Consolidating DNS with Amazon Route 53 - Pop-up Loft Tel Aviv
TRANSCRIPT
Consolidating DNS with Amazon Route 53
Steve Seymour
Specialist Solutions Architect
Agenda
• Why should I do this? Why is now the right time?
  • Cost
  • Simplicity
  • Single view
  • API management
• Basic DNS use cases
• Advanced private DNS
[Diagram: example.com today, served by public DNS, internal DNS, third-party monitoring and system monitoring]
[Diagram: example.com after consolidation, served by Route 53 public zones, Route 53 private zones and Route 53 health checks]
Basic DNS use cases
Bulk transfer domains
1. Export DNS to Route 53
2. Delegate to Route 53
3. Transfer domains to Route 53
Order matters for availability!
Export DNS
Highly dependent on your existing DNS provider. Two examples:
• GoDaddy
  • “DNS Zone File” tab with an “Export (UNIX)” format
• BIND
  • Typically in /var/named/chroot/var/named
• Use cli53 to import
  • https://github.com/barnybug/cli53
#!/bin/sh
# assuming we have files in the format [domain].zone, we can do this:
for zonefile in *.zone; do
    domain=$(basename "$zonefile" .zone)
    cli53 create "$domain" --comment 'bulk'
    cli53 import "$domain" --file "$zonefile"
done
Delegate to Route 53
• This step is registrar dependent.
• Namecheap example:
  • https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.dns.setCustom&ClientIp=192.168.1.109&SLD=domain&TLD=com&NameServers=ns-425.awsdns-53.com,ns-793.awsdns-35.net,ns-1049.awsdns-03.org,ns-1692.awsdns-19.co.uk
• Check that you’re actually delegated (dig +trace)
$ dig +trace awsarchitectureblog.com
…
. 505108 IN NS k.root-servers.net.
…
com. 172800 IN NS …
…
awsarchitectureblog.com. 172800 IN NS ns-425.awsdns-53.com.
awsarchitectureblog.com. 172800 IN NS ns-793.awsdns-35.net.
awsarchitectureblog.com. 172800 IN NS ns-1049.awsdns-03.org.
awsarchitectureblog.com. 172800 IN NS ns-1692.awsdns-19.co.uk.
• Wait for TTLs to expire
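The delegation check above, scripted so it can run before every domain transfer. This is an added example, not code from the talk: it parses a dig +trace excerpt (constructed here from the slide's output), compares the parent's NS referral with the hosted zone's delegation set, and reports the NS TTL that must elapse before old answers age out of caches.

```python
import re

# Constructed dig +trace excerpt showing the delegation on the slide; not captured output.
SAMPLE_TRACE = """\
.                         505108 IN NS k.root-servers.net.
com.                      172800 IN NS a.gtld-servers.net.
awsarchitectureblog.com.  172800 IN NS ns-425.awsdns-53.com.
awsarchitectureblog.com.  172800 IN NS ns-793.awsdns-35.net.
awsarchitectureblog.com.  172800 IN NS ns-1049.awsdns-03.org.
awsarchitectureblog.com.  172800 IN NS ns-1692.awsdns-19.co.uk.
;; Received 231 bytes from 192.5.6.30#53(a.gtld-servers.net) in 40 ms
"""

# Delegation set of the Route 53 hosted zone (the four servers on the slide).
ROUTE53_NS = ["ns-425.awsdns-53.com", "ns-793.awsdns-35.net",
              "ns-1049.awsdns-03.org", "ns-1692.awsdns-19.co.uk"]

NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")

def norm(name):
    """Lower-case and force a trailing dot so names compare reliably."""
    return name.lower().rstrip(".") + "."

def parse_trace_ns(trace, domain):
    """Return (set of NS names, TTL) from the parent's referral for domain."""
    want, servers, ttl = norm(domain), set(), None
    for line in trace.splitlines():
        m = NS_LINE.match(line)
        if m and norm(m.group(1)) == want:
            servers.add(norm(m.group(3)))
            ttl = int(m.group(2))
    return servers, ttl

def check_delegation(trace, domain, expected_ns):
    """Compare the live delegation with the hosted zone's delegation set.

    wait_seconds is the parent's NS TTL: until it has elapsed, caching
    resolvers may still send queries to the old provider."""
    seen, ttl = parse_trace_ns(trace, domain)
    expected = {norm(n) for n in expected_ns}
    return {"delegated": seen == expected,
            "missing": sorted(expected - seen),
            "unexpected": sorted(seen - expected),
            "wait_seconds": ttl}

if __name__ == "__main__":
    print(check_delegation(SAMPLE_TRACE, "awsarchitectureblog.com", ROUTE53_NS))
```

In practice, pipe `dig +trace <domain>` into check_delegation and only proceed to the transfer step once "delegated" is true and wait_seconds has passed.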
Transfer domains
• Also registrar dependent, but you will want to unlock your domains and obtain authorization codes.
• Namecheap example:
  • Unlock:
    https://api.namecheap.com/xml.response?ApiUser=<example>&ApiKey=<key>&UserName=<user>&Command=namecheap.domains.setRegistrarLock&ClientIp=192.168.1.109&DomainName=example.com&LockAction=unlock
• Obtain authorization codes (depends on the registrar; GoDaddy has a bulk download option)
#!/usr/bin/env ruby
require 'csv'
require 'aws-sdk-core'
route53domains = Aws::Route53Domains::Client.new(region: 'us-east-1')
# authcodes.csv is assumed to hold one "domain,authcode" row per domain
CSV.foreach('authcodes.csv') do |row|
  domain, auth_code = row
  route53domains.transfer_domain(
    domain_name: domain, auth_code: auth_code, duration_in_years: 1,
    # plus the admin_contact, registrant_contact and tech_contact hashes the API requires (elided on the slide)
  )
end
[Diagram: public DNS moved to Route 53 public zones; internal DNS, third-party monitoring and system monitoring unchanged]
Take advantage of AWS integration
• ALIAS
• Health checks and DNS failover
• Calculated health checks
• Latency measurements
[Diagram: third-party monitoring replaced by Route 53 health checks; internal DNS still separate from Route 53 public zones]
Set up private DNS
$ cli53 import example.integ --file example.integ.zone
[Diagram: internal DNS replaced by Route 53 private zones, alongside Route 53 public zones and health checks]
Advanced private DNS
Using in-VPC resolver
• What we can’t do with the gateway+2 (e.g. 10.0.0.2)
  • Private DNS combines the resolver and authority – this means you can’t treat it as an authoritative server
  • Delegation back via NS records doesn’t work
On-premises to cloud
[Diagram: query flow from an on-premises resolver via the +2 resolver to the Route 53 authority, steps 1-6]
On-premises to cloud
[Diagram: the same flow with a forwarder in the VPC between the on-premises resolver and the +2 resolver, steps 1-8]
Setup unbound as the forwarder
$ sudo apt-get install unbound
/etc/unbound/unbound.conf:
server:
    ...
    interface: 0.0.0.0
    interface: ::0
    # narrow this to the networks that should be able to query the forwarder
    access-control: 0.0.0.0/0 allow
    ...
forward-zone:
    name: "."
    forward-addr: 10.0.0.2
$ sudo unbound-control reload
AWS Directory Service as the forwarder
• Fully managed on your behalf
• If you want to utilize Active Directory in your VPC, you also get to take advantage of that as well
Set up Active Directory
Example
$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ad.cloud.zen
nameserver 10.0.1.114
nameserver 10.0.2.135
$ dig TXT example.cloud.zen
;; QUESTION SECTION:
;example.cloud.zen. IN TXT
;; ANSWER SECTION:
example.cloud.zen. 60 IN TXT "hello world"
;; Query time: 4 msec
;; SERVER: 10.0.1.114#53(10.0.1.114)
Active Directory and Route 53 Private DNS
• Manage all non-AD names in Private DNS (because it will fall through)
• API endpoint in Route 53
• Zones can cross regions with private DNS
[Diagram: query flow from the on-premises resolver via the forwarder (AWS Directory Service), the +2 resolver and the Route 53 authority, steps 1-8]
BIND configuration
options {
    ...
    forwarders { 10.0.1.114; 10.0.2.135; };
    forward only; # depending on your configuration
};
zone "cloud.zen" {
    type forward;
    forwarders { 10.0.1.114; 10.0.2.135; };
};
Unbound configuration
forward-zone:
    name: "."
    forward-addr: 10.0.1.114
    forward-addr: 10.0.2.135
forward-zone:
    name: "cloud.zen"
    forward-addr: 10.0.1.114
    forward-addr: 10.0.2.135
Flatten your zones instead of subdelegating
[Diagram: resolver querying sub.cloud.zen via the forwarder and +2 resolver, first with sub.cloud.zen as a delegated sub-zone, then with its records flattened into cloud.zen]
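Because NS delegation inside private DNS is not followed, the sub-zone's records have to live in the parent hosted zone. The helper below is an added example (not a tool from the talk): it takes a minimal, single-line-record zone file for sub.cloud.zen (constructed here), drops the sub-zone's apex SOA and NS records, fully qualifies every name, and emits lines that can be fed to `cli53 import cloud.zen`.

```python
# Constructed zone file for sub.cloud.zen (not from the slides); single-line records only.
SAMPLE_SUB_ZONE = """\
$ORIGIN sub.cloud.zen.
$TTL 300
@    IN SOA ns1.sub.cloud.zen. hostmaster.cloud.zen. (1 3600 600 86400 300)
@    IN NS  ns1.sub.cloud.zen.
ns1  IN A   10.0.3.10
app  IN A   10.0.3.20
db   60 IN A 10.0.3.30
www  IN CNAME app   ; relative target, must be qualified
"""

def fq(name, origin):
    """Fully qualify a zone-file name relative to origin ('@' is the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def flatten_zone(zone_text, sub_zone, default_ttl=300):
    """Rewrite a sub-zone's records so they can live directly in the parent zone.

    Owner names and single-name rdata (CNAME/NS/PTR) are fully qualified and
    the sub-zone's apex SOA and NS records are dropped: in one Route 53
    private hosted zone the parent owns the apex and NS delegation is not
    followed. Returns zone-file lines ready for `cli53 import <parent>`."""
    origin = sub_zone.rstrip(".") + "."
    ttl, out = default_ttl, []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        owner = fq(fields.pop(0), origin)
        rec_ttl = int(fields.pop(0)) if fields[0].isdigit() else ttl
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("SOA", "NS") and owner == origin:
            continue   # sub-zone apex: the parent hosted zone owns this now
        if rtype in ("CNAME", "NS", "PTR"):
            rdata = [fq(rdata[0], origin)]
        out.append(f"{owner} {rec_ttl} IN {rtype} {' '.join(rdata)}")
    return out
```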
On-premises contains data not in private DNS
• Loop the query through on-premises
• Copy the data into private DNS
• Set up conditional forwarding in Active Directory
Queries from on-premises will see the data
[Diagram: on-premises resolver querying via the forwarder, +2 resolver and Route 53 authority, steps 1-8]
Loop the query through on-premises for VPC
[Diagram: VPC query looped through the on-premises resolver via the forwarder, +2 resolver and Route 53 authority, steps 1-8]
Copy the data into private DNS
• https://code.google.com/p/route53d/
• or cli53
route53d configuration, mapping each zone name to its hosted zone ID:
[hostedzone]
## Enumerate the zone IDs for each hosted zone, e.g.:
# [hostedzone]
# foo.com = Z123
# baz.org = Z456
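Whichever tool does the copying, the core of it is turning the on-premises records into a Route 53 change batch. The function below is an added example (not route53d's or cli53's code) that diffs constructed on-premises records against a constructed ListResourceRecordSets listing of the private zone and produces UPSERT/DELETE changes, leaving SOA and NS alone.

```python
from collections import defaultdict

# Constructed on-premises records for cloud.zen (name, ttl, type, rdata); not from the slides.
SOURCE = [
    ("cloud.zen.", 300, "SOA", "ns1.cloud.zen. hostmaster.cloud.zen. 1 3600 600 86400 300"),
    ("cloud.zen.", 300, "NS", "ns1.cloud.zen."),
    ("app.cloud.zen.", 300, "A", "10.0.3.20"),
    ("db.cloud.zen.", 60, "A", "10.0.3.31"),
    ("www.cloud.zen.", 300, "CNAME", "app.cloud.zen."),
]
# Constructed ListResourceRecordSets output for the private hosted zone.
EXISTING = [
    {"Name": "cloud.zen.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-placeholder.awsdns-00.example."}]},
    {"Name": "app.cloud.zen.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "10.0.3.20"}]},
    {"Name": "db.cloud.zen.", "Type": "A", "TTL": 60, "ResourceRecords": [{"Value": "10.0.3.30"}]},
    {"Name": "old.cloud.zen.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "10.0.3.9"}]},
]

def build_change_batch(source_records, existing_rrsets, comment="sync from on-premises"):
    """Return a ChangeBatch for ChangeResourceRecordSets that makes the private
    zone match the on-premises data: UPSERT new or changed record sets, DELETE
    sets no longer present. SOA/NS are skipped because Route 53 owns the apex
    and NS delegation is not followed in private DNS."""
    desired = defaultdict(lambda: {"ttl": None, "values": set()})
    for name, ttl, rtype, rdata in source_records:
        if rtype in ("SOA", "NS"):
            continue
        key = (name.lower().rstrip(".") + ".", rtype)
        desired[key]["ttl"] = ttl
        desired[key]["values"].add(rdata)
    current = {(r["Name"].lower(), r["Type"]): r for r in existing_rrsets}
    changes = []
    for key, spec in sorted(desired.items()):
        rrset = {"Name": key[0], "Type": key[1], "TTL": spec["ttl"],
                 "ResourceRecords": [{"Value": v} for v in sorted(spec["values"])]}
        cur = current.get(key)
        if (cur is None or cur["TTL"] != spec["ttl"]
                or {r["Value"] for r in cur["ResourceRecords"]} != spec["values"]):
            changes.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
    for key, cur in sorted(current.items()):
        if key[1] not in ("SOA", "NS") and key not in desired:
            changes.append({"Action": "DELETE", "ResourceRecordSet": cur})
    return {"Comment": comment, "Changes": changes}
```

The returned dict is the ChangeBatch argument of boto3's route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...), which Route 53 applies atomically.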
Copy the data into private DNS
[Diagram: resolver, forwarder, +2 resolver and Route 53 authority, steps 1-4]
Summary
• Consolidating your DNS infrastructure in the cloud is easy and simplifies management
• There are a number of ways to combine private DNS with an on-premises or existing DNS solution
• We’re aware of the limitations of the gateway+2 and are working toward resolving those limitations
Useful posts – blogs.aws.amazon.com/security
… with Simple AD: amzn.to/1XJQ4Ht
… with Microsoft AD: amzn.to/1p7o8C8
Steve Seymour
Specialist Solutions Architect
[email protected]
@sseymour