In this session, we show you how to use Amazon Route 53 to consolidate your DNS data and manage it centrally. Learn how to use Amazon Route 53 for public DNS and for private DNS in VPC, and also learn how to combine Amazon Route 53 private DNS with your own DNS infrastructure.
2. Agenda
• Why should I do this? Why is now the right time?
• Cost
• Simplicity
• Single view
• API management
• Basic DNS use cases
• Advanced private DNS
5. Bulk transfer domains
1. Export DNS to Route 53
2. Delegate to Route 53
3. Transfer domains to Route 53
Order matters for availability!
6. Export DNS
Highly dependent on your existing DNS provider.
Two examples:
• GoDaddy
• “DNS Zone File” tab with an “Export (UNIX)” format
• BIND
• Typically in /var/named/chroot/var/named
• Use cli53 to import
• https://github.com/barnybug/cli53
7. Export DNS
# assuming we have files in the format
[domain].zone, we can do this:
#!/bin/sh
for zonefile in *.zone; do
domain=$(basename "$zonefile" .zone)
cli53 create ${domain} --comment 'bulk'
cli53 import ${domain} --file ${zonefile}
done
8. Delegate to Route 53
• This step is registrar dependent.
• Namecheap example:
• https://api.namecheap.com/xml.response?
ApiUser=<example>&
ApiKey=<key>&
UserName=<user>&
Command=namecheap.domains.dns.setCustom&
ClientIp=192.168.1.109&
SLD=domain&
TLD=com&
NameServers= ns-425.awsdns-53.com,ns-793.awsdns-
35.net,ns-1049.awsdns-03.org,ns-1692.awsdns-19.co.uk
9. Delegate to Route 53
• Check that you’re actually delegated (dig +trace)
$ dig +trace awsarchitectureblog.com
…
. 505108 IN NS k.root-servers.net.
…
com. 172800 IN NS
…
awsarchitectureblog.com. 172800 IN NS ns-425.awsdns-53.com.
awsarchitectureblog.com.172800 IN NS ns-793.awsdns-35.net.
awsarchitectureblog.com. 172800 IN NS ns-1049.awsdns-03.org.
awsarchitectureblog.com. 172800 IN NS ns-1692.awsdns-19.co.uk.
• Wait for TTLs to expire
10. Transfer domains
• Also registrar dependent, but you will want to unlock your domains and
obtain authorization codes.
• Namecheap example:
• Unlock:
https://api.namecheap.com/xml.response?
ApiUser=<example>&
ApiKey=<key>&
UserName=<user>&
Command=namecheap.domains.setRegistrarLock&
ClientIp=192.168.1.109&
DomainName=example.com&
LockAction=unlock
• Obtain authorization codes (depends on the registrar; GoDaddy has a
bulk download option)
11. Transfer domains
#/usr/bin/ruby
require 'csv'
require 'aws-sdk-core'
route53domains =
Aws::Route53Domains::Client.new(region: 'us-east-1')
CSV.foreach("authcodes.csv") do |row|
route53domains.transfer_domain(...
end
18. Using in-VPC resolver
• What we can’t do with the gateway+2 (e.g. 10.0.0.2)
• Private DNS combines the resolver and authority – this
means you can’t treat it as an authoritative server
• Delegation back via NS records doesn’t work
22. Setup unbound as the forwarder
forward-zone:
name: "."
forward-addr: 10.0.0.2
23. AWS Directory Service as the forwarder
• Fully managed on your behalf
• If you want to utilize Active Directory in your VPC, you
also get to take advantage of that as well
28. Example
$ dig TXT example.cloud.zen
;; QUESTION SECTION:
;example.cloud.zen. IN TXT
;; ANSWER SECTION:
example.cloud.zen. 60 IN TXT "hello world"
;; Query time: 4 msec
;; SERVER: 10.0.1.114#53(10.0.1.114)
29. Active Directory and Route 53 Private DNS
• Manage all non-AD names in Private DNS (because it
will fall through)
• API endpoint in Route 53
• Zones can cross regions with private DNS
33. Flatten your zones instead of subdelegating
Resolver
cloud.zen
+2 Resolver
Q
Forwarder
sub.cloud.zen
34. Flatten your zones instead of subdelegating
Resolver
cloud.zen
+2 Resolver
Q
Forwarder
sub.cloud.zen
35. On-premises contains data not in private DNS
• Loop the query through on-premises
• Copy the data into private DNS
• Setup conditional forwarding in Active Directory
36. Queries from on-premises will see the data
Resolver
Route 53
Authority
+2 Resolver
Q
1
2
45
7
8
Forwarder
3
6
37. Loop the query through on-premises for VPC
Resolver
Route 53
Authority
+2 Resolver
Q
1
2
45
7
8
Forwarder
3
6
38. Copy the data into private DNS
https://code.google.com/p/route53d/
• or cli53 or
[hostedzone]
#
# Enumerate the zone IDs for each hosted zone, e.g.:
# [hostedzone]
# foo.com = Z123
# baz.org = Z456
39. Copy the data into private DNS
Resolver
Route 53
Authority
+2 Resolver
Q
1
23
Forwarder
4
40. Summary
• Consolidating your DNS infrastructure in the cloud is
easy and simplifies management
• There are a number of ways to combine private DNS
with an on-premises or existing DNS solution
• We’re aware of the limitations of the gateway+2 and are
working toward resolving those limitations