Route53

Introduction

  • A regional, managed DNS service for:

    • Domain Registration

    • DNS Routing

    • Health Checking

  • Not useful for resolving on-premises dependencies

Feature

  • Routing policies

    • Simple

      • Maps a hostname to a single resource

      • Can't attach health checks

      • If multiple values are returned, a random one is chosen by the client.

    • Weighted

      • Controls the % of requests that go to a specific endpoint.

      • Helpful to test a new app version on 1% of traffic, for example

      • Helpful to split traffic between two regions

      • Can be associated with health checks

      • Note: The weights don't need to sum to 100.

    • Latency

      • Redirects to the server with the least latency for the user

      • Helpful when user latency is a priority

      • Latency is measured between the user and the designated AWS region

      • Has a failover capability if you enable health checks

    • Failover

      • Monitors an endpoint by sending health checks

    • Geolocation

      • Based on user location

      • Should create a default record in case no location matches

  • Route53 only supports DNSSEC for domain registration; it doesn't support DNSSEC for its DNS service. You must either:

    • Use another DNS service provider

    • Run a custom DNS server on EC2 (ex: BIND, dnsmasq, Knot DNS, PowerDNS)

  • Health Checks and configuring failover

    • Monitor endpoint (application, server, other AWS resource)

    • Monitor other health checks (calculated health checks)

    • Monitor CloudWatch alarms. Ex. throttling DynamoDB, alarms on RDS, other custom metrics.

    • Health checks can be set up based on:

      • HTTP status code

      • Text in the first 5120 bytes of the response

      • Calculated health checks

        • Create separate individual health checks

        • Specify how many of the health checks need to pass to make the parent pass

    • Health Checks for Private Hosted Zones

      • Health Checks run from the AWS cloud and cannot reach resources in a private subnet. Options:

        • Create a CloudWatch Metric and alarm, then create a health check for the alarm.

        • Assign a public IP to the resource

        • Check a dependent external resource instead. Ex. DB server.

  • Multi Value Routing Policy (Query)

    • Used when routing traffic to multiple resources

    • Can associate Route53 health checks with the records

    • Up to 8 healthy records are returned to clients for each query; the client chooses which resource to access

    • Multi Value is not a substitute for having an ELB.

  • Public DNS query logging

    • Can only be sent to a CloudWatch Logs log group in the US East Region.
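
The Weighted routing policy and the health-check behaviour above, as an added model (not AWS code): each record carries a weight and an optional health-check result, and Route 53 answers with one record chosen with probability weight / sum of weights among the records whose health check is not failing. The fallbacks when every record is unhealthy or every weight is 0 follow Route 53's documented behaviour; the record shape and sample addresses are constructed for this example.

```python
"""Constructed model of Route 53 weighted-record selection (not AWS code)."""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WeightedRecord:
    name: str                        # record set name, e.g. "app.example.com"
    value: str                       # IPv4 address returned in the answer
    weight: int                      # 0..255; weights need not sum to 100
    healthy: Optional[bool] = None   # None = no health check attached


def eligible(records: List[WeightedRecord]) -> List[WeightedRecord]:
    """Records that may be returned for a query.

    A record with a failing health check is left out, unless *every*
    record is failing: Route 53 must return something, so it then
    answers as if all records were healthy."""
    passing = [r for r in records if r.healthy is not False]
    return passing or list(records)


def selection_probabilities(records: List[WeightedRecord]) -> dict:
    """Probability that each eligible record's value is returned."""
    pool = eligible(records)
    total = sum(r.weight for r in pool)
    if total == 0:
        # All weights 0: every eligible record is returned equally often.
        return {r.value: 1 / len(pool) for r in pool}
    # Weights are relative, e.g. 99 and 1 give a 99% / 1% canary split.
    return {r.value: r.weight / total for r in pool}


def pick(records: List[WeightedRecord], rng=random) -> WeightedRecord:
    """Simulate one query: draw one eligible record by weight."""
    pool = eligible(records)
    weights = [r.weight for r in pool]
    if sum(weights) == 0:
        weights = [1] * len(pool)
    return rng.choices(pool, weights=weights, k=1)[0]


if __name__ == "__main__":
    # Constructed 1% canary: 'green' gets 1 part in 100, 'blue' the rest.
    blue = WeightedRecord("app.example.com", "203.0.113.10", 99, healthy=True)
    green = WeightedRecord("app.example.com", "203.0.113.20", 1, healthy=True)
    print(selection_probabilities([blue, green]))
    green.healthy = False            # canary fails its health check
    print(selection_probabilities([blue, green]))
```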

Reference

  • DNS Record types:

    • SOA

      • Start of Authority; contains important management information about the zone, especially regarding zone transfers

    • A

      • hostname to IPv4

    • AAAA

      • hostname to IPv6

    • CNAME

      • hostname to hostname

        • used for: RDS

      • Canonical name record, an alias of one name to another

      • Queries are charged in Route53

      • Cannot be set at the zone apex (Ex: a zone apex domain "example.com" can have multiple subdomains like "www.example.com", "mail.example.com", etc.)

    • ALIAS

      • hostname to AWS resource

        • Used for: ELB, CloudFront, S3, Elastic Beanstalk, API Gateway

        • Can be set at the zone apex

      • Queries are not charged in Route53

    • NS

      • Delegate a subdomain to a set of name servers

    • MX record

      • Specifies a mail server responsible for accepting email messages on behalf of a recipient's domain

  • TTL (time to live): The time for which a DNS resolver caches a response

  • How to avoid Man in the Middle Attack:

    • Use HTTPS always

    • Use a DNS service that has DNSSEC (public-key signatures to verify DNS data); this can be:

      • Use another DNS service provider

      • Run a custom DNS server on EC2 (ex: BIND, dnsmasq, Knot DNS, PowerDNS)

  • Sharing Hosted Zone

  • Transferring registration for a Domain to Route 53

    • Scenario: direct traffic according to geolocation

      • Create a public hosted zone for the domain in Route 53.

      • Update the DNS entries in the registrar's database to use the AWS DNS servers defined in the NS record on Route 53.

      • Create A-type records for all EC2 instances. Configure CNAME records for the main FQDN (fully qualified domain name) that point to the regional A records using a Geolocation routing policy. Create another CNAME record as a default route.
