What is Amazon Web Services DNS?
The Domain Name System (DNS) is a global infrastructure that translates human-readable hostnames into IP addresses. Organizations using Amazon Web Services (AWS) are running machines in the cloud, and need a mechanism to translate user requests into the correct Amazon IP address.
On the cloud, IP addresses can frequently change, as services move between physical machines and data centers. An AWS DNS solution must be able to adapt to these changes and propagate them quickly to DNS clients. Amazon’s official DNS solution is called Route 53.
What is Amazon Route 53?
Route 53 is a managed DNS service from Amazon Web Services, intended for managing DNS for machines and services deployed on Amazon’s public cloud. Route 53 connects user requests to infrastructure running on AWS, such as Amazon EC2 instances, ELB load balancers or Amazon S3 buckets.
Route 53 Key Features
- Traffic flow—routes end users to the endpoint that should provide the best user experience
- Latency-based routing—routes users to the AWS region that provides the lowest latency
- Geo DNS—routes users to an endpoint, depending on detected user geography
- Private DNS—for users of Amazon VPC, defines custom domain names without exposing DNS information publicly
- DNS failover—automatically redirects users to an alternative service in case of outage
- Health checks—monitors health and performance of applications
- Domain registration—AWS acts as a domain registrar, allowing you to search for available domain names and register them from the AWS console
- Weighted round-robin load balancing—spreads traffic across several endpoints by answering each query with one of the weighted records, in proportion to the weight you assign it
Route 53 Pricing
AWS charges several monthly rates depending on your usage:
- DNS zones—$0.50 per hosted DNS zone / month for the first 25 hosted zones, $0.10 for additional zones
- Policy records—$50 per DNS name (such as “www.example.com”) / month for names managed by a traffic flow policy
- Standard queries—$0.40 per million queries for the first billion queries / month, thereafter $0.20 per million queries
- Latency-based routing queries—$0.60 per million queries for the first billion queries / month, thereafter $0.30 per million queries
- Geo DNS queries—$0.70 per million queries for the first billion queries / month, thereafter $0.35 per million queries
- Health checks—first 50 AWS endpoints free, thereafter $0.5 / endpoint / month
- Domain registration—AWS provides a price sheet for domains across different TLDs
In April 2018, Russian hackers conducted a BGP hijacking attack against the Amazon Route 53 service: they announced routes for about 1,300 IP addresses belonging to Route 53’s name servers, so that queries for domains hosted on Route 53 were answered by attacker-controlled DNS servers. The victim was a cryptocurrency website—its users were redirected to a spoofed duplicate site, and about $160,000 in cryptocurrency was stolen.
Industry experts said that two controls could have kept users from landing on the fake site: DNSSEC, which lets a validating resolver reject forged answers for a signed zone (it helps only if the zone is signed and the client’s resolver validates), and HSTS (HTTP Strict Transport Security, a response header the web server sends so that browsers refuse plain HTTP for the site and do not let users click through certificate warnings). At the time of this writing, Route 53 does not support DNSSEC signing of its hosted zones, leaving the domains it serves potentially vulnerable to this kind of attack; HSTS is configured on the web server rather than in DNS, so it is available whatever DNS provider you use.
How Amazon’s DNS Service Works
When a user accesses a web server using Route 53 DNS, the following process occurs:
- A user accesses www.example.com, an address managed by Route 53, which leads to a machine on AWS.
- The request for www.example.com is routed to the user’s DNS resolver (typically managed by the ISP or local network), and is forwarded to a DNS root server.
- The DNS resolver forwards the request to the TLD name servers for “.com” domains.
- The TLD name servers refer the resolver to the authoritative name servers for the domain—for a Route 53 hosted zone these are the four Amazon Route 53 name servers assigned to the zone.
- The DNS resolver chooses one of the four Route 53 servers, and requests details for the hostname “www.example.com”.
- The Route 53 name server looks in the DNS zone for www.example.com, gets the IP address and other relevant information, and returns it to the DNS resolver.
- The DNS resolver returns the IP address to the user’s web browser, and also caches it locally for the number of seconds given by the record’s Time to Live (TTL), so repeat lookups within that window never reach the Route 53 name servers.
- The browser contacts the web server or other Amazon-hosted services using the IP address provided by the resolver.
- The website is displayed on the user’s web browser.
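To make the referral chain and the TTL caching in the steps above concrete, here is an added example: a toy iterative resolver in Python, not code from this article or from AWS. The zones, name server names, address and TTL are constructed for the demonstration, and the four awsdns-style name servers are assumed to serve identical copies of the hosted zone, as Route 53’s do.

```python
# Added example (not code from the original article or from AWS): a toy
# iterative resolver that walks the referral chain described above over a
# constructed, in-memory set of zones, and caches the final answer for the
# record's TTL. All names, addresses and TTLs below are made up for the
# demonstration; only the shape of the process matches the real DNS.
import random
import time

# Constructed copy of the hosted zone; the same data is served by all four
# name servers Route 53 assigns to a zone.
ROUTE53_ZONE = {
    "www.example.com.": {"type": "A", "ttl": 300, "address": "203.0.113.10"},
}
ROUTE53_NS = [
    "ns-1.awsdns-00.com.", "ns-2.awsdns-01.net.",
    "ns-3.awsdns-02.org.", "ns-4.awsdns-03.co.uk.",
]
# Each authoritative server maps an owner name to what it hands back:
# "NS" entries are referrals to the next hop, "A" entries are final answers.
ZONES = {
    "root": {
        "com.": {"type": "NS", "ttl": 172800, "servers": ["a.gtld-servers.net."]},
    },
    "a.gtld-servers.net.": {
        "example.com.": {"type": "NS", "ttl": 172800, "servers": ROUTE53_NS},
    },
}
for _ns in ROUTE53_NS:
    ZONES[_ns] = ROUTE53_ZONE


class Resolver:
    """Recursive resolver: starts at the root, follows referrals, caches answers."""

    def __init__(self, zones, now=time.time, choose=random.choice):
        self.zones = zones
        self.now = now          # clock function, injectable so TTL expiry can be tested
        self.choose = choose    # picks one of several name servers (real resolvers track RTT)
        self.cache = {}         # qname -> (address, expiry time)
        self.trace = []         # human-readable log of each step taken

    def _lookup(self, server, qname):
        """Return (owner, record) for the closest enclosing name this server knows."""
        zone = self.zones[server]
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # www.example.com., example.com., com.
            if candidate and candidate in zone:
                return candidate, zone[candidate]
        return None, None

    def resolve(self, qname):
        qname = qname.lower()
        if not qname.endswith("."):
            qname += "."
        now = self.now()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            self.trace.append(f"cache: {qname} -> {cached[0]} (no queries sent)")
            return cached[0]
        server = "root"
        for _ in range(8):  # bound the chain; real resolvers also cap referrals
            owner, rec = self._lookup(server, qname)
            if rec is None:
                raise LookupError(f"{server} has no data for {qname}")
            if rec["type"] == "NS":
                server = self.choose(rec["servers"])
                self.trace.append(f"{owner} delegated; next query goes to {server}")
                continue
            if rec["type"] == "A" and owner == qname:
                self.cache[qname] = (rec["address"], now + rec["ttl"])
                self.trace.append(
                    f"answer from {server}: {qname} -> {rec['address']} (ttl {rec['ttl']}s)")
                return rec["address"]
            raise LookupError(f"{server} has {rec['type']} for {owner}, not an answer for {qname}")
        raise LookupError("referral chain too long")


def demo():
    """Resolve twice inside the TTL, then once after it expires; return answers and trace."""
    clock = [1_000_000.0]
    r = Resolver(ZONES, now=lambda: clock[0], choose=lambda servers: servers[0])
    first = r.resolve("www.example.com.")     # full walk: root -> .com -> Route 53 NS
    second = r.resolve("WWW.EXAMPLE.COM")     # served from cache, case-insensitively
    clock[0] += 301                           # the 300 s TTL has elapsed
    third = r.resolve("www.example.com.")     # stale entry ignored: full walk again
    return (first, second, third), r.trace


if __name__ == "__main__":
    answers, trace = demo()
    print(answers)
    print("\n".join(trace))
```

Against the real DNS, `dig +trace www.example.com` prints the same root, TLD and authoritative hops. The simulated trace shows the trade-off behind the TTL: a short TTL makes an address change visible to clients sooner, at the cost of more queries reaching the Route 53 name servers.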
Amazon Route 53 Limitations
Amazon Route 53 is a robust DNS service with advanced features, but it has several important limitations:
- Route 53 private hosted zones are not reachable over VPN/Direct Connect. When a private zone is created and associated with a VPC, Route 53 answers for it only through the VPC’s own DNS endpoint (the Amazon-provided resolver at the VPC’s base CIDR address plus two). A forwarder running inside the VPC is required so that on-premises clients can resolve records in a private hosted zone, because that endpoint address is not routable across VPN or Direct Connect.
- Route 53 provides no forwarding or conditional forwarding options for domains used on an on-premises network, so queries from the VPC for internal domains cannot be sent to on-premises DNS servers without running your own forwarders.
- Route 53 does not support zone transfers (AXFR/IXFR), so it cannot act as a secondary for a zone mastered elsewhere, nor can another server pull a zone from it. Delegating a public subdomain such as “cloud.example.com” to Route 53 is still possible by adding NS records for it in the parent zone, but a private hosted zone cannot be reached that way from a zone hosted outside the VPC.
You can implement several workarounds for forwarding Route 53 DNS queries to external servers—but this will still incur latency, because the requests must contact Amazon infrastructure first, and are only then forwarded to the external server.
In addition, at the time of this writing, Amazon Route 53 does not support DNSSEC, the standard that digitally signs DNS records so that a validating resolver can check that an answer is identical to what the zone owner published. DNSSEC defeats several DNS attacks, including cache poisoning and forged responses injected by an on-path (man-in-the-middle) attacker; it does not encrypt queries or hide them from an observer.
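As an added example of the mechanism DNSSEC relies on (not code from this article or from AWS), the following Python computes the DS record a parent zone publishes to vouch for a child zone’s key-signing key, and performs the check a validating resolver makes against it. The DNSKEY material, owner name and algorithm are constructed assumptions; the procedures are those of RFC 4034 (key tag) and RFC 4509 (SHA-256 DS digest).

```python
# Added example (not code from the original article or from AWS): how the
# DNSSEC chain of trust is anchored at a delegation. The parent zone
# publishes a DS record that is a hash of the child's key-signing DNSKEY;
# a validating resolver accepts the child's signatures only if the DNSKEY
# it receives hashes to that DS. The key below is constructed (not a real
# key); the encoding follows RFC 4034 (key tag) and RFC 4509 (SHA-256 DS).
import base64
import hashlib
import struct


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) followed by the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_fields(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex): the DS RDATA the parent publishes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def format_ds(owner, fields):
    """Presentation format of the DS record, as it would appear in the parent zone."""
    tag, alg, dtype, digest = fields
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def dnskey_matches_ds(parent_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """The validator's check: does the DNSKEY the child serves hash to the parent's DS?"""
    return ds_fields(owner, flags, protocol, algorithm, pubkey_b64, parent_ds[2]) == parent_ds


# Constructed ECDSA P-256 (algorithm 13) key-signing key: 64 bytes of stand-in
# key material; flags 257 = zone key + secure entry point; protocol is always 3.
KSK_PUBKEY = base64.b64encode(bytes(range(1, 65))).decode()
KSK = ("example.com.", 257, 3, 13, KSK_PUBKEY)


def demo():
    """Build the DS for the constructed KSK, then validate a genuine and a swapped key."""
    parent_ds = ds_fields(*KSK)                       # what you hand to the registrar
    genuine = dnskey_matches_ds(parent_ds, *KSK)      # child serves the real key
    swapped = bytes(range(64, 0, -1))                 # attacker substitutes their own key
    forged = dnskey_matches_ds(parent_ds, "example.com.", 257, 3, 13,
                               base64.b64encode(swapped).decode())
    return format_ds("example.com.", parent_ds), genuine, forged


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The same DS can be produced from a real key file with BIND’s `dnssec-dsfromkey`. Whichever DNS provider signs the zone, this record has to be published at the parent (through the registrar, for a second-level domain) before validating resolvers will trust the zone’s signatures; a signed zone whose DS is missing or stale at the parent is treated as unsigned, or fails validation outright.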
AWS DNS Alternatives
While Route 53 is a natural option for managing DNS in Amazon’s ecosystem, it is possible to use third-party DNS providers. However, you need to make sure that your DNS provider is able to intelligently route traffic to the optimal endpoint, data center or geography in the same way that Route 53 does.
NS1 is a next-generation managed DNS service with advanced traffic routing capabilities. It uses a fast global network of DNS servers, and provides advanced capabilities such as anycast networking, point-and-click traffic management and data-driven content delivery.
NS1 provides a REST API and built-in integration with deployment and automation tools, allowing you to provide up-to-date information about your AWS servers, their physical location, data center, load, availability, and more. NS1 can then route traffic according to these parameters, provided in real time.
This means NS1 can provide similar features to Route 53—latency-based routing, geographic routing, health checks and DNS failover—and much more, because it allows you to route traffic based on any server attribute or traffic condition. Contact us for a demo to see how NS1 can help you manage traffic on AWS without the limitations of Route 53.