Configuring DNS in AWS
Introduction
The Domain Name System (DNS) is necessary for routing traffic across the internet. It accomplishes this task by converting easily remembered domain names (example.com) into the IP addresses required for the underlying network. DNS was designed as a distributed system to allow for fault tolerance and stability.
This article will cover the basics of DNS in AWS and a few of its advantages, as well as briefly touching on some of the more advanced features that are offered by Amazon. Finally, we will discuss how AWS secures network traffic once it reaches your Virtual Private Cloud (VPC) and how it is monitored.
What is Route 53?
Route 53 is Amazon Web Services’ (AWS) DNS service. It is named after port 53, the standard port for DNS. Amazon designed Route 53 to be highly reliable and scalable as well as cost-effective.
Route 53 allows users to create public and private zones. Public-hosted zones determine how internet traffic is routed. A private-hosted zone, on the other hand, shows how traffic is routed within your Amazon VPC (within your private AWS environment).
All common DNS entries can be created within Route 53 (A, CNAME, MX, TXT, etc.). Additionally, it can be used as the authoritative name server, including the Start of Authority (SOA) entry, or you can delegate to your on-premises or third-party DNS using name server (NS) entries.
Advantages of Route 53
Route 53 offers plenty of advantages over using a standard domain registrar’s DNS. These advantages only grow greater when used with other AWS services such as CloudFront, Application Load Balancers and S3.
When creating a standard DNS entry, there are generally two options for routing your URL: an IP address or an alias (another URL). Most DNS services require your root DNS entry to be an A record, which must point to an IP address.
Subdomains (such as www.example.com) may be pointed to a CNAME, which may be an IP address or an alias. Route 53 does not have this limitation and allows root DNS entries to be pointed at an alias record. This allows you to take advantage of services such as content distribution networks or web application firewalls with your root domain.
Route 53 is also automatically linked to your other AWS services allowing you to easily create DNS entries linking to your S3 storage buckets, EC2 instances or CloudFront.
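To make the apex rule concrete, the following added example (not code from the article) builds a Route 53 change batch for an alias A record at the zone apex pointing at a CloudFront distribution, and refuses the CNAME-at-apex configuration that plain DNS providers cannot support. The dict is shaped like the parameters boto3's change_resource_record_sets() takes, but nothing here calls AWS, so it runs offline; the domain and CloudFront hostname are constructed sample values.

```python
"""Build a Route 53 change batch for a zone-apex alias record (added example)."""
from typing import List

# Well-known hosted zone ID used by every CloudFront distribution alias target.
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def apex_record(zone_name: str, record_name: str, record_type: str, target: str,
                target_zone_id: str = CLOUDFRONT_HOSTED_ZONE_ID) -> dict:
    """Return one record set, rejecting a CNAME at the zone apex.

    A CNAME cannot coexist with the SOA and NS records that live at the apex,
    which is why most providers force the root to be an A record. A Route 53
    alias record is typed A (or AAAA) but is resolved to the target AWS
    resource's current addresses at query time, so the apex can follow a
    CloudFront distribution, load balancer or S3 website endpoint.
    """
    zone = zone_name.rstrip(".").lower()
    name = record_name.rstrip(".").lower()
    if name == zone and record_type == "CNAME":
        raise ValueError(f"CNAME is not allowed at the apex of {zone}; use an alias A record")
    if record_type == "CNAME":
        # Ordinary CNAME for a subdomain such as www: a TTL and a literal value.
        return {"Name": name + ".", "Type": "CNAME", "TTL": 300,
                "ResourceRecords": [{"Value": target}]}
    # Alias record: no TTL; AWS answers with the resource's addresses.
    return {"Name": name + ".", "Type": record_type,
            "AliasTarget": {"HostedZoneId": target_zone_id,
                            "DNSName": target,
                            "EvaluateTargetHealth": False}}


def change_batch(record_sets: List[dict]) -> dict:
    """Wrap record sets in an UPSERT change batch (idempotent create-or-update)."""
    return {"Comment": "apex alias example (constructed)",
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rs} for rs in record_sets]}


if __name__ == "__main__":
    # Constructed sample: example.com apex and www both served by one distribution.
    cf = "d111111abcdef8.cloudfront.net"
    batch = change_batch([apex_record("example.com", "example.com", "A", cf),
                          apex_record("example.com", "www.example.com", "CNAME", cf)])
    print(batch)
```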
Finally, Route 53 offers several advanced DNS features not offered in many other DNS services.
These advanced features include health checks, which determine whether your resources are healthy and available; advanced traffic-flow policies such as geoproximity routing, which ensures that your users connect to the closest available resource; and failover routing, which keeps your web application fault tolerant and highly available.
Configuring ACLs and NACLs
Once traffic has reached your VPC, Amazon has several methods of ensuring that users can only access what they should. One such method is through an Access Control List (ACL) or Network Access Control List (NACL); the names are synonymous within AWS. An ACL allows you to allow or deny traffic from within or outside of your VPC. This is accomplished through rules allowing or blocking specific protocols, ports or IP ranges.
When you initially set up a new VPC, a default ACL is created allowing all inbound and outbound traffic to the VPC. If you wish, you may create a custom ACL for each subnet within your VPC; however, doing so will replace the default ACL created by AWS, as each subnet may only have a single ACL associated with it. Furthermore, a custom ACL will deny all inbound and outbound traffic to the subnet unless explicit rules are added to allow the traffic.
A final reminder: ACLs are stateless. In practice, this means that even though an inbound rule may allow specific traffic into your subnet, two-way communication will fail unless a corresponding outbound rule is created allowing the return traffic out.
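The stateless behaviour described above is easy to get wrong, so here is an added example (not from the article) that evaluates network ACL rules the way AWS does, lowest rule number first with an implicit final deny, and shows an HTTPS session failing when the outbound rules lack an ephemeral-port allow for the reply. The rule sets and addresses are constructed samples.

```python
"""Stateless network ACL evaluation (added example, constructed rule sets)."""
import ipaddress
from typing import List, Tuple

# Rule: (rule_number, protocol, from_port, to_port, cidr, action)
Rule = Tuple[int, str, int, int, str, str]


def evaluate(rules: List[Rule], proto: str, dst_port: int, remote_addr: str) -> str:
    """Return 'allow' or 'deny' for a single packet in one direction.

    Rules are checked in ascending rule number and the first match wins;
    anything unmatched hits the implicit '*' rule, which denies.
    """
    ip = ipaddress.ip_address(remote_addr)
    for _number, rproto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("all", proto):
            continue
        if rproto != "all" and not lo <= dst_port <= hi:
            continue
        if ip in ipaddress.ip_network(cidr):
            return action
    return "deny"


def https_session_allowed(inbound: List[Rule], outbound: List[Rule],
                          client_addr: str, client_ephemeral_port: int) -> bool:
    """A TCP session needs both directions to pass independently.

    The request is judged by the inbound rules (destination port 443); the
    reply is judged by the outbound rules with the client's ephemeral port as
    the destination. Nothing remembers the request, so the reply must be
    allowed explicitly.
    """
    request_ok = evaluate(inbound, "tcp", 443, client_addr) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ephemeral_port, client_addr) == "allow"
    return request_ok and reply_ok


# Inbound: allow HTTPS from anywhere.
INBOUND = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Broken outbound: mirrors the inbound rule, so the reply to port 52000 is dropped.
OUTBOUND_BROKEN = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fixed outbound: allow the ephemeral port range used by return traffic.
OUTBOUND_FIXED = [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print("broken:", https_session_allowed(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 52000))
    print("fixed: ", https_session_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 52000))
```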
Flow logs
In order to monitor IP traffic into and out of your VPC, Amazon allows you to configure VPC flow logs. Flow logs may be published to CloudWatch, where they can trigger alerts, or to S3 for storage or use by other applications.
Flow logs collect quite a bit of information on the traffic entering and leaving your VPC. The default information collected includes the source IP address, the destination IP address, the source and destination ports, the protocol and the network interface the traffic occurred over.
This information can be extremely useful when attempting to diagnose issues with network ACLs or security groups as well as monitoring the traffic reaching your instances for unusual activity.
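As an added example (not from the article) of the diagnostic use just described, the parser below reads default-format flow log records and counts the flows a network ACL or security group rejected, per external source and destination port. The field order is the default flow log format; the log lines are constructed samples with a placeholder account id, and the VPC range 10.0.0.0/16 is an assumption.

```python
"""Parse default-format VPC flow logs and summarise rejected inbound flows (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List

# Default flow log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample records; 111111111111 is a placeholder account id.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 52000 443 6 12 5840 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 40001 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 40002 3389 6 3 180 1700000010 1700000070 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 443 52000 6 10 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 - - - - - 0 0 1700000000 1700000060 - NODATA
"""


def parse(text: str) -> List[Dict[str, str]]:
    """Split each line into the default fields, keeping only records with log-status OK.

    NODATA and SKIPDATA records carry no flow information and are dropped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def rejected_inbound(records: List[Dict[str, str]], vpc_cidr: str = "10.0.0.0/16") -> Counter:
    """Count REJECTed flows addressed into the VPC, keyed by (source, protocol, dst port).

    A REJECT means an ACL or security group dropped the packets before they
    reached the instance, which is exactly what to check when a rule is missing.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    hits: Counter = Counter()
    for r in records:
        if r["action"] == "REJECT" and ipaddress.ip_address(r["dstaddr"]) in vpc:
            proto = PROTO_NAMES.get(r["protocol"], r["protocol"])
            hits[(r["srcaddr"], proto, r["dstport"])] += 1
    return hits


if __name__ == "__main__":
    for key, count in rejected_inbound(parse(SAMPLE_LOG)).most_common():
        print(count, key)
```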
Conclusion
Amazon offers many powerful tools for directing and controlling IP traffic within and outside of your VPC. The speed and simplicity of Route 53 for controlling your DNS becomes more powerful when paired with other AWS services, allowing for granular control and monitoring of traffic to and from your web application or site. All of this together makes AWS very compelling for hosting your DNS.