architecting dns for windows on aws
TRANSCRIPT
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Architecting DNS for Windows
on AWS
Dean Suzuki,
5/4/2020
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS Design
• Active Directory relies upon DNS
• Many AWS services leverage DNS
• Most customers have an existing DNS architecture
• How do you integrate the two? Hybrid DNS design.
• But first, some AWS DNS concepts.
For more information, please watch a great RE:Invent 2019 presentation by Gavin
McCullagh on Hybrid DNS and Route 53 resolver
(https://www.youtube.com/watch?v=_Z5jAs2gvPA)
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DNS in AWS
DNS provided by Route 53
In subnet, Route 53 DNS endpoint is at network address
+2.
This address resides on VM host. It is not reachable from
on-premises hosts.
E.g. if subnet is 10.0.1.0/24, then Route 53 DNS endpoint
is at 10.0.1.2.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EC2 Autojoin and DNS
• If you have Managed AD or AD
Connector, then when you create a
Windows EC2 instance, you can
auto-join to Active Directory.
• When you choose this setting,
AWS sets the DNS settings on the
NIC inside the EC2 instance to the
IP addresses of the DNS servers
provided by Managed AD or AD
Connector.
• AWS then joins the instance to the
AD domain.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EC2 Autojoin and DNS
• If you have Managed AD or AD
Connector, then when you create
an EC2 instance, you can have it
auto-join Active Directory.
• When you choose this setting,
AWS sets the DNS settings on the
NIC inside the EC2 instance to the
IP addresses of the DNS servers
provided by Managed AD or AD
Connector.
• AWS then joins the instance to the
AD domain.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DNS and EC2 instances not using domain autojoin
• If you launch an EC2 Linux instance or Windows instance and don’t
use the domain autojoin capability, then the DNS settings of the
instance are provided by the DHCP settings of the VPC.
• The DHCP settings are controlled by the DHCP option set.
• By default, the DHCP settings provide the Route 53 network address
+2 address.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Route 53 Resolver: Inbound endpoints
• Allow on-premises resolvers query Route 53 Resolver
• Creates routable ENIs in VPC reachable over AWS
Direct Connect or VPN
• Limit: 10,000 QPS per ENI
AWS Cloud
Corporate
Network
VPC
Availability Zone
Availability Zone
Direct
Connect
Clients
DNS
Resolver
ServersInstances
Instances
Inbound
Resolver
Resolver
Inbound
VPC +2
VPC +2
Route 53 Resolver: Outbound endpoints
• Path for the Route 53 Resolver to query your DNS Resolvers
• Creates source ENIs in your VPC
• Usable by many VPCs
• Limit: 10,000 QPS per ENI
AWS Cloud
Corporate
Network
VPC
Availability Zone
Availability Zone
Direct
Connect
Clients
DNS
Resolver
ServersInstances
Instances
Resolver
Resolver
VPC +2
VPC +2
Outbound
Outbound
Zones
mycompany.com
168.192.in-addr.arpa
Query: foo.mycompany.com/A
Route 53 Resolver Rules
• Configure how Route 53 Resolver makes queries
• Two types: FORWARD and SYSTEM
1. Private DNS
DNS Resolver 1
DNS Resolver 2
Route 53 Resolver Processing Order
Outbound Endpoints: Multiple VPCs
• Do I need multiple outbound endpoints for multiple VPCs?
• No. Share and associate rules to many VPCs.
• Do I need to share Outbound Endpoints between VPCs/Accounts?
• No. When you associate a rule, the endpoint is shared implicitly.
• What if the VPCs are in different AWS accounts?
• Resource Access Manager shares Resolver Rules cross-account.
• Do I need VPC Peering or Transit Gateway?
• No.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hub and spoke
AWS CloudCorporate
Network
HUB VPC
Direct
ConnectClients
DNS
Resolver
Servers
Resolver
Spoke VPC2
Instances
Spoke VPC1
Instances
Outbound
Outbound
VPC +2 VPC +2
Zones
mycompany.com
168.192.in-addr.arpa
Query: foo.mycompany.com/A
Forward Rule:
mycompany.com InstancesVPC +2
Forward Rule:
mycompany.com
Forward Rule:
mycompany.com
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS Architecture: Recommended if not using domain auto-join
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS: Recommended if using Domain AutoJoin
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS Architecture: Option without R53 Resolvers
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Keys Differences if not using Route 53 Resolvers
Managed Limits Caching Cost Blast
Radius
Query
Metrics
Inbound
R53
Endpoints
Fully
Managed
10K QPS per ENI
At
Resolver
Service
$0.125
per hour per ENI
Zonal Yes
Forwarding
to AD
instances
1024 PPS
per
Forward
Instance
Yes EC2
Instance
pricing
Zonal No
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD on EC2 Hybrid DNS Options
Previous slides showed using AWS Managed Microsoft AD.
If you are using AD on EC2, then
• DNS zone is shared across on-premises and AWS on
domain controllers.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS with AD running on EC2
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Reverse Record Lookup (PTR) from On-premises DNS
For customer that need to resolve the PTR records
for hosts in AWS from DNS client on-premises, the
following section walks through how to setup this
architecture.
• For instances created in AWS, reverse records
are registered in VPC DNS (see right)
• Step 1: Create Route 53 inbound resolver.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Reverse Record Lookup (PTR) from On-premises DNS
Step 2: Create a Stub Zone in the on-
premises DNS server for the reverse lookup
zone (e.g. 0.10.in-addr-arpa) that exists in
AWS
• On the configuration of the stub zone,
specify the IP address of your Route 53
inbound resolvers (note the IP
addresses in the picture are for my lab.
Yours will be different.)
• This allows on-premises DNS clients to
issue reverse lookup queries for the
AWS instances
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Reverse Record Lookup (PTR) from On-premises DNS
Step 3: Create conditioner forwarder in the on-
premises DNS to resolve the forward lookup of the
AWS zone (e.g. ec2.internal)
This allows on-premises DNS clients to issue DNS
forward queries for the AWS instances by their
internal DNS names.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid DNS Summary
• Use Active Directory Integrated zones for DNS with secure updates
• Use Domain Controllers as DNS servers since it supports dynamic updates.
Other DNS servers may not support these features.
• Keep the DNS name resolution local to the region and do not cross the region
boundary.
• If you have Route53 private zones that need to be resolved, you can setup
conditional forwarding on the DC’s to point to .2 DNS resolver.
• For setting up hybrid DNS resolution with your on-premises, you can use
Route53 hybrid resolvers.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
References
For more information, please watch a great RE:Invent 2019 presentation by Gavin
McCullagh on Hybrid DNS and Route 53 resolver
(https://www.youtube.com/watch?v=_Z5jAs2gvPA)
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.