Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 80
  • Last Modified:

orphaned DNS entry

We have a split dns. Our ISP hosts the external zone. Because our web server is going on to AWS now, it has been offered to us to have the entry just for the web server on their dns servers, in the interest of less chance of outage.

My understanding is that there is only one SOA for a dns zone. One can replicate the entire zone, but not split off one entry. Is this correct?
0
sshield4
Asked:
sshield4
  • 6
  • 6
  • 2
2 Solutions
 
Jan SpringerCommented:
When you say that you have split DNS, do you mean that you are using two views or that your zone is authoritative with different answers from two different servers?
0
 
sshield4Author Commented:
Internally we have a DNS server in our DMZ zone for the internal IPs. For example if we go to our web server from inside, or our intranet server from inside, the addresses are not public addresses.
This Internal DNS server is authoritative from inside our network.

But for anyone accessing our web sites from outside the network, our ISP's dns server is authoritative. From outside there are public IP addresses.

My question is, short of replicating the whole zone, we can't give AWS' DNS server just one DNS entry, can we?
0
 
Steeve RoucauteCommented:
Your best bet would be to use Amazon Route 53 and configure your ns servers to be the Route53 ones. Then in your local DNS you can create an A record which would point the external IP of the EC2 instance.
Should you implement this, what I would recommend is to attach an Elastic IP to your EC2 instance so that the IP remain always the same. You could also create a pointer record to the AWS DNS name for your EC2 instance but there is no guarantee that this will always remain the same, whereas an Elastic IP is static.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Jan SpringerCommented:
To my knowledge, Route 53 doesn't do views.  So, it would take the place of providing external authority from your ISP.  It's strength is in failover but that's a completely different subject.
0
 
sshield4Author Commented:
So basically, we would have to MOVE our SOA to Route 53, away from our ISP,  for our entire zone, all the A records, alias records, MX record, etc, correct?
0
 
Steeve RoucauteCommented:
Yes, if you move the ns then you should have all records added to route53. One of the big advantages of Route53 is that you set the TTL very low, so any DNS changes that you will make would propagate in no time as opposed to several hours for most ISPs. Also, you can setup some routing rules based on availability and latency. A common one to setup being to route all your traffic to a S3 static site if your webserver is down. Route 53 will perform some healthchecks at regular intervals. Jan is correct that it will need to provide external authority.
I have looked back at your original question, and I am not sure what exactly you are trying to achieve? Why do you want to route only the traffic of the EC2 instance to via Route 53? As you could also route the traffic from your existing ISP to the EC2 webserver?
0
 
Jan SpringerCommented:
Oh, now I understand.  No, have one or the other for the entire zone -- it's easier to manage.  I like Route 53 resiliency but if you are happy, don't worry about moving DNS.
0
 
sshield4Author Commented:
Thank you both so much.

Indeed, I did ask about moving only the EC2 IP to the Route 53  because that is what we were told should happen. I did not think such a thing possible, but wanted to check with Experts.
1
 
Jan SpringerCommented:
It is.  But you are still relying on your primary DNS server to serve those NS records for that single FQDN.  That's why I feel that it's not work the trouble.  

Either move the entire zone for resiliency or not.
0
 
sshield4Author Commented:
Jan, Just to be sure what you are saying, a single record COULD go over to route53 but it would be a replication from our ISP's server, not independent?

I actually was not away one could do a partial replication.
0
 
Jan SpringerCommented:
It would the server that hosts the primary domain that would provide the NS record for that subdomain.  

It's not a partial replication, it's an identification of authority for part or all of a zone.
0
 
sshield4Author Commented:
It would not be a sub domain...Just one of the hosts.
0
 
Jan SpringerCommented:
Technically, you would make "www" a child or subdomain of "example.com" that could further be configured with hosts if you so chose.
0
 
sshield4Author Commented:
Oh, I see. Thanks so much for the explanation. Now I understand.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

  • 6
  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now