Multi-domain DNS configuration with Route53

amazon ec2amazon-route53amazon-web-servicesdomain-name-system

I am configuring a few domain names in Route53 and am looking for some advice on best practices for setting things up. Here is the scenario:

Let's say domain1.com is my master corporate domain, and I also have domain2.com and domain3.com.

Suppose I have two Amazon EC2 instances defined as a web and database server, with elastic IPs of 11.11.11.11 and 22.22.22.22 respectively, and I want to address them externally as:

 prod-web01.domain1.com
 prod-db01.domain1.com

Let's further suppose that the website for domain1.com is hosted on one of the above instances, which means that I must set an A record for domain1.com (right?) to the elastic IP of the web instance. So I create record sets in Route53 like:

 domain1.com.                A         11.11.11.11
 prod-web01.domain1.com.     A         11.11.11.11
 prod-db02.domain1.com.      A         22.22.22.22
 www.domain1.com.            CNAME     prod-web01.domain1.com

Now, both domain2.com and domain3.com are also hosted on that web01 instance above, so I create record sets for them like:

 domain2.com.                A         11.11.11.11
 www.domain2.com.            CNAME     prod-web01.domain1.com.

and

 domain3.com.                A         11.11.11.11
 www.domain3.com.            CNAME     prod-web01.domain1.com.

This all works just fine, but it is not as elegant as I was hoping for. I am wondering if there is some way to set up this type of configuration in which there are fewer records pointing to direct IP addresses.

My understanding is that I can't use a CNAME record for the root of a domain (right?), so is there some other way to set things so that I only have one "hard" reference to each IP in my DNS infrastructure?

If not, does this seem like a smart setup? Or a dumb one? Feel free to tell me I'm dumb. 🙂

Best Answer

First things first, if you only have two instances (one web and one DB), you're doing it wrong. You should be setting up an elastic load balancer with a minimum of two application server instances behind it. Instances can (and do) fail from time-to-time. And you really should be using RDS for your persistent data store.

My understanding is that I can't use a CNAME record for the root of a domain (right?)

You can, but it will frequently break stuff (esp email) in unexpected ways and shouldn't be done. This how I would do things:

 domain1.com.                A         11.11.11.11
 prod-web01.domain1.com.     A         11.11.11.11
 prod-db02.domain1.com.      A         22.22.22.22
 www.domain1.com.            CNAME     prod-web01.domain1.com

 domain2.com.                A         11.11.11.11
 www.domain2.com.            CNAME     domain2.com.

 domain3.com.                A         11.11.11.11
 www.domain3.com.            CNAME     domain3.com.

Related Solutions

Whitelabel DNS with Amazon Route53

I have done this, please read my article before you actually do this here:

http://neonos.net/white-labeled-dns-name-servers-on-amazon-route-53-with-delegation-sets/

The functionality has been programmed by Amazon in Nov 2014, however it has not been implemented in the web based console, hopefully they will do this soon. There is also no documentation or any articles that I could find on this topic. But I was able to do this by using AWS CLI Client, as follows:

Create your delegation set using the CLI client:

aws route53 create-reusable-delegation-set  --caller-reference MyDelegationSet

This will return something such as:

{
    "Location": "https://route53.amazonaws.com/2015-01-01/delegationset/xxx",
    "DelegationSet": {
        "NameServers": [
            "ns-xxx.awsdns-xx.com",
            "ns-xxx.awsdns-xx.co.uk",
            "ns-xxx.awsdns-xx.org",
            "ns-xxx.awsdns-xx.net"
        ],
        "CallerReference": "MyDelegationSet",
        "Id": "/delegationset/XXXXXXXXXX"
    }
}

Once you have created the reusable delegation set, you will need to create the hosted zone using the CLI client which will allow you to associate the new zone with the delegation set created above.

aws route53  create-hosted-zone --delegation-set-id /delegationset/XXXXXXXX --name mydomain.tld --caller-reference UNIQUEREFERENCEID

Using the list of name servers found in the output, ping each server to obtain the IP address. Use the IP addresses to create the glue records in the parent zone (using A records). I recommend shorter TTLs in case Amazon informs of IP changes to dns zones. I called mine route531.mydomain.com, route532... etc.

Now update your domain nameservers at the registrar, then update your Route53 to include those nameservers as Authoritative nameservers as well.

More Info:

Amazon claims that this can be done to white label these nameservers without any further reference.

"This feature also makes it possible for you to create “white label” name server addresses such as ns1.example.com, ns2.example.com, etc., which you can point to your Route 53 name servers. You can then use your "white label" name server addresses as the authoritative name servers for as many of your domain names as desired." --SeanM@AWS

https://forums.aws.amazon.com/ann.jspa?annID=2733

The problem is that Amazon also says that they can not guarantee the IP's of the nameservers not changing.

https://forums.aws.amazon.com/thread.jspa?messageID=474708

"We do promise that the DNS names of your Route 53 nameservers will not change, but we can't make the same guarantee about their IP addresses. If they were to change in the future, your DNS could silently break if you used them in this unsupported way." -- DavidR@AWS Jan 25, 2011

Before you freak out this might help you feel better:

Some registrars only allow you to specify name servers using IP addresses; they don't allow you to specify fully qualified domain names. If your registrar requires using IP addresses, you can get the IP addresses for your name servers using the dig utility (for Mac, Unix, or Linux) or the nslookup utility (for Windows). We rarely change the IP addresses of name servers; if we need to change IP addresses, we'll notify you in advance. http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html

Keep in mind it is a bad idea to create CNAME records with your own domain for each of the nameservers, even though this in theory would solve the change of IP issue it is a bad idea:

NS records pointing to a CNAME is bad and may conflict badly with current BIND servers. In fact, current BIND implementations will ignore such records, possibly leading to a lame delegation. There is a certain amount of security checking done in BIND to prevent spoofing DNS NS records. Also, older BIND servers reportedly will get caught in an infinite query loop trying to figure out the address for the aliased nameserver, causing a continuous stream of DNS requests to be sent. --RFC1912

http://www.faqs.org/rfcs/rfc1912.html

Best Answer

Related Solutions

Whitelabel DNS with Amazon Route53

Related Topic