DNS: Scalability and High Availability on AWS

Explaining the basics of DNS and AWS Route 53

Pierre GOUDJO

December 30, 2021

Transcript

  1. DNS Resolver
     • DNS server often managed by an ISP
     • Also called a recursive name server
     • Acts as an intermediary between user requests and DNS name servers
     • Sends requests to a sequence of DNS servers until it gets the response
  2. Root Server
     • Responds by directing the resolver to a TLD nameserver
     • Overseen by ICANN
     • 13 DNS root nameserver addresses known by every recursive resolver
     • Multiple copies of each one, with Anycast routing to reach the closest copy
     • 632 different servers (as of October 2016)
  3. TLD nameserver
     • Maintains information for all the domains sharing a common domain extension (e.g. .com, .net …)
     • Responds by pointing the resolver to an authoritative nameserver
     • 2 groups
     • Generic TLD: .com, .org, .net, .edu, .gov
     • Country code TLD: .uk, .fr, .us, .ru
  4. Authoritative nameserver
     • Name server that has the definitive information about one part of the Domain Name System
     • For example, if it receives a request for www.example.com it returns the IP address 192.0.0.2.33
  5–13. DNS lookup steps
     1. User types example.com into a browser and the query travels into the internet and is received by a DNS recursive resolver
     2. The resolver queries the DNS root nameserver (.)
     3. The root server responds to the resolver with a TLD DNS domain server which stores information for its domains
     4. The resolver makes a request to the TLD server
     5. The TLD server responds with the domain's nameserver
     6. The recursive resolver sends a query to the domain's nameserver
     7. The IP address of example.com is then returned to the resolver
     8. The DNS resolver responds to the browser with the IP address initially requested
     9. The browser makes the HTTP request to the IP address
     10. The server at this IP address returns the webpage to be rendered
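The ten steps above, as an added example that is not part of the deck: a toy recursive resolver that walks root → TLD → authoritative nameserver over constructed in-memory servers (the server names "root", "com-tld" and "ns1.example.com." and the zone contents are made up here), caches the answer so the second lookup never leaves the resolver, and gives up after a fixed number of referrals so a misconfigured delegation loop cannot spin forever. The answer for example.com reuses the A record printed later in the deck.

```python
"""Toy walk through the iterative DNS lookup shown on the 'DNS lookup steps' slides.

Added illustration, not code from the deck: the root, TLD and authoritative
servers are constructed dictionaries, not real servers.
"""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """One DNS server: answers authoritatively or refers the resolver onward."""
    name: str
    # Authoritative data: (owner name, record type) -> list of rdata strings.
    answers: dict = field(default_factory=dict)
    # Delegations: zone name -> name of the server authoritative for that zone.
    referrals: dict = field(default_factory=dict)

    def query(self, qname, qtype):
        """Return ('answer', rdata), ('referral', server_name) or ('nxdomain', None)."""
        if (qname, qtype) in self.answers:
            return "answer", list(self.answers[(qname, qtype)])
        # The longest matching delegation is the one closest to the answer.
        matches = [z for z in self.referrals if qname == z or qname.endswith("." + z)]
        if matches:
            return "referral", self.referrals[max(matches, key=len)]
        return "nxdomain", None


class RecursiveResolver:
    """The ISP-style resolver of slide 1: walks root -> TLD -> authoritative and caches."""

    def __init__(self, servers, root_hints):
        self.servers = {s.name: s for s in servers}
        self.root_hints = root_hints  # hard-coded root server names (13 in real life)
        self.cache = {}

    def resolve(self, qname, qtype="A", max_hops=8):
        """Return (rdata_or_None, trail); trail lists the servers consulted in order."""
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        trail = []
        current = self.root_hints[0]
        for _ in range(max_hops):
            trail.append(current)
            kind, data = self.servers[current].query(qname, qtype)
            if kind == "answer":
                self.cache[key] = data
                return data, trail
            if kind == "nxdomain":
                return None, trail
            current = data  # follow the referral to the next server
        # Without a hop limit a looping delegation would keep the resolver busy forever.
        raise RuntimeError(f"gave up after {max_hops} referrals for {qname}")


# Constructed topology for steps 2-7 of the slides.
ROOT = NameServer("root", referrals={"com.": "com-tld"})
TLD_COM = NameServer("com-tld", referrals={"example.com.": "ns1.example.com."})
AUTH = NameServer("ns1.example.com.", answers={("example.com.", "A"): ["182.71.233.70"]})


def demo():
    """Full walk, cached repeat, and a name the authoritative server does not know."""
    resolver = RecursiveResolver([ROOT, TLD_COM, AUTH], root_hints=[ROOT.name])
    first = resolver.resolve("example.com.")
    second = resolver.resolve("example.com.")
    missing = resolver.resolve("nope.example.com.")
    return first, second, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The trail returned with each answer is the part worth watching: the first lookup touches all three servers, the repeat is answered from the resolver's cache, and a name the authoritative server does not hold still costs the full walk before the negative result comes back.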
  14. A record
     • DNS record that points to an IPv4 address
     example.com. 12127 IN A 182.71.233.70
  15. AAAA record
     • DNS record that points to an IPv6 address
     example.com. 12127 IN AAAA 2400:cb00:2049:1::adf5:3bf5
  16. MX record
     • Identifies the servers mail should be delivered to for a domain
     example.com. 12127 IN MX 0 example.com.
  17–22. SOA record
     • This record stores important information about the DNS zone
     example.com. 86321 IN SOA ns1.example.in. magesh.maruthamuthu.gmail.com. 2013110202 86400 7200 3600000 86400
     • 86321: TTL
     • ns1.example.in.: primary nameserver
     • magesh.maruthamuthu.gmail.com.: administrator's email
     • 2013110202: zone file serial number
     • 86400: refresh time interval
     • 7200: retry after failed refresh interval
     • 3600000: expire interval (how long a secondary keeps serving the zone once refreshes keep failing)
     • 86400: negative result TTL
  23–24. TXT record
     • Holds free-form text for a domain; commonly used to publish mail policies such as SPF and DMARC
     example.com. 12127 IN TXT "This domain name is reserved for use in documentation"
     example.com. 12127 IN TXT "v=spf1 ip4:182.71.233.70 +a +mx +ip4:49.50.66.31 ?all"
     example.com. 12127 IN TXT "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];"
  25. NS record
     • This record is used to delegate a sub zone to a set of nameservers
     sub.domain.tld. 12127 IN NS ns.sub.domain.tld.
  26. CNAME record
     • This record maps one domain name to another
     bar.example.com. CNAME foo.example.com.
  27. CNAME record restrictions
     • Must always point to another domain name, not an IP
     • Cannot coexist with another record for the same name. It's not possible to have both a CNAME and a TXT record for www.example.com
     • Cannot be used at the apex of a zone. E.g. cannot do:
     yourdomain.com. CNAME some-id.ec2.amazonaws.com.
  28. ALIAS/ANAME record
     • Non-standard record type to alias a domain to another. Can be used at the apex of the zone
     yourdomain.com. ALIAS some-id.ec2.amazonaws.com.
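Slides 14 through 28 together describe a zone file and the one rule set a zone must obey (CNAMEs cannot sit at the apex or share a name with other records). The following added example, which is not code from the deck, parses the record lines printed on the slides into structured data, names the SOA timer fields and decodes the SPF and DMARC TXT dialects, then checks a zone against the slide 27 restrictions. The NS line is re-homed under example.com so every record belongs to one zone, the DMARC report address is a constructed dmarc@example.com, and ALIAS is handled as the non-standard type slide 28 describes.

```python
"""Parse the resource records shown on the slides and check the CNAME rules.

Added illustration, not code from the deck. SLIDE_RECORDS are the lines printed
on the slides (NS line re-homed under example.com, DMARC mailbox constructed).
"""
import shlex
from dataclasses import dataclass
from typing import Optional

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
SINGLE_TARGET = {"A", "AAAA", "NS", "CNAME", "ALIAS"}


@dataclass
class RR:
    name: str
    ttl: Optional[int]
    rtype: str
    rdata: dict


def parse_txt(text):
    """Decode the SPF (space separated) and DMARC (semicolon separated) TXT dialects."""
    if text.startswith("v=spf1"):
        return {"v": "spf1", "terms": text.split()[1:]}
    if text.startswith("v=DMARC1"):
        pairs = (item.strip().split("=", 1) for item in text.split(";") if "=" in item)
        return {k: v for k, v in pairs}
    return None


def parse_rr(line):
    """Parse 'owner [ttl] [IN] TYPE rdata...' as written in a zone file."""
    tokens = shlex.split(line)  # shlex keeps quoted TXT strings as one token
    name = tokens.pop(0)
    ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
    if tokens and tokens[0].upper() == "IN":
        tokens.pop(0)
    rtype = tokens.pop(0).upper()
    if rtype in SINGLE_TARGET:
        rdata = {"target": tokens[0]}
    elif rtype == "MX":
        rdata = {"preference": int(tokens[0]), "exchange": tokens[1]}
    elif rtype == "SOA":
        rdata = dict(zip(SOA_FIELDS, tokens[:2] + [int(t) for t in tokens[2:7]]))
        # RNAME is a mailbox whose first dot stands for '@'; an unescaped dot in the
        # local part (as on the slide) therefore moves the split point.
        local, _, domain = rdata["rname"].rstrip(".").partition(".")
        rdata["admin_email"] = f"{local}@{domain}"
    elif rtype == "TXT":
        rdata = {"text": " ".join(tokens), "tags": parse_txt(tokens[0])}
    else:
        raise ValueError(f"unsupported record type {rtype}")
    return RR(name, ttl, rtype, rdata)


def cname_problems(records, apex):
    """Apply slide 27: no CNAME at the zone apex, no other type beside a CNAME."""
    types_by_name = {}
    for rr in records:
        types_by_name.setdefault(rr.name, set()).add(rr.rtype)
    problems = []
    for name, types in sorted(types_by_name.items()):
        if "CNAME" not in types:
            continue
        if name == apex:
            problems.append(f"{name}: CNAME at zone apex")
        others = sorted(types - {"CNAME"})
        if others:
            problems.append(f"{name}: CNAME coexists with {', '.join(others)}")
    return problems


SLIDE_RECORDS = [
    "example.com. 12127 IN A 182.71.233.70",
    "example.com. 12127 IN AAAA 2400:cb00:2049:1::adf5:3bf5",
    "example.com. 12127 IN MX 0 example.com.",
    "example.com. 86321 IN SOA ns1.example.in. magesh.maruthamuthu.gmail.com. 2013110202 86400 7200 3600000 86400",
    'example.com. 12127 IN TXT "v=spf1 ip4:182.71.233.70 +a +mx +ip4:49.50.66.31 ?all"',
    'example.com. 12127 IN TXT "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarc@example.com;"',
    "sub.example.com. 12127 IN NS ns.sub.example.com.",  # constructed: slide's NS line re-homed
    "bar.example.com. CNAME foo.example.com.",
    "example.com. ALIAS some-id.ec2.amazonaws.com.",  # ALIAS at the apex is what slide 28 allows
]

# Constructed zone that breaks both CNAME rules from slide 27.
BAD_RECORDS = SLIDE_RECORDS + [
    "example.com. CNAME some-id.ec2.amazonaws.com.",
    'bar.example.com. 300 IN TXT "coexists with a CNAME"',
]


def check_zone(lines, apex="example.com."):
    """Parse every line and report the CNAME rule violations for the zone."""
    return cname_problems([parse_rr(line) for line in lines], apex)


if __name__ == "__main__":
    print(parse_rr(SLIDE_RECORDS[3]).rdata)
    print(check_zone(SLIDE_RECORDS), check_zone(BAD_RECORDS))
```

Two details the parser surfaces that the slide cannot: the SOA RNAME on the slide decodes to magesh@maruthamuthu.gmail.com under the zone-file convention, because a literal dot in the mailbox's local part has to be escaped, and the ALIAS line at the apex passes the check while the equivalent CNAME at the apex is rejected.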
  29. Routing policies
     • Simple routing policy: route traffic to a single resource
     • Failover routing policy: configure active-passive failover
     • Geolocation routing policy: route to resources based on user location
     • Geoproximity routing policy: route to resources based on your resources' location
     • Latency routing policy: route traffic to the region that provides the best latency
     • Multivalue answer routing policy: route to records selected at random from a pool
     • Weighted routing policy: route traffic to multiple resources in specified proportions
  30. Public hosted zones
     • 4 nameservers assigned to the hosted zone
     • Possible to create a reusable delegation set
     • All routing policies supported
  31. Private hosted zones
     • Supported routing policies: no latency-based routing, no geolocation-based routing, no geoproximity-based routing
     • Limited to VPCs
     • Can be associated with multiple VPCs (300 max)
  32. Types of health checks
     • Endpoint monitoring health checks
     • Calculated health checks
     • CloudWatch health checks
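How the routing policies of slide 29 and the health checks of slide 32 interact is what makes Route 53 useful for availability, so here is an added model of that interaction. It is not Route 53 code or its API: the record sets, the endpoint check states and the resolver-side selection are constructed in memory. It covers the failover, weighted and multivalue answer policies and a calculated health check (healthy when at least a threshold of child checks are healthy). The fallback rules (a record without a health check counts as healthy; a weighted group in which every record is unhealthy answers as if all were healthy; zero weights across the board mean equal chance) follow my reading of the Route 53 documentation and are assumptions of this model, as is leaving out what failover does when both records are down.

```python
"""Model of Route 53 routing policies with health checks (slides 29 and 32).

Added illustration, not Route 53 code: record sets, health-check states and the
selection logic are constructed here. Fallback behaviour is an assumption.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecordSet:
    set_id: str
    value: str                       # the IP returned to the resolver
    weight: int = 0                  # weighted policy
    failover: Optional[str] = None   # "PRIMARY" / "SECONDARY"
    health_check: Optional[str] = None


class HealthChecks:
    """Endpoint checks are observed states; calculated checks combine child checks."""

    def __init__(self, endpoint_status, calculated=None):
        self.endpoint_status = endpoint_status   # check id -> True/False
        self.calculated = calculated or {}       # check id -> (threshold, [child ids])

    def is_healthy(self, check_id):
        if check_id is None:  # no check attached: treated as healthy (assumed rule)
            return True
        if check_id in self.calculated:
            threshold, children = self.calculated[check_id]
            return sum(self.is_healthy(c) for c in children) >= threshold
        return self.endpoint_status.get(check_id, False)


def failover_answer(records, checks):
    """Active-passive: the PRIMARY while healthy, otherwise the SECONDARY.
    What happens when both are unhealthy is left out of this model."""
    primary = next(r for r in records if r.failover == "PRIMARY")
    secondary = next(r for r in records if r.failover == "SECONDARY")
    return primary if checks.is_healthy(primary.health_check) else secondary


def weighted_answer(records, checks, rng):
    """Pick one record with probability proportional to weight among healthy records."""
    healthy = [r for r in records if checks.is_healthy(r.health_check)]
    pool = healthy or list(records)   # assumed: all unhealthy -> answer as if all healthy
    weights = [r.weight for r in pool]
    if sum(weights) == 0:             # assumed: all weights zero -> equal chance each
        weights = [1] * len(pool)
    return rng.choices(pool, weights=weights, k=1)[0]


def multivalue_answer(records, checks, limit=8):
    """Return up to `limit` healthy records so the client can choose among them."""
    return [r for r in records if checks.is_healthy(r.health_check)][:limit]


# Constructed fleet: three web servers, each behind its own endpoint check.
WEB_A = RecordSet("web-a", "192.0.2.10", weight=3, failover="PRIMARY", health_check="hc-a")
WEB_B = RecordSet("web-b", "192.0.2.20", weight=1, failover="SECONDARY", health_check="hc-b")
WEB_C = RecordSet("web-c", "192.0.2.30", weight=0, health_check="hc-c")


def demo(status):
    """Run every policy against one set of observed endpoint states."""
    # Calculated check: the region counts as healthy when at least 2 of 3 servers are.
    checks = HealthChecks(status, calculated={"hc-region": (2, ["hc-a", "hc-b", "hc-c"])})
    rng = random.Random(53)           # fixed seed so the weighted split is reproducible
    draws = [weighted_answer([WEB_A, WEB_B, WEB_C], checks, rng).set_id for _ in range(4000)]
    return {
        "region_healthy": checks.is_healthy("hc-region"),
        "failover": failover_answer([WEB_A, WEB_B], checks).set_id,
        "multivalue": [r.set_id for r in multivalue_answer([WEB_A, WEB_B, WEB_C], checks)],
        "weighted_counts": {sid: draws.count(sid) for sid in ("web-a", "web-b", "web-c")},
    }


if __name__ == "__main__":
    print(demo({"hc-a": True, "hc-b": True, "hc-c": True}))
    print(demo({"hc-a": False, "hc-b": True, "hc-c": False}))
```

Run with all three checks healthy, the weighted split lands near 3:1 between web-a and web-b and web-c (weight 0) is never returned; take web-a and web-c down and every policy reacts differently: failover swings to web-b, multivalue shrinks to the one healthy record, the weighted group collapses onto web-b, and the calculated check flips the region unhealthy because only one of three children is up.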