Route53 Flashcards
Steps after you register a domain name
- Name servers are assigned
- The TLD updates the key-value pair for your domain: domain.com -> name server list
- DNS resolvers propagate info in 2
- When queries are made for your domain, DNS returns the name server list
- Name servers contain all the information about your domain, such as the IP for your domain. DNS itself is not the place where IP information is stored; the name server is.
What happens when you create a private DNS in VPC A? How does its resolvability differ between VPC A and VPC B?
Private hosted zones allow you to create a private DNS that resolves only within the VPC you created it in. The use case is to allow services to talk to each other without specifying IPs.
What is the role of Route53 in DNS resolution?
If you created a Route53 hosted zone, then Route53 will be the NS server that the TLDs resolve to.
How is DNSSEC done in Route53? Not the steps in the UI, but conceptually how does DNSSEC work in Route53?
Route53 creates a Delegation Signer (DS) record and a hash of the DNS records (RRSIG). The DS record gets sent to the TLD for this domain, and the RRSIG is stored in the DNS name server. When a DNS query comes in, the RRSIG and DNS records are returned to the TLD, which then verifies the RRSIG against the DS record. If verified, the response is sent back to the requester. This process prevents DNS spoofing.
Gateway endpoint vs interface endpoint
Gateway
- For S3 and DynamoDB from a private subnet
- Same region access only
- HA by default
- Secure access is done by changing the route tables in the subnet to talk to the gateway endpoint. No application layer changes required.
Interface
- For S3 and other public AWS services
- Not HA by default
- Implemented using AWS PrivateLink; service interfaces are injected into your VPC
- Used for providing secure access to services by communicating over PrivateLink.
- Secure access is provided by using another DNS name that resolves to the interface endpoint
How do you implement hybrid DNS? For example, how can an on-premises DNS and an AWS private DNS talk to each other without going through the public internet?
A DX or VPN connection between on-premises and AWS. For on-premises to AWS: on the AWS side, send traffic to inbound endpoints that resolve DNS queries at the Route53 Resolver. Similarly, for AWS to on-premises: send traffic to the Route53 Resolver, and if the DNS name points to on-premises, forward it to outbound endpoints, which use the established connection.
How is IPv6 handled in AWS?
The common pattern is to still use an IGW for IPv4. IPv6 can go through the same IGW, but if you want to limit the outside world's ability to talk to your IPv6 instances, use an egress-only IGW for the IPv6 traffic.
Main use case of Private DNS
For a VPC interface endpoint to resolve public AWS DNS names (s3.amazonaws.com) into private VPC IPs
Is gateway or interface endpoint more resilient by default?
Gateway is more resilient: it is automatically provisioned for all AZs in the VPC you choose. An interface endpoint is only provisioned into the AZ you choose.