
We have several servers on AWS VPC, but all have a 'public' face via DNS, handled with Route53. The problem is that when one server looks up the address of another server via DNS, if the entry is an 'A' record, it gets the public IP, not the AWS 'private' IP, and transfers go via the external network address.

If on the other hand I configure the domain as a CNAME pointing to the AWS public DNS name, like this:

CNAME  super.domain.com  ec2-1-2-3-4.compute-1.amazonaws.com

then lookups from 'outside' the VPC get the real external IP address, and lookups from 'inside' get the local 10.x.x.x address. This is exactly as I want it. Now the problem comes that these servers need to send mail, and pretty much everyone (mailgun, mandrill, etc.) requires SPF and DKIM records. But you can't mix those TXT records with a CNAME.

I know I could use /etc/hosts files on the servers to pre-empt the DNS lookup and use A records, but there are 14 servers and growing, and every time one of them is restarted, I'd have to update all the hosts files - seems like a recipe for messing things up.

My question is this: Is there a way to set up AWS Route53 so I can take advantage of the automatic internal/external resolution of the Amazon public DNS name, and still provide effective SPF and DKIM records? I did ask this on the AWS forum, but didn't get any help there...

Mailgun is probably closest, in that you can use a subdomain for the SPF/DKIM records (e.g. mg.super.domain.com), which then doesn't clash with the CNAME records. But then you hit this problem, the solution to which appears to be an A record, and I'm back to having to maintain many records when the instance IP addresses change!

  • That is an interesting problem, that I'm reasonably sure there's not a solution for. (at least not with regards to the CNAME/TXT mixing) - would it be possible to have super.subdomain.domain.com? – Michael B Apr 08 '16 at 20:59
  • I'm coming to the same conclusion having thought about it over the weekend. From what I read on that other post I linked to, adding further subdomains just pushes the problem downwards. At least you _can_ then use an A record there for receiving mailservers not to bounce messages, as that won't clash like the CNAME. It's marginally better, as at least I get the AWS internal/external resolution for the top domain. But I still have to go round and update IP addresses every time the server is restarted which is what I really wanted to avoid. – dsl101 Apr 11 '16 at 07:20
  • Could you configure a private VPC Hosted Zone and use those private R53 domains between your servers internally, while using the public R53 records externally? Just add a .internal or something to your domain. Public: server1.domain.com Private: server1.domain.internal – Ken Hundley Nov 09 '17 at 19:35
  • I guess using different names internally and externally would be part of the solution, although it doesn't solve the original problem of getting AWS to just do the right thing :). I think we're just living with using external access between machines, or configuring the internal software to use local IPs where there's lots of transfer going on. – dsl101 Nov 10 '17 at 09:38
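
The constraint behind the whole thread is the DNS rule that a CNAME must be the only record at its name, which is why SPF and DKIM TXT records cannot sit beside the CNAME to the EC2 public DNS name. The following is an added example, not code from the question or from AWS: a small pre-flight check you can run over a planned Route 53 record set before applying it, using a constructed zone that mirrors the layout discussed (apex CNAME, mail records on the mg. subdomain). The hostnames, SPF string and DKIM key value are placeholders.

```python
from collections import defaultdict

# Constructed sample mirroring the question: apex CNAME to the EC2 public
# name, plus a Mailgun-style mail subdomain carrying SPF and DKIM.
PLANNED_RECORDS = [
    ("super.domain.com", "CNAME", "ec2-1-2-3-4.compute-1.amazonaws.com"),
    ("super.domain.com", "TXT", "v=spf1 include:mailgun.org ~all"),  # illegal beside the CNAME
    ("mg.super.domain.com", "TXT", "v=spf1 include:mailgun.org ~all"),
    ("smtp._domainkey.mg.super.domain.com", "TXT", "v=DKIM1; k=rsa; p=EXAMPLEKEY"),
    ("mg.super.domain.com", "A", "1.2.3.4"),
]

def _norm(name):
    """Canonical, fully qualified, lower-case owner name."""
    return name.lower().rstrip(".") + "."

def find_cname_conflicts(records):
    """Names that hold a CNAME together with other record types (RFC 1034 forbids this)."""
    types_by_name = defaultdict(set)
    for name, rtype, _ in records:
        types_by_name[_norm(name)].add(rtype.upper())
    return {n: sorted(t - {"CNAME"}) for n, t in types_by_name.items()
            if "CNAME" in t and len(t) > 1}

def mail_setup_status(records, mail_domain):
    """Report whether SPF and a DKIM selector exist under mail_domain and
    whether mail_domain itself is CNAME-free (so TXT/A records may live there)."""
    mail = _norm(mail_domain)
    has_spf = has_dkim = cname_at_mail = False
    for name, rtype, value in records:
        n = _norm(name)
        if n == mail and rtype.upper() == "CNAME":
            cname_at_mail = True
        if rtype.upper() != "TXT":
            continue
        if n == mail and value.startswith("v=spf1"):
            has_spf = True
        if n.endswith("._domainkey." + mail) and value.startswith("v=DKIM1"):
            has_dkim = True
    return {"spf": has_spf, "dkim": has_dkim, "cname_free": not cname_at_mail}

def fixed_plan(records):
    """Drop every non-CNAME record at a CNAME-bearing name; returns the cleaned list."""
    conflicts = find_cname_conflicts(records)
    return [r for r in records
            if not (_norm(r[0]) in conflicts and r[1].upper() != "CNAME")]

if __name__ == "__main__":
    print(find_cname_conflicts(PLANNED_RECORDS))
    print(mail_setup_status(PLANNED_RECORDS, "mg.super.domain.com"))
```

Route 53 rejects the conflicting change batch anyway, but running the check first shows which records would have to move to the mail subdomain.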

0 Answers