
I've read through all the AWS docs I can find and GoogleFoo has not resulted in anything.

My case here is we have one domain example.com and up to now we have used it only for Public records. There is one Hosted Zone set to Public. I want to now create a subdomain for private records to use inside of our VPC group for our application (e.g. to point at an ElastiCache instance).

I attempted to create private.example.com as a Private Hosted Zone pointing at our VPC and then created cache.private.example.com as a record under it but it will not resolve.

I am curious if I can configure a subdomain of our main domain somehow?

example.com - Public
  • app.example.com
private.example.com - Private
  • cache.private.example.com - VPC

OR

Can I also create a Private Hosted Zone with the same top level domain, example.com? I am nervous to try that because I do not want to affect the application.

example.com - Public
  • app.example.com
example.com - Private
  • cache.example.com - VPC
beefaroni
  • Why did you create two subdomains, "private.example.com" and "cache.private.example.com"? – Piyush Patil Jun 28 '16 at 19:13
  • @error2007s I was attempting to use the entire private.example.com subdomain as the private hosted zone. I will only have one record in it for now but will have more in the future. – beefaroni Jun 28 '16 at 19:57
  • Check below answer – Piyush Patil Jun 28 '16 at 19:58
  • Define "it will not resolve." What happens when you try? What happens if you put a conflicting record in the public zone for (e.g. cache.private.example.com)? If the public record resolves inside the VPC then you have a misconfiguration, which we'll need to pinpoint. – Michael - sqlbot Jun 29 '16 at 01:55
  • No, don't create a private example.com zone unless you are prepared to duplicate all the records from the public zone. Private masks public at the same level or below. – Michael - sqlbot Jun 29 '16 at 02:02

2 Answers


For Googlers trying to "subset" a public hosted zone, or to make a private hosted zone "fall back" or "extend" to the public one: read on.

Firstly, R53 is authoritative, meaning you have to provide exact resolution, so the common way of using different BIND views will not work. Also, when hosted zone names overlap, the private one prevails.

Secondly, R53 will determine which hosted zone to use based on "specificity". So when a user asks for www.example.com, a hosted zone named www.example.com prevails over another named example.com. This is something we can make use of.

Follow the procedure:

  • Create a public host zone for your public DNS record (e.g. example.com), or just use any other public DNS record and skip this step
  • Create a private hosted zone for each of your subdomain names that has a local / private mirror / cache (e.g. www.example.com)
  • Create a default record set for each of the private host zones (leaving the "Name" field empty) and point them to local addresses
  • Attach the private host zones to your selected VPC's

In this way, if your machine asks for www.example.com and a private hosted zone matches, it will return local addresses; otherwise, it will fall back to the public hosted zone.

The pitfall for this solution is that R53 charges you by number of host zones, so you will have to pay a bit more. Also this is a bit hacky. Otherwise it eliminates the complexity of creating and managing your own BIND server, syncing public records, etc.

dz902
  • This is accurate. But I would add that once you create, for example, a "www.example.com" private hosted zone, then anything under that will also use that private hosted zone. So trying to get to "server2.www.example.com" will result in looking up its IP in the "www.example.com" private hosted zone, not in the public zone. – Todd Walton Nov 03 '21 at 18:06
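As an added illustration (not code from any of the posts), here is a small Python model of the zone selection this answer and the comments describe: inside a VPC, an associated private hosted zone that covers the queried name masks the public zone at its apex and below, the most specific zone wins, and a name the winning zone has no record for is NXDOMAIN rather than falling through to the public zone. The zone layout, VPC id and addresses are constructed; it also covers the question's option 1 (a private private.example.com beside a public example.com).

```python
from dataclasses import dataclass, field

@dataclass
class HostedZone:
    name: str                                    # zone apex, e.g. "example.com"
    private: bool                                # private hosted zone?
    vpcs: set = field(default_factory=set)       # VPC ids a private zone is associated with
    records: dict = field(default_factory=dict)  # fqdn -> value (one record per name, for brevity)

def _norm(name):
    return name.lower().rstrip(".")

def _covers(zone, qname):
    return qname == zone.name or qname.endswith("." + zone.name)

def select_zone(qname, zones, vpc=None):
    """Zone that answers `qname` for a resolver in `vpc` (None = public internet).
    Inside a VPC, any associated private zone covering the name masks all public
    zones; among overlapping zones the most specific (longest) apex wins."""
    qname = _norm(qname)
    def most_specific(cands):
        return max(cands, key=lambda z: len(z.name), default=None)
    if vpc is not None:
        private = [z for z in zones if z.private and vpc in z.vpcs and _covers(z, qname)]
        if private:
            return most_specific(private)
    return most_specific([z for z in zones if not z.private and _covers(z, qname)])

def resolve(qname, zones, vpc=None):
    """Return ("ANSWER", value), ("NXDOMAIN", zone_apex) or ("NO_ZONE", None)."""
    qname = _norm(qname)
    zone = select_zone(qname, zones, vpc)
    if zone is None:
        return ("NO_ZONE", None)
    if qname in zone.records:
        return ("ANSWER", zone.records[qname])
    return ("NXDOMAIN", zone.name)  # authoritative: no fallback to a less specific zone

def demo_zones():
    """Constructed setup: the question's option 1 plus a per-subdomain private zone."""
    return [
        HostedZone("example.com", False, records={
            "app.example.com": "203.0.113.10", "www.example.com": "198.51.100.20"}),
        HostedZone("private.example.com", True, {"vpc-0example"}, {
            "cache.private.example.com": "10.0.1.5"}),
        HostedZone("www.example.com", True, {"vpc-0example"}, {
            "www.example.com": "10.0.2.7"}),  # the "default record set" with an empty Name
    ]

if __name__ == "__main__":
    for vpc in ("vpc-0example", None):
        for q in ("app.example.com", "cache.private.example.com", "server2.www.example.com"):
            print(vpc or "internet", q, resolve(q, demo_zones(), vpc))
```

Note that server2.www.example.com from the VPC returns NXDOMAIN from the private www.example.com zone even though the public zone could have answered, which is the masking behaviour the comment above warns about.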

You will need to have a different domain for the private zone, something like "example.internal". Then you could have "cache.example.internal".

cache.private.example.com will not resolve in your current setup, because it will be looking to example.com to resolve that DNS name. Also note it will only resolve inside the VPC.

Matthew McCants
  • I found this blurb which led me to believe example 2 was possible, but was unsure if it only worked for "split-view" or could work as I laid out. http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html See the section on "Split View" – beefaroni Jun 28 '16 at 20:01
  • @MatthewMcCants, no. One private hosted zone at private.example.com will coexist just fine with a public zone example.com and have exactly the desired behavior -- private records visible only internally, public records outside public.example.com visible in and out. There is no conflict nor ambiguity in this configuration. The private masks the public at the apex of the private zone and below -- not above. – Michael - sqlbot Jun 29 '16 at 02:07