Amazon Route 53
Amazon Route53 is a cloud-based Domain Name System (DNS) web service provided by Amazon Web Services (AWS). It offers highly scalable and reliable DNS services that help businesses and developers manage their domain names and route internet traffic to the appropriate resources. Route53 provides features such as domain registration, DNS management, traffic routing, and health checking, all designed to ensure the availability and performance of your website or application. Whether you are running a small blog or a large-scale enterprise application, Amazon Route53 offers a comprehensive suite of DNS management tools to meet your needs.
This blog will help you understand the key points about Amazon Route 53 and its related components. Reference links to the AWS documentation are included for some topics.
- Highly available and scalable Domain Name System (DNS) web service
- A Domain Registrar
- Health check for your resources
Important DNS record types supported by Route 53
- A record — maps a hostname to an IPv4 address
- AAAA record — maps a hostname to an IPv6 address
- CNAME record — maps DNS queries for the name of the current record, such as acme.example.com, to another domain name
- MX record — specifies the names of your mail servers
- NS record — identifies the name servers for the hosted zone
Hosted zone types
- Private hosted zones — contain records that specify how you want to route traffic in an Amazon VPC
- Public hosted zones — contain records that specify how you want to route traffic on the internet
TTL
- The TTL value sets how long a DNS resolver caches a response
- Amazon Route 53 does not have a default TTL for any record type
- CNAME
1. Can redirect DNS queries to any DNS record
2. Cannot be created for a ROOT DOMAIN (zone apex)
3. No health checks available
4. Queries to CNAME records are charged
5. Response to a dig or nslookup query is always a CNAME record
6. Can set a TTL
- Alias
1. Can only redirect queries to selected AWS resources such as CloudFront, ALB, etc.
2. Can be created for both a ROOT DOMAIN and a NON ROOT DOMAIN
3. Health checks are available
4. Queries to Alias records are free of charge
5. Response to a dig or nslookup query is always of type A or AAAA record
6. Can't set a TTL
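The CNAME and Alias rules above, turned into a small builder and checker for a Route 53 ChangeBatch. This is an added example, not code from the original post; the zone name, hostnames and CloudFront domain are constructed sample values, and `validate_batch` is a hypothetical helper that flags the rule violations the list describes.

```python
"""Added example (not from the original post): build a Route 53 ChangeBatch for a
CNAME or an Alias record, enforcing the differences listed above. The zone name,
hostnames and CloudFront domain below are constructed sample values."""
import json

ZONE_APEX = "example.com."  # constructed sample zone
# Fixed hosted zone ID Route 53 uses for every CloudFront alias target.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"


def cname_change(name, target, ttl=300, action="UPSERT"):
    """CNAME: may point at any DNS name, carries a TTL, but is never allowed at the zone apex."""
    if name.rstrip(".").lower() == ZONE_APEX.rstrip("."):
        raise ValueError("a CNAME cannot be created at the zone apex; use an Alias record")
    return {"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "CNAME", "TTL": ttl, "ResourceRecords": [{"Value": target}]}}

def alias_change(name, target_dns, target_zone_id, rtype="A", evaluate_health=False, action="UPSERT"):
    """Alias: AWS targets only, allowed at the apex, no TTL field, answers as A or AAAA."""
    if rtype not in ("A", "AAAA"):
        raise ValueError("alias records answer as A or AAAA")
    return {"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": rtype, "AliasTarget": {"HostedZoneId": target_zone_id,
        "DNSName": target_dns, "EvaluateTargetHealth": evaluate_health}}}

def change_batch(*changes, comment="added example"):
    return {"Comment": comment, "Changes": list(changes)}

def validate_batch(batch):
    """List the CNAME/Alias rule violations in a batch (empty list means it is consistent)."""
    problems = []
    for change in batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        is_alias = "AliasTarget" in rrset
        if is_alias and "TTL" in rrset:
            problems.append(f"{rrset['Name']}: alias records cannot carry a TTL")
        if not is_alias and "TTL" not in rrset:
            problems.append(f"{rrset['Name']}: non-alias records need a TTL")
        if rrset["Type"] == "CNAME" and rrset["Name"].rstrip(".").lower() == ZONE_APEX.rstrip("."):
            problems.append(f"{rrset['Name']}: CNAME at zone apex")
    return problems

if __name__ == "__main__":
    batch = change_batch(
        alias_change(ZONE_APEX, "d111111abcdef8.cloudfront.net.", CLOUDFRONT_ALIAS_ZONE_ID),
        cname_change("www." + ZONE_APEX, "d111111abcdef8.cloudfront.net."))
    print(json.dumps(batch, indent=2), "\nproblems:", validate_batch(batch))
```

The printed batch is the JSON shape `aws route53 change-resource-record-sets --change-batch` expects: the apex record uses `AliasTarget` with no `TTL`, while the `www` record carries a `TTL` and `ResourceRecords`.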
Types of Route 53 Routing Policies
- Simple — Use for a single resource that performs a given function for your domain
- IP based — Use when you want to route traffic based on the location of your users and you have the IP addresses that the traffic originates from.
- Weighted — Use to route traffic to multiple resources in proportions that you specify.
- Multivalue answer — Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random
- Failover — Use when you want to configure active-passive failover
- Latency based — Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
- Geolocation — Use when you want to route traffic based on the location of your users
- Geoproximity — Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
Types of Route 53 Health Checks
- Health checks that monitor an endpoint
- Health checks that monitor other health checks (calculated health checks)
- Health checks that monitor CloudWatch alarms
Making Route 53 the DNS service for a domain that’s in use
- Get your current DNS configuration from the current DNS service provider
- Create a public hosted zone
- Create all the records in the newly created hosted zone
- Lower the TTL of the NS record to 15 minutes
- (Optional, only if you have DNSSEC configured) Remove the DS record from the parent zone
- Wait for the old TTL to expire (only needed if you removed a DS record)
- Update the NS records to use the new Route 53 name servers
- Monitor traffic for the domain
- Change the TTL of the NS record back to a higher value (2 days)
- Transfer the domain registration to Amazon Route 53
- Re-enable DNSSEC signing
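A check that belongs between the "create all the records" step and the NS switch: compare the old provider's export with the new hosted zone so nothing is missing when resolvers start hitting Route 53. This is an added example, not code from the original post; both zone exports are constructed sample data in BIND zone-file syntax, and the Route 53 name server names are placeholders.

```python
"""Added example (not from the original post): before the NS records are switched,
compare the records exported from the current DNS provider with those created in
the new Route 53 hosted zone. Both zone exports are constructed sample data in
BIND zone-file syntax (one record per line)."""

# Constructed export from the old provider (the "current DNS configuration" step).
OLD_PROVIDER_ZONE = """\
example.com.        3600 IN SOA ns1.oldprovider.example. hostmaster.example.com. 1 7200 900 1209600 300
example.com.        3600 IN NS  ns1.oldprovider.example.
example.com.         300 IN A   192.0.2.10
www.example.com.     300 IN A   192.0.2.10
mail.example.com.    300 IN A   192.0.2.25
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject"
"""
# Constructed export of the new Route 53 hosted zone; its apex NS and SOA are Route 53's own.
ROUTE53_ZONE = """\
example.com.        900 IN SOA ns-2048.awsdns-64.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
example.com.        900 IN NS  ns-2048.awsdns-64.com.
example.com.        300 IN A   192.0.2.10
www.example.com.    300 IN A   192.0.2.10
mail.example.com.   300 IN A   192.0.2.99
"""
IGNORED_AT_APEX = {"NS", "SOA"}  # these legitimately differ between providers

def parse_zone(text, apex):
    """Return {(name, type): set(rdata)} from one-record-per-line zone text."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank lines, comments or anything not in name/ttl/IN/type/rdata form
        name, _ttl, _cls, rtype, rdata = parts
        if name.lower() == apex.lower() and rtype in IGNORED_AT_APEX:
            continue
        records.setdefault((name.lower(), rtype), set()).add(" ".join(rdata.split()))
    return records

def zone_diff(old_text, new_text, apex):
    """(missing, changed): record sets absent from the new zone, and those whose rdata differs."""
    old, new = parse_zone(old_text, apex), parse_zone(new_text, apex)
    missing = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return missing, changed

if __name__ == "__main__":
    missing, changed = zone_diff(OLD_PROVIDER_ZONE, ROUTE53_ZONE, "example.com.")
    print("missing in Route 53:", missing)  # [('_dmarc.example.com.', 'TXT')]
    print("rdata differs:", changed)        # [('mail.example.com.', 'A')]
```

In the constructed data the DMARC TXT record was never recreated and the mail host's A record was typed wrong; both would only surface after the NS cutover without this comparison.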
DNSSEC
- A protocol for securing DNS traffic: it verifies the integrity and origin of DNS data. Route 53 DNSSEC signing works only with public hosted zones
- Route 53 supports DNSSEC both for domain registration and for signing hosted zones
- When enabled, Route 53 enforces a TTL of one week for all records in the hosted zone (records with a TTL of less than one week are not affected)
How to enable DNSSEC on a Route 53 hosted zone
- Step 1 — Prepare for DNSSEC signing
1. Monitor zone availability (through customer feedback)
2. Lower the TTL for records (1 hour recommended)
3. Lower the SOA minimum to 5 minutes
- Step 2 — Enable DNSSEC signing and create a KSK
1. Enable DNSSEC in Route 53 for your hosted zone (console or CLI)
2. Have Route 53 create a KSK in the console and link it to a customer managed CMK
- Step 3 — Establish the chain of trust
1. Create a chain of trust between the hosted zone and the parent hosted zone
2. This is done by creating a Delegation Signer (DS) record in the parent zone
3. The DS record contains a hash of the public key used to sign DNS records
4. Your registrar can be Route 53 or a 3rd-party registrar
- Step 4 — (good to have) Monitor for errors using CloudWatch alarms
1. Create CloudWatch alarms for the DNSSECInternalFailure and DNSSECKeySigningKeysNeedingAction metrics
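Step 3 says the DS record carries a hash of the KSK's public key. The following added example (not code from the original post or from AWS) derives that DS record from a DNSKEY using the RFC 4034 key tag and the RFC 4509 SHA-256 digest, which is how you can independently confirm that the DS published at the registrar matches the KSK Route 53 shows for the zone. The owner name and key bytes are constructed dummies; `ds_matches` is a hypothetical helper.

```python
"""Added example (not from the original post): derive the DS record for a KSK from its
DNSKEY record (RFC 4034 key tag, RFC 4509 SHA-256 digest) so the DS published at the
registrar can be checked against the key Route 53 shows for the zone. The key bytes
below are a constructed dummy, not real key material."""
import base64
import hashlib

# Constructed sample KSK: flags 257 (zone key + SEP), protocol 3, algorithm 13 (ECDSAP256SHA256).
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
                 "public_key": base64.b64encode(b"\x01\x02").decode()}  # dummy key bytes

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, raw (base64-decoded) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire-format owner name: length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, public_key):
    """(key_tag, algorithm, digest_type, hex_digest) for a digest type 2 (SHA-256) DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(owner, dnskey, published_ds):
    """True when the DS tuple found in the parent zone was derived from this DNSKEY."""
    pub = tuple(published_ds)
    return ds_record(owner, **dnskey) == pub[:3] + (pub[3].upper(),)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, **SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```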
Route 53 Resolver
- Responds recursively to DNS queries from AWS resources for public records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones
- Inbound Resolver endpoints allow DNS queries to your VPC from your on-premises network or another VPC
- Outbound Resolver endpoints allow DNS queries from your VPC to your on-premises network or another VPC
- Resolver rules let you create one forwarding rule per domain name, specifying the domain for which you want to forward DNS queries from your VPC to an on-premises DNS resolver, or from your on-premises network to your VPC
- Rules are applied directly to your VPC and can be shared across multiple accounts
- Resolver endpoint types
1. Inbound Resolver
2. Outbound Resolver
- Resolver rule types
1. Conditional forwarding rules — You create conditional forwarding rules (also known as forwarding rules) when you want to forward DNS queries for specified domain names to DNS resolvers on your network.
2. System rules — Cause Resolver to selectively override the behaviour that is defined in a forwarding rule. When you create a system rule, Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.
3. Auto-defined rules — Resolver automatically creates autodefined rules and associates the rules with your VPCs.
- Resolver rules can be shared across accounts using AWS RAM
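The forwarding-rule versus system-rule precedence described above, worked through in code. This is an added example, not code from the original post or from AWS: the rule set, the on-premises resolver address and the helper names (`select_rule`, `resolve_path`) are constructed, and it generalises the example.com / acme.example.com case to any rule set by matching the most specific domain, label by label.

```python
"""Added example (not from the original post): how Route 53 Resolver picks the rule for
a query name, using the example.com / acme.example.com case described above. The most
specific (longest) matching domain wins; the rule set and on-premises resolver
address are constructed sample values."""

# Constructed rule set: a forwarding rule for example.com plus a system rule that
# carves acme.example.com back out of it (rule_type values mirror the Resolver API).
SAMPLE_RULES = [
    {"domain": "example.com", "rule_type": "FORWARD", "targets": ["10.0.0.53"]},  # on-prem (constructed)
    {"domain": "acme.example.com", "rule_type": "SYSTEM", "targets": []},         # left to Route 53
]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def domain_matches(rule_domain, query_name):
    """True when query_name equals rule_domain or is a subdomain of it (by label, not substring)."""
    r, q = _labels(rule_domain), _labels(query_name)
    return len(q) >= len(r) and q[-len(r):] == r

def select_rule(rules, query_name):
    """The most specific matching rule, or None when no rule applies."""
    matches = [r for r in rules if domain_matches(r["domain"], query_name)]
    return max(matches, key=lambda r: len(_labels(r["domain"])), default=None)

def resolve_path(rules, query_name):
    """Where the query goes: the forwarding rule's on-prem targets, or Route 53 Resolver itself."""
    rule = select_rule(rules, query_name)
    if rule is None or rule["rule_type"] == "SYSTEM":
        return "route53-resolver"
    return rule["targets"]

if __name__ == "__main__":
    for q in ("www.example.com", "db.acme.example.com", "notexample.com"):
        print(q, "->", resolve_path(SAMPLE_RULES, q))
```

The `notexample.com` case is included because a naive suffix string match would wrongly forward it to the on-premises resolver; matching on whole labels avoids that.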
Route 53 Resolver DNS Firewall
- Can filter and regulate outbound DNS traffic for your virtual private cloud (VPC)
- The primary use of DNS Firewall protections is to help prevent DNS exfiltration of your data
- There are two DNS Firewall failure behaviours for a VPC
1. Fail open — Resolver allows queries through if it doesn't receive a reply from DNS Firewall
2. Fail closed (default) — Resolver blocks any query for which it doesn't receive a reply from DNS Firewall and sends a SERVFAIL DNS response
Route 53 — Split-View DNS (Split-Horizon)
- In split-view DNS, you use the same domain name (example.com) for internal uses (accounting.example.com) and external uses, such as your public website (www.example.com). You might also want to use the same subdomain name internally and externally, but serve different content or require different authentication for internal and external users.
Solution for DNS management in multi-account environment with Route 53 Resolver