Solved

orphaned DNS entry

Posted on 2016-09-07
Last Modified: 2016-09-08
We have a split dns. Our ISP hosts the external zone. Because our web server is going on to AWS now, it has been offered to us to have the entry just for the web server on their dns servers, in the interest of less chance of outage.

My understanding is that there is only one SOA for a dns zone. One can replicate the entire zone, but not split off one entry. Is this correct?
Question by:sshield4
14 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41789515
When you say that you have split DNS, do you mean that you are using two views or that your zone is authoritative with different answers from two different servers?
0
 

Author Comment

by:sshield4
ID: 41789542
Internally we have a DNS server in our DMZ zone for the internal IPs. For example if we go to our web server from inside, or our intranet server from inside, the addresses are not public addresses.
This Internal DNS server is authoritative from inside our network.

But for anyone accessing our web sites from outside the network, our ISP's dns server is authoritative. From outside there are public IP addresses.

My question is, short of replicating the whole zone, we can't give AWS' DNS server just one DNS entry, can we?
0
 
LVL 1

Expert Comment

by:Steeve Roucaute
ID: 41789594
Your best bet would be to use Amazon Route 53 and configure your NS servers to be the Route 53 ones. Then in your local DNS you can create an A record which would point to the external IP of the EC2 instance.
Should you implement this, what I would recommend is to attach an Elastic IP to your EC2 instance so that the IP remains always the same. You could also create a pointer record to the AWS DNS name for your EC2 instance, but there is no guarantee that this will always remain the same, whereas an Elastic IP is static.
0

 
LVL 28

Expert Comment

by:Jan Springer
ID: 41789596
To my knowledge, Route 53 doesn't do views. So, it would take the place of providing external authority from your ISP. Its strength is in failover, but that's a completely different subject.
0
 

Author Comment

by:sshield4
ID: 41789644
So basically, we would have to MOVE our SOA to Route 53, away from our ISP, for our entire zone, all the A records, alias records, MX record, etc., correct?
0
 
LVL 1

Accepted Solution

by: Steeve Roucaute (earned 250 total points)
ID: 41789652
Yes, if you move the NS then you should have all records added to Route 53. One of the big advantages of Route 53 is that you can set the TTL very low, so any DNS changes that you make would propagate in no time as opposed to several hours for most ISPs. Also, you can set up some routing rules based on availability and latency. A common one to set up is to route all your traffic to an S3 static site if your web server is down. Route 53 will perform health checks at regular intervals. Jan is correct that it will need to provide external authority.
I have looked back at your original question, and I am not sure what exactly you are trying to achieve. Why do you want to route only the traffic of the EC2 instance via Route 53? You could also route the traffic from your existing ISP to the EC2 web server.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41789653
Oh, now I understand. No, have one or the other for the entire zone -- it's easier to manage. I like Route 53 resiliency, but if you are happy, don't worry about moving DNS.
0
 

Author Comment

by:sshield4
ID: 41789691
Thank you both so much.

Indeed, I did ask about moving only the EC2 IP to Route 53 because that is what we were told should happen. I did not think such a thing possible, but wanted to check with Experts.
1
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41789703
It is. But you are still relying on your primary DNS server to serve those NS records for that single FQDN. That's why I feel that it's not worth the trouble.

Either move the entire zone for resiliency or not.
0
 

Author Comment

by:sshield4
ID: 41789769
Jan, just to be sure what you are saying: a single record COULD go over to Route 53, but it would be a replication from our ISP's server, not independent?

I actually was not aware one could do a partial replication.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41789952
It would be the server that hosts the primary domain that would provide the NS record for that subdomain.

It's not a partial replication, it's an identification of authority for part or all of a zone.
0
 

Author Comment

by:sshield4
ID: 41789963
It would not be a subdomain... just one of the hosts.
0
 
LVL 28

Assisted Solution

by: Jan Springer (earned 250 total points)
ID: 41789971
Technically, you would make "www" a child or subdomain of "example.com" that could further be configured with hosts if you so chose.
0
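As an added illustration of the delegation Jan describes (not part of either expert's answer): the ISP keeps the parent zone and adds only NS records for "www", which makes www.example.com a child zone whose SOA and A record live in Route 53. All names and addresses here are constructed placeholders (RFC 5737 addresses, made-up ISP and Route 53 server names); use the name servers Route 53 actually assigns to the hosted zone.

```zone
; --- Parent zone example.com, still hosted at the ISP (constructed example) ---
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.isp.example. hostmaster.example.com. (
                  2016090701 ; serial
                  3600       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; negative-caching TTL
@       IN  NS    ns1.isp.example.
@       IN  NS    ns2.isp.example.
@       IN  MX    10 mail.example.com.
mail    IN  A     203.0.113.25

; Delegation of the single host: "www" becomes a child zone.
; The parent holds ONLY these NS records for it; the A record for www
; must be removed here, otherwise the ISP's answer shadows the delegation.
; No glue (A records for the name servers) is needed because the
; Route 53 server names are outside example.com.
www     IN  NS    ns-111.awsdns-11.com.   ; placeholder, not a real assignment
www     IN  NS    ns-222.awsdns-22.net.   ; placeholder, not a real assignment

; --- Child zone www.example.com, hosted in Route 53 (constructed example) ---
; Route 53 creates the SOA and NS records of this hosted zone itself;
; the only record you add is the apex A record for the Elastic IP.
$ORIGIN www.example.com.
@       IN  A     203.0.113.10   ; Elastic IP of the EC2 instance (placeholder)
```

Because every resolver must first obtain the "www" NS records from ns1/ns2.isp.example, an ISP outage still breaks resolution of www.example.com once the cached delegation expires; `dig +trace www.example.com A` shows that dependency step by step, which is the resiliency point Jan raises above.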
 

Author Comment

by:sshield4
ID: 41789976
Oh, I see. Thanks so much for the explanation. Now I understand.
0
