AWS Route53 sandbox
DNS works on port 53, hence the name Route 53.
In a VPC, AWS reserves the network range +2 address for DNS server.
What are R53 resolvers?
Inbound endpoint
For queries from on-prem systems to resolve AWS hosted domains.
Outbound endpoint
For queries from AWS workloads for on-prem systems.
You can specify rules for directing queries through the inbound/outbound EPs.
Limit - 10,000 queries per second per IP address for an EP. For higher performance, use a DNS server configured on an EC2 instance. With EC2-based DNS, VPC peering is required.
- DNS-VPC primary Amazon DNS server (IP - VPC CIDR +2)
- Resolver Endpoints (EP) - Inbound, Outbound
- R53 Resolver EP rules
  - awscloud.private - on the inbound resolver EP, forwards queries for this domain to the DNS-VPC primary Amazon DNS server.
  - onprem.private - on the outbound resolver EP, forwards queries for this domain to the on-prem DNS server.
- R53 Resolver > Rules are shared to all the Org accounts using [[AWS Resource Access Manager]].
- Unique private hosted zone in each account, using a sub-domain of aws.private. Each zone should be associated with the shared rule from step 4.
- On-prem DNS server with conditional forwarders to forward AWS domain queries to the Inbound Resolver EP of the AWS DNS-VPC.
No VPC peering is necessary in this setup!
WARNING If using PrivateLink or EFS, make sure the rules are set up such that these service endpoints resolve locally in the same account and are not forwarded to the central DNS server. #todo expand on this with example
To associate a VPC with a hosted zone created in a different account, use the AWS CLI; this is not possible via the console.
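An added illustration of the warning above (not part of the original notes): a small model of how Route 53 Resolver picks the matching rule with the most specific domain, showing why a catch-all FORWARD rule to on-prem needs SYSTEM rules so that EFS, PrivateLink and private hosted zone names stay on the account's own Amazon DNS. The rule set, the on-prem IP 10.0.0.53 and the query names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ResolverRule:
    domain: str                  # domain the rule applies to; "." is the catch-all
    rule_type: str               # "FORWARD" (send to targets) or "SYSTEM" (use Amazon DNS)
    targets: list = field(default_factory=list)  # target DNS IPs for FORWARD rules

def _labels(domain: str) -> int:
    """Number of labels in a rule domain; the "." catch-all has none."""
    d = domain.rstrip(".").lower()
    return d.count(".") + 1 if d else 0

def matches(rule_domain: str, qname: str) -> bool:
    """True if qname equals rule_domain or lies beneath it."""
    q, d = qname.rstrip(".").lower(), rule_domain.rstrip(".").lower()
    return d == "" or q == d or q.endswith("." + d)

def select_rule(rules, qname):
    """Resolver applies the matching rule with the most specific domain."""
    candidates = [r for r in rules if matches(r.domain, qname)]
    return max(candidates, key=lambda r: _labels(r.domain)) if candidates else None

def resolve_path(rules, qname) -> str:
    """Where a query from a VPC associated with these rules is sent."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return "amazon-dns"      # VPC CIDR+2: private hosted zones, PrivateLink and EFS names
    return "forward:" + ",".join(rule.targets)

# Constructed rule set shared from the DNS-VPC; 10.0.0.53 is a made-up on-prem DNS IP.
RULES_CATCH_ALL = [
    ResolverRule("onprem.private", "FORWARD", ["10.0.0.53"]),
    ResolverRule(".", "FORWARD", ["10.0.0.53"]),   # everything else also goes on-prem
]
# Same set plus SYSTEM rules that keep AWS-local names on the account's own Amazon DNS.
RULES_WITH_LOCAL_EXCEPTIONS = RULES_CATCH_ALL + [
    ResolverRule("amazonaws.com", "SYSTEM"),       # EFS mount targets, VPC endpoint names
    ResolverRule("aws.private", "SYSTEM"),         # each account's private hosted zone
]

if __name__ == "__main__":
    efs_name = "fs-0123.efs.us-east-1.amazonaws.com"    # constructed EFS-style name
    print(resolve_path(RULES_CATCH_ALL, efs_name))              # forward:10.0.0.53 (breaks EFS)
    print(resolve_path(RULES_WITH_LOCAL_EXCEPTIONS, efs_name))  # amazon-dns
```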
Delegating responsibility for a subdomain
You cannot create NS records in a private hosted zone to delegate responsibility for a subdomain. #question
Routing Policies
Simple
Failover - for active-passive setups to failover to healthy resources
Geolocation - based on location of users
Geoproximity - based on location of resources
Latency - region specific records
IP-based
Multivalue answer - up to 8 random healthy records
Weighted - a similar effect is also possible by using weighted rules for load balancer listeners - use different target groups for different weights. In fact the ALB approach is preferred if there is also a need to maintain session stickiness.
Records
An alias record cannot point to a record in another hosted zone.
DNS failover active-active: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-types.html#dns-failover-types-active-active