Consolidating DNS with Amazon Toute 53 - Pop-up Loft Tel Aviv
•
0 gostou•1,077 visualizações
In this session, we show you how to use Amazon Route 53 to consolidate your DNS data and manage it centrally. Learn how to use Amazon Route 53 for public DNS and for private DNS in VPC, and also learn how to combine Amazon Route 53 private DNS with your own DNS infrastructure.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a Consolidating DNS with Amazon Toute 53 - Pop-up Loft Tel Aviv
Semelhante a Consolidating DNS with Amazon Toute 53 - Pop-up Loft Tel Aviv (20)
Mais de Amazon Web Services
Mais de Amazon Web Services (20)
Último
Último (20)
Consolidating DNS with Amazon Toute 53 - Pop-up Loft Tel Aviv
- 1. Consolidating DNS with Amazon Route 53 Steve Seymour Specialist Solutions Architect
- 2. Agenda • Why should I do this? Why is now the right time? • Cost • Simplicity • Single view • API management • Basic DNS use cases • Advanced private DNS
- 3. example.com Third-party monitoring System monitoring Internal DNS Public DNS Route 53 public zones Route 53 private zones Route 53 health checks example.com
- 4. Basic DNS use cases
- 5. Bulk transfer domains 1. Export DNS to Route 53 2. Delegate to Route 53 3. Transfer domains to Route 53 Order matters for availability!
- 6. Export DNS Highly dependent on your existing DNS provider. Two examples: • GoDaddy • “DNS Zone File” tab with an “Export (UNIX)” format • BIND • Typically in /var/named/chroot/var/named • Use cli53 to import • https://github.com/barnybug/cli53
- 7. Export DNS # assuming we have files in the format [domain].zone, we can do this: #!/bin/sh for zonefile in *.zone; do domain=$(basename "$zonefile" .zone) cli53 create ${domain} --comment 'bulk' cli53 import ${domain} --file ${zonefile} done
- 8. Delegate to Route 53 • This step is registrar dependent. • Namecheap example: • https://api.namecheap.com/xml.response? ApiUser=<example>& ApiKey=<key>& UserName=<user>& Command=namecheap.domains.dns.setCustom& ClientIp=192.168.1.109& SLD=domain& TLD=com& NameServers= ns-425.awsdns-53.com,ns-793.awsdns- 35.net,ns-1049.awsdns-03.org,ns-1692.awsdns-19.co.uk
- 9. Delegate to Route 53 • Check that you’re actually delegated (dig +trace) $ dig +trace awsarchitectureblog.com … . 505108 IN NS k.root-servers.net. … com. 172800 IN NS … awsarchitectureblog.com. 172800 IN NS ns-425.awsdns-53.com. awsarchitectureblog.com.172800 IN NS ns-793.awsdns-35.net. awsarchitectureblog.com. 172800 IN NS ns-1049.awsdns-03.org. awsarchitectureblog.com. 172800 IN NS ns-1692.awsdns-19.co.uk. • Wait for TTLs to expire
- 10. Transfer domains • Also registrar dependent,but you will want to unlock your domains and obtain authorization codes. • Namecheap example: • Unlock: https://api.namecheap.com/xml.response? ApiUser=<example>& ApiKey=<key>& UserName=<user>& Command=namecheap.domains.setRegistrarLock& ClientIp=192.168.1.109& DomainName=example.com& LockAction=unlock • Obtain authorization codes (depends on the registrar; GoDaddy has a bulk download option)
- 11. Transfer domains #/usr/bin/ruby require 'csv' require 'aws-sdk-core' route53domains = Aws::Route53Domains::Client.new(region: 'us-east-1') CSV.foreach("authcodes.csv") do |row| route53domains.transfer_domain(... end
- 12. Third-party monitoring System monitoring Internal DNS Route 53 public zones example.com
- 13. Take advantage of AWS integration • ALIAS • Health checks and DNS failover • Calculated health checks • Latency measurements
