breakitdown
Published in

breakitdown

Everybody knows DNS

The curious life of an engineer starts with a single ping…

Photo by Alina Grubnyak on Unsplash

What is expected from DNS?

  • Help you discover the host by a name as simple as that. But modernization or cloud-native principles, use this discovery mechanism in distributed computing to create a resilient, fail-save, high available architectures. We are not going to talk about Eureka, Istio, Kubernetes anything here…only DNS.

What more default expectations of a DNS?

  • Speed
  • Security

How is the speed achieved?

  • BGP — Wikipedia’s definition, BGP is designed to exchange routing and reachability information between autonomous systems on the Internet.BGP is responsible for determining the most suitable route according to the information collected and an organization’s routing policy, which is based on cost, reliability, speed
  • Caching — Resolver-side cache, few other intelligence on cache misses like Prefetch, Refetch on TTL

How is security handled?

  • Being an Authority source for a hostname.
  • Prevent attacks- DDOS, Amplification Attacks.
  • DNSSEC — helps in Origin Authentication, Denial of existence, Data Integrity.

DNS Record type (popular ones )

  • A (ipv4 address record) — 10.20.100.10
  • AAAA (IPv6 address record) — 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • CNAME (canonical name record) — www.google.com
  • CAA (certification authority authorization)
  • MX (mail exchange record)
  • NS (name server record)
  • SOA (start of authority record)
  • SRV (service locator)
  • TXT (text record)

Unix Command to get information on records

dig is the command ex:

DNS Record Types ( Special ones )

  • DNSKEY — The DNSSEC key from another operator for secure transfer. This recordset type can only be added to a DNSSEC-enabled zone in the Transfer state.
  • DS — The DNSSEC Key fingerprint for a secure delegated zone. This record set type does not activate DNSSEC for a delegated zone unless you enable (and activate) DNSSEC for this zone.
  • SSHFP — The SSH server algorithm number, fingerprint type number, and key fingerprint. Use this record type if you have enabled DNSSEC for this zone.

Common algorithms used in DNS products are

  • The flavor of Dijkstra’s Algorithm
  • The flavor of Distance Vector Algorithms
  • Bloom filter
  • +there dozens for different use cases like failover, latency check, cache

Common techniques used for DDOS preventions are

  • Blackhole routing — the network traffic is directed to a ‘black hole’ where both the malicious traffic and non-malicious traffic gets lost in the black hole.
  • Rate limiting — controls the rate of traffic that is sent or received by a network interface.
  • Blacklisting / whitelisting — very basic technique

What are the popular cloud options?

  • Route 53 — AWS
  • Cloud DNS — GCP
  • Azure DNS

Fun facts — Route53 ( heard from a friend ! )

  • “Route” because it’s a DNS service
  • “53” default port of the DNS service is 53

Special DNS Record in Route53 — Alias Record

Alias records are unique and only exist in Route53. It is used to reach AWS resource record sets in your hosted zone toS3 buckets, ELB, Cloud Front, Elastic Beanstalk environments. Alias records to map custom domain names (such as docs.foo.com) both to API Gateway custom regional APIs and edge-optimized APIs and to Amazon VPC interface endpoints.

What are the Route53 routing policies?

  • Simple
  • Failover for Active-Passive scenarios
  • Geolocation for traffic based on the location of users(clients)
  • Geoproximity for traffic based on resources ( resources )
  • Latency for traffic based on resource latency checks
  • Multivalue returns 8 healthy resources
  • Weighted for hit based

Some cloudformation templates for route53

What is Traffic Flow in Route53?

Traffic flow simplifies the process of creating and maintaining records in large and complex configurations. It has visual editor, versioning capability, automatic record creation, and updates in public hosted zone, essential step for geo proximity routing policy.

What is Route 53 Resolver?

Route 53 Resolver is used for DNS resolution for hybrid clouds.

Route 53 Resolver Endpoints.

  • Inbound query capability is provided by Route 53 Resolver Endpoints, allowing DNS queries that originate on-premises to resolve AWS hosted domains.
  • Connectivity needs to be established between your on-premises DNS infrastructure and AWS through a Direct Connect (DX) or a Virtual Private Network (VPN).
  • Endpoints are configured through IP address assignments in each subnet for which you would like to provide a resolver.

For Deep Dives

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store