Uly.me

cloud engineer

dns

Outbound DNS

Here’s a typical setup for an Outbound DNS server.

What are unbound servers? Unbound servers are a validating, recursive and caching DNS server

Install Unbound DNS

yum install unbound

Configuration: /etc/outbound/outbound.conf

server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
        local-zone: "10.in-addr.arpa." nodefault
forward-zone:
        name: "10.in-addr.arpa."
        forward-addr: 169.254.169.253
forward-zone:
        name: "ec2.internal"
        forward-addr: 169.254.169.253
forward-zone:
        name: '.'
        forward-addr: 10.10.10.1
        forward-addr: 10.10.11.2

Unbound Start, Stop, Restart and Status

service outbound start | stop | restart | status

Route 53 Policy to Change Records

Here’s the IAM policy you’ll need to change Route 53 DNS records. Substitute with your own hosted zone id. 

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["route53:ChangeResourceRecordSets"],
      "Resource":"arn:aws:route53:::hostedzone/*HOSTEDZONEID*"
      }
   ],
   "Statement":[{
      "Effect":"Allow",
      "Action":["route53:GetChange"],
      "Resource":"arn:aws:route53:::change/*"
      }
   ]
}

Add to policy to a user.

Change DNS Records in Route 53 via CLI

How to change DNS records in Route 53 via AWS CLI.

  • Assuming AWS CLI is already configured
  • Uses Route53 change-resource-record-sets to update DNS records
  • Substitute with your own hosted-zone-id
  • Uses JSON files containing record sets
  • See JSON file examples below 
cd /path/to/scripts/
# the command to switch to the elb
aws route53 change-resource-record-sets --hosted-zone-id xxxxxxxxxxxxxx --change-batch file://elb.json
# the command to switch to standard site
aws route53 change-resource-record-sets --hosted-zone-id xxxxxxxxxxxxxx --change-batch file://live.json

elb.json = points to AWS ELB (elastic load balancer)

{
   "Comment": "back to elb",
   "Changes": [
      {
         "Action": "UPSERT",
         "ResourceRecordSet": {
            "Name": "yourdomain.com",
            "Type": "A",
            "AliasTarget": {
               "HostedZoneId": "xxxxxxxxxxxxxx",
               "EvaluateTargetHealth": false,
               "DNSName": "xxxxxxxxxxxxx.us-east-1.elb.amazonaws.com."
            }
         }
      }
   ]
}

live.json = points to your standard site. Value is your IP Address.

{
   "Comment": "back to live",
   "Changes": [
      {
         "Action": "UPSERT",
         "ResourceRecordSet": {
            "Name": "yourdomain.com",
            "Type": "A",
            "TTL": 60,
            "ResourceRecords": [
               {
                  "Value": "xxx.xxx.xxx.xxx"
               }
            ]
         }
      }
   ]
}

Resolv.conf

Resolv.conf is a computer file used by various operating systems as a DNS resolver. The file is in plain text. It’s usually generated by the system administrator or a network program. The file is located in the /etc/ directory and contains the search domain as well a list of nameservers.

Here’s an example of the /etc/resolv.conf file.

search domain.com local.lan
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 9.9.9.9

If you have problems resolving domain names, check this file first.

Failover Test

How to failover a website without actually doing a failover? It’s actually easier than you think. The key is to trick your computer that it’s pointing to a failover website. You can easily do this by editing your hosts file and adding a DNS entry. In both Linux and MacOS, you can edit the /etc/hosts file and add the failover site like the following below.

# /etc/hosts
# failover site
# xxx.xxx.xxx.xxx   yourdomain.com

xxx.xxx.xxx.xxx is the IP address of your failover site.
If you need to test the failover site, just uncomment the IP address.
Replace a comment if you’re done testing.

Choosing DNS Servers

Every once in a while (it doesn’t happen very often) DNS servers would stop resolving certain domains causing intermittent issues when accessing the Internet. To solve the DNS issues, I often switch DNS servers on my main router. Changing DNS servers may require rebooting your router.

So, here’s a list of DNS servers you could use on your router, in case the current DNS servers you are using is having problems. I primarily use OpenDNS and Google DNS servers, but others DNS servers are reliable as well.

OpenDNS

208.67.222.222 Primary
208.67.220.220 Secondary

Google

8.8.8.8 Primary
8.8.4.4 Secondary

Comcast

75.75.75.75 Primary
75.75.76.76 Secondary

AT&T DSL

68.94.156.1 Primary
68.94.157.1 Secondary

UltraDNS

156.154.70.1 Primary
156.154.71.1 Secondary

ScrubIt

67.138.54.100 Primary
207.225.209.66 Secondary

DNSResolvers

205.210.42.205 Primary
64.68.200.200 Secondary