- 14. Internal DNS Route 53 public zones Route 53 health checks example.com
- 15. Set up private DNS $ cli53 import example.integ --file example.integ.zone
- 16. Route 53 public zones Route 53 private zones Route 53 health checks example.com
- 18. Using in-VPC resolver • What we can’t do with the gateway+2 (e.g. 10.0.0.2) • Private DNS combines the resolver and authority – this means you can’t treat it as an authoritative server • Delegation back via NS records doesn’t work
- 19. On-premises to cloud Resolver Route 53 Authority +2 Resolver Q 1 2 34 5 6
- 20. On-premises to cloud Resolver Route 53 Authority +2 Resolver Q 1 2 45 7 8 Forwarder 3 6
- 21. Setup unbound as the forwarder $ sudo apt-get install unbound /etc/unbound/unbound.conf: server: ... interface: 0.0.0.0 interface: ::0 access-control: 0.0.0.0/0 allow ... $ sudo unbound-control reload
- 22. Setup unbound as the forwarder forward-zone: name: "." forward-addr: 10.0.0.2
- 23. AWS Directory Service as the forwarder • Fully managed on your behalf • If you want to utilize Active Directory in your VPC, you also get to take advantage of that as well
- 24. Set up Active Directory
- 25. Set up Active Directory
- 26. Example $ cat /etc/resolv.conf ; generated by /sbin/dhclient-script search ad.cloud.zen nameserver 10.0.1.114 nameserver 10.0.2.135
- 27. Example
- 28. Example $ dig TXT example.cloud.zen ;; QUESTION SECTION: ;example.cloud.zen. IN TXT ;; ANSWER SECTION: example.cloud.zen. 60 IN TXT "hello world" ;; Query time: 4 msec ;; SERVER: 10.0.1.114#53(10.0.1.114)
- 29. Active Directory and Route 53 Private DNS • Manage all non-AD names in Private DNS (because it will fall through) • API endpoint in Route 53 • Zones can cross regions with private DNS
- 31. BIND configuration options { ... forwarders { 10.0.1.114; 10.0.2.135; }; forward only; # depending on your configuration }; zone ”cloud.zen" { type forward; forwarders { 10.0.1.114; 10.0.2.135; }; };
- 32. Unbound configuration forward-zone: name: "." forward-addr: 10.0.1.114 forward-addr: 10.0.2.135 forward-zone: name: ”cloud.zen" forward-addr: 10.0.1.114 forward-addr: 10.0.0.135
- 33. Flatten your zones instead of subdelegating Resolver cloud.zen +2 Resolver Q Forwarder sub.cloud.zen
- 34. Flatten your zones instead of subdelegating Resolver cloud.zen +2 Resolver Q Forwarder sub.cloud.zen
- 35. On-premises contains data not in private DNS • Loop the query through on-premises • Copy the data into private DNS • Setup conditional forwarding in Active Directory
- 36. Queries from on-premises will see the data Resolver Route 53 Authority +2 Resolver Q 1 2 45 7 8 Forwarder 3 6
- 37. Loop the query through on-premises for VPC Resolver Route 53 Authority +2 Resolver Q 1 2 45 7 8 Forwarder 3 6
- 38. Copy the data into private DNS https://code.google.com/p/route53d/ • or cli53 or [hostedzone] # # Enumerate the zone IDs for each hosted zone, e.g.: # [hostedzone] # foo.com = Z123 # baz.org = Z456
- 39. Copy the data into private DNS Resolver Route 53 Authority +2 Resolver Q 1 23 Forwarder 4
- 40. Summary • Consolidating your DNS infrastructure in the cloud is easy and simplifies management • There are a number of ways to combine private DNS with an on-premises or existing DNS solution • We’re aware of the limitations of the gateway+2 and are working toward resolving those limitations
- 41. Useful posts – blogs.aws.amazon.com/security … with Simple AD amzn.to/1XJQ4Ht ... with Microsoft AD amzn.to/1p7o8C8
- 42. Steve Seymour Specialist Solutions Architect seymours@amazon.co.uk @sseymour