Monday, 12 March 2018

AWS Route 53

Overview
  • DNS service
  • Domain registrar
    • Privacy protection available
  • DNS query logging

Hosted Zone
  • Counterpart of DNS zone file
  • Collection of DNS records
    • all have domain name as suffix (e.g. ".example.com")

Route53::RecordSet
  • AliasTarget
    • ALIAS resource record sets only
    • Do not specify TTL
  • Failover
    • PRIMARY
    • SECONDARY
    • AWS uses healthcheck to determine health
    • Must specify SetIdentifier
  • GeoLocation
  • HealthcheckId
    • RRSet returned only when healthy
  • Name
    • Fully Qualified Domain Name
  • Resource Records
    • Must match Type
    • Plural - hence "set"
      • e.g. 182.1.2.3, 182.1.2.4
  • SetIdentifier
    • Unique identifier to differentiate between RecordSets with the same (Name,Type) pair
  • Type
    • A | AAAA | CNAME | MX | NS | PTR | SOA | SPF | SRV | TXT | CAA
  • Weight
    • Among all RRSets with the same (Name,Type), the share of traffic to route to this one
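As an added example (not part of the original notes), the following Python builds a PRIMARY/SECONDARY failover pair of alias records and checks the constraints listed above before submitting them. It uses the boto3 change_resource_record_sets request shape, whose ResourceRecordSet keys mirror the Route53::RecordSet property names (AliasTarget, Failover, HealthCheckId, SetIdentifier, ResourceRecords, Weight, TTL). Every id and DNS name in it is a constructed placeholder, and the validation rules are the ones stated in these notes, not an exhaustive copy of what Route 53 enforces.

```python
"""Build and validate a Route 53 failover change batch (added example).

Identifiers and DNS names below are placeholders; substitute the hosted
zone id of your domain, the hosted zone id of your load balancers (an
AWS-owned zone), their DNS names and your health check id.
"""
import ipaddress
from typing import Any, Dict, List

HOSTED_ZONE_ID = "ZPLACEHOLDER0001"           # placeholder: your Route 53 hosted zone
ELB_HOSTED_ZONE_ID = "ZPLACEHOLDERELB1"       # placeholder: hosted zone id of the ELBs
PRIMARY_ELB_DNS = "primary-123.eu-west-1.elb.amazonaws.com."      # placeholder
SECONDARY_ELB_DNS = "secondary-456.eu-west-1.elb.amazonaws.com."  # placeholder
PRIMARY_HEALTH_CHECK_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


def values_match_type(rtype: str, values: List[str]) -> bool:
    """ResourceRecords must match Type: A needs IPv4 literals, AAAA needs IPv6.
    Other types are accepted as given; their syntax is not checked here."""
    if rtype not in ("A", "AAAA"):
        return True
    want = ipaddress.IPv4Address if rtype == "A" else ipaddress.IPv6Address
    try:
        return all(isinstance(ipaddress.ip_address(v), want) for v in values)
    except ValueError:           # e.g. "182.1.2.3.4" is not an address at all
        return False


def validate_record_set(rrset: Dict[str, Any]) -> List[str]:
    """Return the rule violations for one record set (empty list = acceptable)."""
    problems: List[str] = []
    is_alias = "AliasTarget" in rrset
    if is_alias:
        if "TTL" in rrset:
            problems.append("AliasTarget: do not specify TTL (Route 53 fixes it at 60s)")
        if "ResourceRecords" in rrset:
            problems.append("AliasTarget and ResourceRecords are mutually exclusive")
        if rrset.get("Type") not in ("A", "AAAA"):
            problems.append("alias record sets use Type A or AAAA")
    else:
        values = [r["Value"] for r in rrset.get("ResourceRecords", [])]
        if not values:
            problems.append("non-alias record sets need at least one ResourceRecords value")
        elif not values_match_type(rrset.get("Type", ""), values):
            problems.append("ResourceRecords values must match Type")
        if "TTL" not in rrset:
            problems.append("non-alias record sets need a TTL")
    if ("Failover" in rrset or "Weight" in rrset) and "SetIdentifier" not in rrset:
        problems.append("Failover and Weight require a SetIdentifier")
    if rrset.get("Failover", "PRIMARY") not in ("PRIMARY", "SECONDARY"):
        problems.append("Failover must be PRIMARY or SECONDARY")
    return problems


def failover_pair(name: str, health_check_id: str) -> List[Dict[str, Any]]:
    """PRIMARY alias guarded by a health check, SECONDARY alias as fallback.
    Both share (Name, Type), so each carries its own SetIdentifier."""
    def alias(dns_name: str) -> Dict[str, Any]:
        return {"HostedZoneId": ELB_HOSTED_ZONE_ID, "DNSName": dns_name,
                "EvaluateTargetHealth": True}
    primary = {"Name": name, "Type": "A", "SetIdentifier": "primary",
               "Failover": "PRIMARY", "HealthCheckId": health_check_id,
               "AliasTarget": alias(PRIMARY_ELB_DNS)}
    secondary = {"Name": name, "Type": "A", "SetIdentifier": "secondary",
                 "Failover": "SECONDARY", "AliasTarget": alias(SECONDARY_ELB_DNS)}
    return [primary, secondary]


def change_batch(rrsets: List[Dict[str, Any]], action: str = "UPSERT",
                 comment: str = "") -> Dict[str, Any]:
    """Wrap validated record sets in a ChangeBatch; reject the whole batch on any violation."""
    for rrset in rrsets:
        problems = validate_record_set(rrset)
        if problems:
            raise ValueError(f"{rrset.get('Name')}/{rrset.get('Type')}: " + "; ".join(problems))
    return {"Comment": comment,
            "Changes": [{"Action": action, "ResourceRecordSet": r} for r in rrsets]}


def apply_change(client, hosted_zone_id: str, batch: Dict[str, Any]) -> str:
    """Submit the batch and block until Route 53 reports the change INSYNC.
    `client` is a boto3 route53 client; the waiter polls GetChange for you."""
    resp = client.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    change_id = resp["ChangeInfo"]["Id"]
    client.get_waiter("resource_record_sets_changed").wait(Id=change_id)
    return change_id


if __name__ == "__main__":
    import boto3  # only needed for the live call
    batch = change_batch(failover_pair("www.example.com.", PRIMARY_HEALTH_CHECK_ID),
                         comment="failover pair")
    print(apply_change(boto3.client("route53"), HOSTED_ZONE_ID, batch))
```

The validator is deliberately run before the API call: Route 53 rejects a malformed batch as a whole, so catching a TTL on an alias set or a weighted set without a SetIdentifier locally keeps a failed deploy from leaving the zone half-changed.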

Alias Records
  • Route53 specific
  • DNS Record Types
    • A
    • AAAA
  • Can point to
    • ELB
    • ElasticBeanstalk environment
    • CloudFront
    • S3 bucket (static website hosting)
  • Cannot set TTL (60 seconds enforced)
  • Free (Intra-AWS-DNS-Queries)
  • Compared to CNAME
    • AWS does not charge for Alias requests
    • Can create alias for zone apex (e.g. "example.org")
    • Alias can point to limited number of resources 
    • "Alias" not visible in the DNS answer
      • You just get A records
    • Alias cannot point outside of Route53
    • Not followed by resolvers (they don't see it - just the final IP addresses)

Domains
  • TLD
    • generic (gTLD): .com, .net, .org
      • new: .casino, .academy
    • country-level (ccTLD) .de, .fr
  • NS migration
    • Route53: Create zone
    • Route53: setup all RR
    • Registrar (e.g. godaddy.com): setup NS (4) to point to Route53
  • Transfer
    • Initiate on the target (e.g. Route53)
    • Domain must be unlocked
    • Disable privacy protection
    • Obtain valid authorization code (authcode) from current registrar
  • Reselling by company "Gandi"

Name Servers
  • Each hosted zone is automatically assigned 4 name servers ("delegation set")
    • They belong to different stripes for availability
  • "Reusable delegation set" same set assigned to multiple hosted zones
    • Possible to whitelabel (e.g. ns.itsolutions.com)

TTL
  • Any value supported (including 0)
  • Recommended minimum 10 seconds
  • Low TTL = more queries
    • higher cost
    • good for failover
  • Alias has fixed TTL 60s (cannot be changed)

Private Hosted Zone
  • Associated with VPC 
    • Possibly multiple VPCs in different regions
  • Use cases
    • Split horizon DNS 
    • block domains from within VPC (e.g. specify facebook.com A 127.0.0.1)

Misc
  • Wildcard records (*.example.com) supported
  • DNSSEC
    • Supported for domain registration
    • Not supported for DNS service
  • "Change propagation" (60 seconds)
    • API returns INSYNC when completed
    • DNS caching (chain) is separate topic
  • Changes to any single server are transactional
  • Multiple hosted zones can be associated with the same domain
    • Each hosted zone gets its own set of name servers
    • ANSWER is different based on which set you query
  • Cannot associate SOA or NS records
  • DNS "Additional Section" - other information relevant to the query (but not part of ANSWER)
  • Limits
    • UDP - 512 bytes
      • 4096 bytes over UDP if the resolver supports EDNS0
  • DNS switches to TCP when response exceeds UDP max size
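To make the size limits and the TCP fallback concrete, here is an added example (not from the original notes) with a minimal DNS client and a constructed in-memory responder: the client sends an A query with or without an EDNS0 OPT record, the responder truncates (TC=1) any UDP reply that would exceed the advertised payload size, and the client retries over length-prefixed TCP when it sees TC set. The responder is a toy that omits the OPT echo a real server would return; no packets leave the machine.

```python
"""DNS UDP size limit, EDNS0 and TC fallback, demonstrated offline (added example)."""
import struct
from typing import List, Optional, Tuple

DNS_UDP_DEFAULT = 512   # classic UDP payload limit (RFC 1035)
EDNS0_UDP_SIZE = 4096   # payload size advertised in the OPT record
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Offset just past an uncompressed name that starts at pos."""
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1


def build_query(name: str, edns_udp_size: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Standard A query with RD=1; appends an EDNS0 OPT pseudo-RR when a size is given."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_udp_size:
        # OPT RR (RFC 6891): owner ".", TYPE 41, CLASS = requester's UDP payload
        # size, the 32-bit TTL field = extended RCODE/version/flags, RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query: bytes) -> int:
    """UDP payload the requester accepts: the OPT CLASS field if present, else 512."""
    if parse_header(query)["arcount"] == 0:
        return DNS_UDP_DEFAULT
    pos = skip_name(query, 12) + 4                      # past QNAME, QTYPE, QCLASS
    _owner, rtype, size = struct.unpack("!BHH", query[pos:pos + 5])
    return size if rtype == TYPE_OPT else DNS_UDP_DEFAULT


def toy_server(query: bytes, answers: List[str], transport: str) -> bytes:
    """Constructed responder: one A record (TTL 60) per IPv4 string in `answers`.
    Over UDP it returns a truncated reply (TC=1, no answers) when the full reply
    would exceed the requester's advertised size; over TCP it always answers in full."""
    hdr = parse_header(query)
    question = query[12:skip_name(query, 12) + 4]
    rrs = b"".join(
        b"\xc0\x0c"                                     # compression pointer to QNAME at offset 12
        + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
        + bytes(int(o) for o in ip.split("."))
        for ip in answers)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(answers), 0, 0) + question + rrs
    if transport == "udp" and len(full) > advertised_udp_size(query):
        return struct.pack("!HHHHHH", hdr["id"], flags | FLAG_TC, 1, 0, 0, 0) + question
    return full


def parse_a_records(reply: bytes) -> List[str]:
    """IPv4 strings from the answer section (owner names assumed to be 2-byte pointers)."""
    hdr = parse_header(reply)
    pos = skip_name(reply, 12) + 4
    ips: List[str] = []
    for _ in range(hdr["ancount"]):
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos + 2:pos + 12])
        rdata = reply[pos + 12:pos + 12 + rdlen]
        if rtype == TYPE_A:
            ips.append(".".join(str(b) for b in rdata))
        pos += 12 + rdlen
    return ips


def resolve(name: str, answers: List[str],
            edns_udp_size: Optional[int] = None) -> Tuple[List[str], str]:
    """Query over UDP first; on TC=1 retry over TCP (2-byte length prefix on the wire).
    Returns (IPv4 answers, transport that delivered them)."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    reply, transport = toy_server(query, answers, "udp"), "udp"
    if parse_header(reply)["tc"]:
        stream = toy_server(query, answers, "tcp")
        framed = struct.pack("!H", len(stream)) + stream  # TCP framing as on the wire
        length = struct.unpack("!H", framed[:2])[0]
        reply, transport = framed[2:2 + length], "tcp"
    return parse_a_records(reply), transport
```

Forty A records for example.com produce a 669-byte reply, so a plain query is truncated and completes over TCP, while the same query with a 4096-byte OPT record is answered in one UDP datagram. The same size arithmetic is why responses that are large relative to a small query matter for amplification exposure: limiting what an open resolver will answer over UDP is a mitigation, and TC=1 is the signal that forces the client back onto TCP.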

Autonaming API
  • Simplifies registering microservices with DNS
  • Use case
    • Modifying records on scale out/in
