DNS, Route53, CloudFront, WAF

DNS

All computers on the internet, from your smart phone or laptop to the servers that serve content for massive retail websites, communicate with one another by using numbers. These numbers, known as IP addresses, are in one of the following formats:

  • Internet Protocol version 4 (IPv4) format, such as 192.0.2.44
    • 32 bits (four 8-bit numbers separated by periods)
    • Over 4 billion addresses
  • Internet Protocol version 6 (IPv6) format, such as 2001:0db8:85a3:0000:0000:abcd:0001:2345
    • 128 bits
    • Over 3.4×10^38 addresses

The four numbers in an IPv4 address are used in different ways to identify a particular network and a host on that network. The regional Internet registries (ARIN, RIPE NCC, LACNIC and APNIC) assign Internet addresses, traditionally from the following three classes:

  • Class A – supports 16 million hosts on each of 126 networks
  • Class B – supports 65,000 hosts on each of 16,000 networks
  • Class C – supports 254 hosts on each of 2 million networks

When you open a browser and go to a website, you don’t have to remember and enter a long number like that. Instead, you can enter a domain name like example.com and still end up in the right place. A DNS service such as Amazon Route 53 helps to make that connection between domain names and IP addresses.


Top-level domain names are controlled by the Internet Assigned Numbers Authority (IANA).

DNS Record Types

  • Address Mapping record (A Record)—also known as a DNS host record, stores a hostname and its corresponding IPv4 address.
  • IP Version 6 Address record (AAAA Record)—stores a hostname and its corresponding IPv6 address.
  • Canonical Name record (CNAME Record)—can be used to alias a hostname to another hostname. When a DNS client requests a record that contains a CNAME, which points to another hostname, the DNS resolution process is repeated with the new hostname.
  • Mail exchanger record (MX Record)—specifies an SMTP email server for the domain, used to route outgoing emails to an email server.
  • Name Server records (NS Record)—specifies that a DNS zone, such as “example.com”, is delegated to a specific authoritative name server, and provides the name of that server.
  • Reverse-lookup Pointer records (PTR Record)—allows a DNS resolver to provide an IP address and receive a hostname (reverse DNS lookup).
  • Certificate record (CERT Record)—stores encryption certificates—PKIX, SPKI, PGP, and so on.
  • Service Location (SRV Record)—a service location record, like MX but for other communication protocols.
  • Text Record (TXT Record)—typically carries machine-readable data such as opportunistic encryption, sender policy framework, DKIM, DMARC, etc.
  • Start of Authority (SOA Record)—this record appears at the beginning of a DNS zone file, and indicates the Authoritative Name Server for the current DNS zone, contact details for the domain administrator, domain serial number, and information on how frequently DNS information for this zone should be refreshed.
  • SPF Record – A Sender Policy Framework record. It tells mail exchangers which hosts are authorized to send mail for a domain, and is used to catch spoofing or spam. The dedicated SPF record type has been deprecated; SPF policies are published in TXT records today.

SOA Records

A Start of Authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. Normally DNS name servers are set up in clusters, and the database within each cluster is synchronized through zone transfers. The SOA record for a zone contains the data that controls those transfers: the serial number and several timers.

It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone.

  • Name of the server that supplied the data for that zone (the primary master)
  • The mailbox of the zone administrator (the @ is written as a dot)
  • Current version of the data (the serial number)
  • Number of seconds a secondary name server should wait before checking for updates (refresh)
  • Number of seconds a secondary name server should wait before retrying a failed zone transfer (retry)
  • Maximum number of seconds a secondary name server may keep using the data before it expires (expire)
  • Default number of seconds for TTL (minimum TTL)

Example zone file; the SOA fields appear in the same order as the list above:

$TTL 86400
@   IN  SOA     startech60serve root.startech60serve.com. (
        2018110201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS      startech60serve
        IN  A       192.168.1.3
        IN  MX 10   startech60serve
startech60serve     IN  A       192.168.1.3
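The following parser is an added example, not part of the original notes: it reads the zone file above, pulls the SOA fields out in the order the list gives them, recovers the administrator mailbox from the RNAME, and runs the sanity checks a secondary operator would want before accepting the zone (retry shorter than refresh, expire longer than refresh, serial in the common YYYYMMDDnn form). The only input it uses is the zone text from this page.

```python
import re
from datetime import datetime

# Sample input: the zone file from the notes above (no real infrastructure).
ZONE_TEXT = """$TTL 86400
@   IN  SOA     startech60serve root.startech60serve.com. (
        2018110201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS      startech60serve
        IN  A       192.168.1.3
        IN  MX 10   startech60serve
startech60serve     IN  A       192.168.1.3
"""

# The five numeric SOA fields, in the order they appear in the record.
SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def tokenize(zone_text):
    """Strip ';' comments and the parentheses that let the SOA span several lines."""
    no_comments = [line.split(";", 1)[0] for line in zone_text.splitlines()]
    return re.sub(r"[()]", " ", " ".join(no_comments)).split()


def parse_soa(zone_text):
    """Return the SOA record as a dict: MNAME, RNAME, admin mailbox and timers."""
    tokens = tokenize(zone_text)
    i = tokens.index("SOA")
    soa = {"mname": tokens[i + 1], "rname": tokens[i + 2]}
    soa.update(zip(SOA_FIELDS, (int(t) for t in tokens[i + 3:i + 8])))
    # RNAME is a mailbox with the '@' written as the first dot.
    local, _, domain = soa["rname"].rstrip(".").partition(".")
    soa["admin_email"] = f"{local}@{domain}"
    return soa


def check_soa(soa):
    """Sanity checks a secondary operator would want before accepting the zone."""
    problems = []
    # Secondaries poll every REFRESH seconds, retry every RETRY seconds after a
    # failed poll, and stop answering for the zone after EXPIRE seconds without
    # reaching the primary, so the timers only make sense in this order.
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        problems.append("expire should be longer than refresh")
    # Convention, not a protocol rule: serial formatted as YYYYMMDDnn.
    serial = str(soa["serial"])
    try:
        datetime.strptime(serial[:8], "%Y%m%d")
        serial_ok = len(serial) == 10
    except ValueError:
        serial_ok = False
    if not serial_ok:
        problems.append("serial does not follow the YYYYMMDDnn convention")
    return problems


if __name__ == "__main__":
    record = parse_soa(ZONE_TEXT)
    print(record)
    print("problems:", check_soa(record) or "none")
```

For the zone above the checks pass: retry 1800 is shorter than refresh 3600, expire 604800 is a week, and 2018110201 parses as 2 November 2018, change 01.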

NS Records

NS stands for ‘name server’ and this record indicates which DNS server is authoritative for that domain (which server contains the actual DNS records). A domain will often have multiple NS records which can indicate primary and backup name servers for that domain.

Example of an NS record:

Name    Record type    Value                    TTL
@       NS             ns1.exampleserver.com    21600

A Records

An A record maps a domain name to the IP address (Version 4) of the computer hosting the domain. An A record is used to find the IP address of a computer connected to the internet from a name.

The A in A record stands for Address. Whenever you visit a web site, send an email, connect to Twitter or Facebook, or do almost anything on the Internet, the address you enter is a series of words connected with dots.

For example, to access the DNSimple website you enter www.dnsimple.com. At our name server there’s an A record that points to the IP address 208.93.64.253. This means that a request from your browser to www.dnsimple.com is directed to the server with IP address 208.93.64.253.

Record format: A <IPv4 address>

TTL Record

Time to Live, in seconds: the length of time a DNS record is cached, either on the resolving server or on the user's own local PC. The lower the TTL, the faster changes to DNS records propagate throughout the internet.

CNAMES

A Canonical Name (CNAME) record is used to resolve one domain name to another. For example, the following addresses point to the same IP address:

  • https://m.mysite.com
  • https://mobile.mysite.com (CNAME)

Alias Records

Alias records are like CNAME records in that they map one DNS name (for example m.mysite.com) to another ‘target’ DNS name, but a CNAME cannot be used for a naked domain name (the zone apex record). For example, you cannot have a CNAME for mysite.com; that must be an A record or an Alias.

PTR

A PTR record resolves an IP address to a domain name and is commonly referred to as reverse DNS. It is the record to use whenever you need to turn an IP address back into a hostname.

Differences of Records

These are the main differences:

  • The A record maps a name to one or more IP addresses when the IP addresses are known and stable.
  • The CNAME record maps a name to another name. It should only be used when there are no other records on that name.
  • The ALIAS record maps a name to another name, but can coexist with other records on that name.
  • The URL record redirects the name to the target name using the HTTP 301 status code.

Important rules:

  • The A, CNAME, and ALIAS records cause a name to resolve to an IP. Conversely, the URL record redirects the name to a destination. The URL record is a simple and effective way to apply a redirect from one name to another, for example redirecting www.example.com to example.com.
  • An A record must point to an IP address. The CNAME and ALIAS records must point to a name.

General rules:

  • Use an A record if you manage which IP addresses are assigned to a particular machine, or if the IP addresses are fixed (this is the most common case).
  • Use a CNAME record if you want to alias one name to another name, and you don’t need other records (such as MX records for emails) for the same name.
  • Use an ALIAS record if you’re trying to alias the root domain (apex zone), or if you need other records for the same name.
  • Use the URL record if you want the name to redirect (change address) instead of resolving to a destination.
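The rules above are easy to break by hand, so here is an added example (not from the original notes) that applies them to a record set before it is published: no CNAME at the apex, no CNAME sharing a name with other records, ALIAS allowed to coexist, A records must hold IPv4 addresses and CNAME/ALIAS targets must be names. The record set is constructed for the example and uses only documentation addresses and example.com names.

```python
import ipaddress

APEX = "@"  # zone-file shorthand for the naked domain (zone apex)


def is_ipv4(value):
    """True for a literal IPv4 address, False for a name or anything else."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def validate_records(records):
    """records: iterable of (name, type, value) as they would appear in a zone.
    Returns a list of rule violations; an empty list means the set is consistent."""
    by_name = {}
    for name, rtype, value in records:
        by_name.setdefault(name, []).append((rtype.upper(), value))

    violations = []
    for name, rrs in by_name.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types:
            # A CNAME may not sit at the zone apex and may not share its name.
            if name == APEX:
                violations.append(f"{name}: CNAME is not allowed at the zone apex; use A or ALIAS")
            others = sorted(set(types) - {"CNAME"})
            if others:
                violations.append(f"{name}: CNAME cannot coexist with other records {others}")
            if types.count("CNAME") > 1:
                violations.append(f"{name}: only one CNAME is allowed per name")
        for rtype, value in rrs:
            if rtype == "A" and not is_ipv4(value):
                violations.append(f"{name}: A record value {value!r} is not an IPv4 address")
            if rtype in ("CNAME", "ALIAS") and is_ipv4(value):
                violations.append(f"{name}: {rtype} must point to a name, not an IP address")
    return violations


# Constructed sample records illustrating each rule (not from a real zone).
SAMPLE_RECORDS = [
    ("@", "CNAME", "www.example.com."),      # violates: CNAME at apex, and coexists with MX
    ("@", "MX", "10 mail.example.com."),
    ("www", "A", "192.0.2.44"),               # fine: A and TXT may share a name
    ("www", "TXT", "v=spf1 -all"),
    ("m", "CNAME", "mobile.example.com."),    # fine: alias of one name to another
    ("mobile", "ALIAS", "lb.example.com."),   # fine: ALIAS may coexist with MX
    ("mobile", "MX", "10 mail.example.com."),
    ("api", "CNAME", "192.0.2.45"),           # violates: CNAME target must be a name
]

if __name__ == "__main__":
    for problem in validate_records(SAMPLE_RECORDS):
        print(problem)
```

Running it reports three violations: two at the apex (the CNAME itself and its clash with the MX record) and the CNAME whose target is an IP address; the ALIAS next to an MX record passes, as the rules say it should.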

Protocols used by DNS

DNS uses both TCP and UDP. UDP messages are limited to 512 bytes and are truncated when larger than this size. DNS uses TCP for zone transfers and UDP for name queries, both forward and reverse. UDP is used to exchange small amounts of information, whereas TCP must be used to exchange information larger than 512 bytes. If a client does not get a response over UDP, it must retransmit the query using TCP after an interval of 3-5 seconds.

TCP is a connection-oriented protocol that guarantees the data arrives complete and in order at the destination; UDP is connectionless and provides no such guarantee, nor does it need a connection to be established with the host.

UDP packets are smaller: a DNS message over UDP cannot be greater than 512 bytes, so any exchange that needs to transfer more than 512 bytes requires TCP.
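To make the UDP/TCP behaviour concrete, here is an added example (not part of the original notes) that builds a DNS query in the RFC 1035 wire format, parses the header of a response, reads the TC (truncation) bit that tells a client its UDP answer was cut off, and applies the two-byte length prefix that TCP transport requires. The truncated response is a constructed byte string, not captured traffic, and the 512-byte figure is the classic limit the notes describe (EDNS(0) can raise it, which this example does not model).

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS(0)


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query (QR=0, RD=1) with one question; qtype 1 = A, 12 = PTR."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def parse_header(message):
    """Decode the fixed 12-byte DNS header into its fields and flag bits."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
        "tc": bool(flags & 0x0200),   # TrunCation: the answer did not fit in UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """A truncated (TC=1) UDP answer tells the client to repeat the query over TCP."""
    return parse_header(udp_response)["tc"]


def tcp_frame(message):
    """Over TCP every DNS message is prefixed with its two-byte big-endian length."""
    return struct.pack(">H", len(message)) + message


def tcp_unframe(stream):
    """Inverse of tcp_frame: read the length prefix and return one message."""
    (length,) = struct.unpack(">H", stream[:2])
    return stream[2:2 + length]


# Constructed sample: a server response to build_query("example.com") whose
# answer was too large for UDP, so the server set TC=1 and returned no answers.
TRUNCATED_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR=1 RD=1 RA=1 TC=1
    + build_query("example.com")[12:]
)

if __name__ == "__main__":
    query = build_query("example.com")
    print(len(query), "byte UDP query; fits in", UDP_LIMIT, "bytes:", len(query) <= UDP_LIMIT)
    print("retry over TCP:", needs_tcp_retry(TRUNCATED_RESPONSE))
    print("TCP framing adds", len(tcp_frame(query)) - len(query), "bytes")
```

A real resolver would send `build_query(...)` over UDP port 53, check `needs_tcp_retry` on what comes back, and if set, open a TCP connection and send `tcp_frame(query)`; the same query bytes are reused, only the transport changes.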

 

Route 53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. If you choose to use Route 53 for all three functions, perform the steps in this order:

1. Register domain names
Your website needs a name, such as example.com. Route 53 lets you register a name for your website or web application, known as a domain name.
2. Route internet traffic to the resources for your domain
When a user opens a web browser and enters your domain name (example.com) or subdomain name (acme.example.com) in the address bar, Route 53 helps connect the browser with your website or web application. See routing policies section below on how routes can be configured.
3. Check the health of your resources
Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it’s reachable, available, and functional. You also can choose to receive notifications when a resource becomes unavailable and choose to route internet traffic away from unhealthy resources.

Routing Policies

With a new Route 53 hosted zone created, we need to define the DNS records. When you create a record, you choose a routing policy, which determines how Amazon Route 53 responds to queries:

  • Simple routing policy – Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
  • Failover routing policy – Use when you want to configure active-passive failover.
  • Geolocation routing policy – Use when you want to route traffic based on the location of your users.
  • Geoproximity routing policy – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
  • Latency routing policy – Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
  • Multivalue answer routing policy – Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
  • Weighted routing policy – Use to route traffic to multiple resources in proportions that you specify.
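As an added example (not from the original notes or from AWS), the following code builds the ChangeBatch structure that Route 53's ChangeResourceRecordSets call accepts for a weighted record set, then models two of the policies listed above: weighted routing (each healthy record answers in proportion to its weight, with weight-0 records skipped unless every weight is 0) and multivalue answer routing (up to eight healthy records per response). The records, IP addresses and health states are constructed for the example; nothing here talks to AWS.

```python
import random


def weighted_change_batch(name, records, ttl=60, action="UPSERT"):
    """Build the ChangeBatch structure Route 53 ChangeResourceRecordSets accepts
    for a weighted A record set. records: list of (set_identifier, ip, weight)."""
    changes = []
    for set_id, ip, weight in records:
        if not 0 <= weight <= 255:
            raise ValueError("Route 53 weights must be in the range 0-255")
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "SetIdentifier": set_id,  # distinguishes records sharing a name and type
                "Weight": weight,
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        })
    return {"Comment": "weighted routing", "Changes": changes}


def weighted_answer(records, healthy, rng=random):
    """Model of weighted routing: pick one healthy record with probability
    weight / sum(weights). Weight-0 records are skipped unless every weight is 0,
    in which case all healthy records are equally likely."""
    candidates = [r for r in records if r[0] in healthy]
    if not candidates:
        return None
    weights = [w for _, _, w in candidates]
    if sum(weights) == 0:
        weights = [1] * len(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


def multivalue_answer(records, healthy, rng=random, limit=8):
    """Model of multivalue answer routing: up to eight healthy records, random order."""
    candidates = [r for r in records if r[0] in healthy]
    rng.shuffle(candidates)
    return candidates[:limit]


def observed_share(records, healthy, trials=10_000, seed=1):
    """Fraction of simulated queries answered with each record (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = {set_id: 0 for set_id, _, _ in records}
    for _ in range(trials):
        picked = weighted_answer(records, healthy, rng)
        if picked:
            counts[picked[0]] += 1
    return {k: v / trials for k, v in counts.items()}


# Constructed records: a blue/green split sending 75% of traffic to blue.
RECORDS = [("blue", "192.0.2.10", 3), ("green", "192.0.2.20", 1)]

if __name__ == "__main__":
    import json
    print(json.dumps(weighted_change_batch("www.example.com.", RECORDS), indent=2))
    print("both healthy:", observed_share(RECORDS, {"blue", "green"}))
    print("blue failed health check:", observed_share(RECORDS, {"green"}))
```

The second simulation shows why weighted records are usually paired with health checks: once blue is marked unhealthy, every answer goes to green regardless of the weights, which is the behaviour the notes describe under "route internet traffic away from unhealthy resources".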

Health Checks

Amazon Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. Each health check that you create can monitor one of the following:

  • The health of a specified resource, such as a web server
  • The status of other health checks
  • The status of an Amazon CloudWatch alarm

Hosted Zones

A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). A hosted zone and the corresponding domain have the same name. There are two types of hosted zones:

 

Elastic Load Balancers

An Alias record in AWS can point at a resource such as an ELB. A CNAME cannot, because a CNAME can only point to another hostname and cannot be used at the zone apex.

ELBs do not have predefined IPv4 addresses; they only have DNS names. This way AWS can change where the ELBs run and route to them dynamically using Route 53.

 

CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

  • If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
  • If the content is not in that edge location, CloudFront retrieves it from an origin that you’ve defined—such as an Amazon S3 bucket, a MediaPackage channel, or an HTTP server (for example, a web server) that you have identified as the source for the definitive version of your content.

Edge Location

This is the location where the content is cached. It is separate from an AWS Region or AZ. The origin is the set of files that the CDN will distribute; this can be an S3 bucket, an EC2 instance, an ELB or Route 53. The distribution is the name given to the CDN, which consists of a collection of edge locations. The edge location pulls objects from the origin and keeps them for the TTL.

Distributions

The distribution types are Web and RTMP. Web distributions are for typical websites; RTMP is used for media streaming. Note that edge locations are not read-only: clients can write through them too. Cached objects expire based on the TTL, but you can also clear the cache manually (an invalidation), for a fee.

Create a web distribution if you want to:

  • Speed up distribution of static and dynamic content, for example, .html, .css, .php, and graphics files.
  • Distribute media files using HTTP or HTTPS.
  • Add, update, or delete objects, and submit data from web forms.
  • Use live streaming to stream an event in real time.

Create an RTMP distribution to speed up distribution of your streaming media files using Adobe Flash Media Server’s RTMP protocol. An RTMP distribution allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location. (AWS has since discontinued RTMP distributions; the notes below describe the feature as it was.) Note the following:

  • To create an RTMP distribution, you must store the media files in an Amazon S3 bucket.
  • To use CloudFront live streaming, create a web distribution.

Restricted Viewer Access

Requires Signed URLS or Signed Cookies. Choose whether you want CloudFront to require users to access your content using a signed URL or a signed cookie. Additional configuration is required. In the Help, see “Serving Private Content through CloudFront”.

 

AWS WAF

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. AWS WAF also lets you control access to your content based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings. You can:

  • Allow all requests except the ones you specify
  • Block all requests except the ones you specify
  • Count requests that match your criteria
  • Run CAPTCHA checks against requests

Rules can inspect requests for conditions such as:

  • IP addresses that requests originate from
  • Country that requests originate from
  • Values in request headers
  • Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns
  • Length of requests
  • Presence of SQL code that is likely to be malicious (known as SQL injection)
  • Presence of a script that is likely to be malicious (known as cross-site scripting)

Using AWS WAF has several benefits:

  • Block/Allow requests based on rules/conditions
  • Rules can be reused for multiple applications
  • Real-time metrics
  • Automation through the AWS WAF API

AWS WAF works by using the following control types:

  • Web ACLs – a web access control list (ACL) is attached to a set of AWS resources and holds the rules that inspect their requests, plus a default action for requests no rule acts on.
  • Rules – a rule contains a statement that defines the inspection criteria and an action to take if a web request meets the criteria.
  • Rule Groups – rules can be used individually or in reusable rule groups. AWS Managed Rules provides managed rule groups, and you can also create your own.
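The control types above fit together as a small rule engine, so here is an added example (not from the original notes and not AWS WAF's JSON format) with the same evaluation semantics: rules run in priority order, an ALLOW or BLOCK match terminates evaluation, a COUNT match is recorded and evaluation continues, and the web ACL's default action applies when no rule terminates. The match conditions are the kinds the notes list (source IP, country, header value, request size); the web ACL and the requests are constructed for the example and use only documentation IP ranges.

```python
import ipaddress
import re


# Match conditions, each a predicate over a request dict with the keys
# "ip", "country", "headers" (lower-cased header names) and "body".
def ip_in(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)


def country_in(codes):
    return lambda req: req["country"] in codes


def header_matches(name, regex):
    pattern = re.compile(regex)
    return lambda req: pattern.search(req["headers"].get(name.lower(), "")) is not None


def body_larger_than(max_bytes):
    # Size constraint on the request body, measured in bytes as sent.
    return lambda req: len(req["body"].encode("utf-8")) > max_bytes


def evaluate(web_acl, req):
    """Rules run in priority order. ALLOW/BLOCK terminate evaluation; COUNT records
    the match and continues; the web ACL default action applies if nothing terminates.
    Returns (action, names of the rules that matched)."""
    matched = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if rule["match"](req):
            matched.append(rule["name"])
            if rule["action"] in ("ALLOW", "BLOCK"):
                return rule["action"], matched
    return web_acl["default_action"], matched


# Constructed web ACL for the example. Country code "ZZ" is a placeholder.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "block-denylisted-ips", "priority": 0, "action": "BLOCK",
         "match": ip_in(["203.0.113.0/24"])},
        {"name": "count-scripted-clients", "priority": 1, "action": "COUNT",
         "match": header_matches("User-Agent", r"(?i)\b(curl|python-requests)\b")},
        {"name": "block-oversized-body", "priority": 2, "action": "BLOCK",
         "match": body_larger_than(8192)},
        {"name": "allow-partner-range", "priority": 3, "action": "ALLOW",
         "match": ip_in(["198.51.100.0/24"])},
        {"name": "block-unserved-countries", "priority": 4, "action": "BLOCK",
         "match": country_in({"ZZ"})},
    ],
}


def sample_request(ip, country="US", user_agent="Mozilla/5.0", body=""):
    """Constructed request for the example (documentation IP ranges only)."""
    return {"ip": ip, "country": country,
            "headers": {"user-agent": user_agent}, "body": body}


if __name__ == "__main__":
    for req in (sample_request("203.0.113.9"),
                sample_request("192.0.2.1", user_agent="curl/8.0"),
                sample_request("192.0.2.2", body="x" * 9000),
                sample_request("198.51.100.7", country="ZZ"),
                sample_request("192.0.2.3")):
        print(req["ip"], "->", evaluate(WEB_ACL, req))
```

Two behaviours worth noticing: the COUNT rule never decides the outcome, it only labels the request (useful for testing a rule in production before switching it to BLOCK), and the partner ALLOW at priority 3 wins over the country BLOCK at priority 4, so rule ordering is part of the policy, not just presentation.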

Pricing

With AWS WAF, you pay only for the web ACLs and rule groups that you create, and for the number of HTTP(S) requests that AWS WAF inspects. Rule cost is measured in web ACL capacity units (WCUs): simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. For example, a size constraint rule statement uses fewer WCUs than a statement that inspects against a regex pattern set.

 

Differences between WAF, Firewall Manager and AWS Shield

You can use AWS WAF, AWS Firewall Manager, and AWS Shield together to create a comprehensive security solution.

It all starts with AWS WAF. You can automate and then simplify AWS WAF management using AWS Firewall Manager. Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.

If you want granular control over the protection that is added to your resources, AWS WAF alone is the right choice. If you want to use AWS WAF across accounts, accelerate your AWS WAF configuration, or automate protection of new resources, use Firewall Manager with AWS WAF.

Finally, if you own high visibility websites or are otherwise prone to frequent DDoS attacks, you should consider purchasing the additional features that Shield Advanced provides.


References

Official AWS Docs
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide

FAQs
https://aws.amazon.com/route53/faqs/