Resolver sending query Q through a Forwarder to the +2 Resolver and the Route 53 Authority; steps numbered 1 to 8]
Page 37
Loop the query through on-premises for VPC
[Diagram: a Resolver sending query Q through a Forwarder to the +2 Resolver and the Route 53 Authority; steps numbered 1 to 8]
Page 38
Copy the data into private DNS
https://code.google.com/p/route53d/
• or cli53 or
route53d configuration excerpt:
[hostedzone]
#
# Enumerate the zone IDs for each hosted zone, e.g.:
# [hostedzone]
# foo.com = Z123
# baz.org = Z456
Page 39
Copy the data into private DNS
[Diagram: a Resolver sending query Q through a Forwarder to the +2 Resolver and the Route 53 Authority; steps numbered 1 to 4]
Page 40
Summary
• Consolidating your DNS infrastructure in the cloud is easy and simplifies management
• There are a number of ways to combine private DNS with an on-premises or existing DNS solution
• We’re aware of the limitations of the gateway+2 and are working toward resolving those limitations
Page 41
Remember to complete your evaluations!
Page 42
Thank you!