
Create Alias DNS Record for Root Domain

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that a DNS Alias record is created for the root domain name (the zone apex) within your Amazon Route 53 hosted zone. An Alias record is a Route 53-specific record type that lets you create an A (or AAAA) record for the root domain and point it to the fully qualified domain name (FQDN) of an AWS resource such as a Network Load Balancer (NLB), an S3 website endpoint, or a CloudFront web distribution, which a standard CNAME record cannot do at the zone apex. Before this rule is evaluated by the Trend Cloud One™ – Conformity engine, your root domain name must be configured in the rule settings, in your Conformity account console.

Security

Alias records are a Route 53-specific extension to DNS. They solve a standards problem: the zone apex must hold NS and SOA records, and a CNAME cannot coexist with other records at the same name, so a plain CNAME cannot point the root domain at an AWS endpoint. They also save you maintenance effort, because Route 53 automatically follows changes in the resource that the Alias record refers to. For example, suppose an Alias record for domain.com points to a load balancer at aws-prod-elb.us-east-1.elb.amazonaws.com. If the IP addresses behind the load balancer change, Amazon Route 53 reflects those changes in DNS responses for domain.com without any change to the hosted zone that contains the records for the root domain, whereas a static A record would keep answering with the stale addresses. Therefore, to point the root domain name to a supported AWS cloud resource such as an S3 website endpoint or a CloudFront web distribution, an Alias DNS record set should be created.

Note: Make sure that you replace all <root_domain_name> placeholders outlined in the conformity rule content with your own root domain name.


Audit

To determine if there is an Alias record set created for the root domain within your Amazon Route 53 hosted zones, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access the Create DNS Alias Record for Root Domain conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

04 In the main navigation panel, under Dashboard, choose Hosted zones.

05 Click inside the Filter hosted zones by property or value box, select Domain name, paste the name of your root domain copied at step no. 1, and press Enter. If the filter returns no results, there is no Amazon Route 53 hosted zone created for your domain name, therefore the Audit process ends here. If the Amazon Route 53 console returns a public hosted zone for your domain name, continue the Audit process with the next step.

06 Click on the domain name of the public hosted zone returned by the service console.

07 In the Records section, perform the following:

  1. Select A from the Type dropdown menu to list all the A DNS records created for the selected hosted zone.
  2. Select Alias from the Alias dropdown menu to filter the existing results (i.e. A records) and list only the Alias records created for the selected hosted zone. Check whether one of the records returned has the root domain name itself (not a subdomain such as www) as its Record name. If the filter returns no Alias records, or none of them is named after the root domain, there is no DNS Alias record created for the root domain name of your application within the selected Amazon Route 53 hosted zone.

08 If required, repeat steps no. 6 and 7 for other hosted zones created within your AWS cloud account.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access the Create DNS Alias Record for Root Domain conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).

02 Run list-hosted-zones command (OSX/Linux/UNIX) with a custom query filter that matches the domain name copied at the previous step, to get the ID of the Amazon Route 53 hosted zone created for the specified domain. Replace <root_domain_name> with your own root domain name and keep the trailing dot, because Route 53 stores every zone and record name as a fully qualified name:

aws route53 list-hosted-zones \
  --query "HostedZones[?Name == '<root_domain_name>.'].Id"

03 The command request should return one of the following outputs:

  1. If the list-hosted-zones command output returns an empty array (i.e. []), as shown in the example below, there is no Amazon Route 53 hosted zone created for your root domain name, therefore the Audit process ends here:
    []
    
  2. If the command output returns the ID of the hosted zone associated with your root domain name, as shown in the output example below, continue the Audit with the next step:
    [
    	"/hostedzone/ABCD1234ABCD1234ABCD"
    ]
    

04 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Amazon Route 53 hosted zone returned at the previous step as the identifier parameter, with a query filter that keeps only the records named after the root domain that carry an AliasTarget. Replace <root_domain_name> with your own root domain name (again with the trailing dot that Route 53 adds to every record name):

aws route53 list-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
  --query "ResourceRecordSets[?Name == '<root_domain_name>.' && AliasTarget != null]"

05 The command output should return the Alias record(s) configured for the root domain name. If the output is an empty array (i.e. []), as shown below, there is no Alias record set for the root domain within the selected hosted zone, and the rule is not satisfied for that zone:

[]

06 If required, repeat steps no. 4 and 5 for other hosted zones available in your AWS cloud account.
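As an added example (not Conformity's own code), the check performed in steps no. 4 and 5 expressed as a small Python script over the JSON that list-resource-record-sets returns. The record sets embedded below are constructed samples, the function names and the separate "static apex record" finding are my additions, and a real run would feed the output of the CLI command (or of a boto3 list_resource_record_sets paginator) into evaluate():

```python
"""Audit helper: given the JSON document returned by
`aws route53 list-resource-record-sets`, decide whether the zone apex
(root domain) has an Alias record. Added example; sample data is constructed."""
import json


def normalize(name: str) -> str:
    """Route 53 returns fully qualified, case-insensitive names: compare
    lower-cased with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def root_alias_records(record_sets, root_domain):
    """Return the Alias records (A or AAAA) whose name is the zone apex."""
    apex = normalize(root_domain)
    return [
        rr for rr in record_sets
        if normalize(rr["Name"]) == apex
        and rr["Type"] in ("A", "AAAA")
        and rr.get("AliasTarget") is not None
    ]


def evaluate(list_rrsets_output: str, root_domain: str) -> dict:
    """COMPLIANT when an apex Alias exists, otherwise NON_COMPLIANT with a
    reason. A plain A/AAAA record with static IPs at the apex is reported
    separately, since that is the configuration the rule wants replaced."""
    rrsets = json.loads(list_rrsets_output)["ResourceRecordSets"]
    apex = normalize(root_domain)
    aliases = root_alias_records(rrsets, root_domain)
    static_apex = [
        rr for rr in rrsets
        if normalize(rr["Name"]) == apex
        and rr["Type"] in ("A", "AAAA")
        and rr.get("AliasTarget") is None
    ]
    if aliases:
        return {"status": "COMPLIANT",
                "targets": [rr["AliasTarget"]["DNSName"] for rr in aliases]}
    reason = ("apex has static A/AAAA record(s) instead of an Alias"
              if static_apex else "no A/AAAA Alias record at the zone apex")
    return {"status": "NON_COMPLIANT", "reason": reason}


# Constructed sample zone: the apex is an Alias to an NLB, www is a plain A record.
# The hosted zone ID and NLB name are placeholders, not real identifiers.
SAMPLE_COMPLIANT = json.dumps({"ResourceRecordSets": [
    {"Name": "domain.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "domain.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZABCDEF1234567",
                     "DNSName": "aws-prod-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "www.domain.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]})

# Constructed sample zone: the apex is a static A record, which the rule flags.
SAMPLE_STATIC = json.dumps({"ResourceRecordSets": [
    {"Name": "domain.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]})

if __name__ == "__main__":
    print(evaluate(SAMPLE_COMPLIANT, "Domain.com"))
    print(evaluate(SAMPLE_STATIC, "domain.com"))
```

Feeding the real CLI output works as `evaluate(open("rrsets.json").read(), "<root_domain_name>")`; the AWS CLI paginates list-resource-record-sets for you, but a boto3 caller must iterate the paginator and concatenate ResourceRecordSets before calling evaluate().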

Remediation / Resolution

To create and configure a DNS Alias record for your root domain name, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). The template creates a public hosted zone, an internet-facing Network Load Balancer used as the Alias target, and an Alias A record at the zone apex. An Alias record has no TTL and no ResourceRecords, and the HostedZoneId inside AliasTarget is the load balancer's canonical hosted zone, not the zone being edited. Replace the subnet ID and domain name with your own values:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"NetworkLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Type": "network",
				"Scheme": "internet-facing",
				"Subnets": [
					"subnet-0123456789abcdefa"
				]
			}
		},
		"Route53HostedZone": {
			"Type": "AWS::Route53::HostedZone",
			"Properties": {
				"HostedZoneConfig": {
					"Comment": "Route53 public hosted zone for domain.com"
				},
				"Name": "domain.com",
				"HostedZoneTags": [
					{
						"Key": "Owner",
						"Value": "IT"
					}
				]
			}
		},
		"Route53RootAliasRecord": {
			"Type": "AWS::Route53::RecordSet",
			"Properties": {
				"HostedZoneId": {
					"Ref": "Route53HostedZone"
				},
				"Name": "domain.com",
				"Type": "A",
				"AliasTarget": {
					"DNSName": {
						"Fn::GetAtt": [
							"NetworkLoadBalancer",
							"DNSName"
						]
					},
					"HostedZoneId": {
						"Fn::GetAtt": [
							"NetworkLoadBalancer",
							"CanonicalHostedZoneID"
						]
					},
					"EvaluateTargetHealth": false
				}
			}
		}
	}
}

02 CloudFormation template (YAML), equivalent to the JSON template above:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      Subnets:
        - subnet-0123456789abcdefa
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: Route53 public hosted zone for domain.com
      Name: domain.com
      HostedZoneTags:
        - Key: Owner
          Value: IT
  Route53RootAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      # Ref on a hosted zone returns its ID, so use HostedZoneId, not HostedZoneName
      HostedZoneId: !Ref Route53HostedZone
      Name: domain.com
      Type: A
      # Alias records carry no TTL and no ResourceRecords
      AliasTarget:
        DNSName: !GetAtt NetworkLoadBalancer.DNSName
        HostedZoneId: !GetAtt NetworkLoadBalancer.CanonicalHostedZoneID
        EvaluateTargetHealth: false

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). It creates the public hosted zone, an internet-facing Network Load Balancer as the Alias target, and an Alias A record at the zone apex; the alias block replaces the ttl and records arguments used by a static record. Replace the subnet ID and domain name with your own values:

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Alias target: an internet-facing Network Load Balancer.
resource "aws_lb" "nlb" {
	load_balancer_type = "network"
	internal           = false
	subnets            = ["subnet-0123456789abcdefa"]
}

resource "aws_route53_zone" "route53-hosted-zone" {
	name    = "domain.com"
	comment = "Route53 public hosted zone for domain.com"
	tags    = {
		Owner = "IT"
	}
}

# Alias A record at the zone apex. No ttl/records: Route 53 resolves the target itself.
resource "aws_route53_record" "root-alias-record" {
	zone_id = aws_route53_zone.route53-hosted-zone.zone_id
	name    = aws_route53_zone.route53-hosted-zone.name
	type    = "A"

	alias {
		name                   = aws_lb.nlb.dns_name
		zone_id                = aws_lb.nlb.zone_id # the target's hosted zone, not the zone being edited
		evaluate_target_health = false
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Dashboard, click Hosted zones.

04 Click on the domain name of the hosted zone that you want to reconfigure.

05 In the Records section, choose Create record to initiate the Alias DNS record setup process, then perform the following actions:

  1. For Record name, provide the name of the root domain set for your application (the domain name configured within the conformity rule settings).
  2. For Record type, select A – Routes traffic to an IPv4 address and some AWS resources.
  3. Toggle the Alias button to specify that you want the new record to be an Alias for an AWS cloud resource or Alias to another record available in the hosted zone.
  4. For Route traffic to, choose the type of the AWS resource, such as a CloudFront web distribution or an Amazon S3 website endpoint, to route the traffic to. Then specify the applicable values, such as the AWS region where you created the selected AWS resource, and the resource that you want to route traffic to.
  5. For Routing policy, choose the routing method appropriate for the new Alias record, based on your application requirements.
  6. For Evaluate target health, choose whether or not to evaluate the health of your new Alias record set.
  7. Choose Create records to add the new Alias record set to your Amazon Route 53 hosted zone.

06 If required, repeat steps no. 4 and 5 for other hosted zones created within your AWS cloud account.

Using AWS CLI

01 To create the required Alias record and add it to your DNS hosted zone, first create an Amazon Route 53 change batch that declares the new Alias DNS record and save it to a JSON file named root-domain-alias-record.json. Replace <root-domain-name>, <target-hosted-zone-id>, and <target-resource-dns-name> with your own details. Note that the HostedZoneId inside AliasTarget identifies the hosted zone of the target resource (for example the canonical hosted zone ID of your load balancer, the S3 website endpoint zone for the bucket's region, or Z2FDTNDATAQYW2 for any CloudFront distribution), not the hosted zone you are editing; both names must end with a trailing dot, and an Alias record carries no TTL:

{
	"Comment": "Alias DNS record for <root-domain-name>.",
	"Changes": [
	{
		"Action": "CREATE",
		"ResourceRecordSet": {
			"Name": "<root-domain-name>.",
			"Type": "A",
			"AliasTarget": {
				"HostedZoneId": "<target-hosted-zone-id>",
				"EvaluateTargetHealth": false,
				"DNSName": "<target-resource-dns-name>."
			}
		}
	}
	]
}

02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to reconfigure as the identifier parameter and the change batch defined at the previous step (i.e. root-domain-alias-record.json) as the change-batch parameter, to add the new Alias DNS record set to the selected hosted zone. The CREATE action fails if an A record already exists at the apex; use UPSERT in the change batch if you are replacing an existing static record:

aws route53 change-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
  --change-batch file://root-domain-alias-record.json

03 The command output should return the metadata for the change request, including its ID and an initial status of PENDING:

{
	"ChangeInfo": {
		"Status": "PENDING",
		"Comment": "Alias DNS record for <root-domain-name>",
		"SubmittedAt": "2020-08-11T15:00:00.000Z",
		"Id": "/change/ABCDABCDABCDABCDABCD"
	}
}

04 Run get-change command (OSX/Linux/UNIX) using the ID of the change request returned at the previous step as the identifier parameter, to check whether the new record set has propagated:

aws route53 get-change \
  --id "/change/ABCDABCDABCDABCDABCD"

05 The command output should return the current status of the DNS record batch request. The current status should be INSYNC, which indicates that the change was fully propagated to all Amazon Route 53 DNS server nodes:

{
	"ChangeInfo": {
		"Status": "INSYNC",
		"Comment": "Alias DNS record for <root-domain-name>",
		"SubmittedAt": "2020-08-11T15:00:00.000Z",
		"Id": "/change/ABCDABCDABCDABCDABCD"
	}
}

06 If required, repeat steps no. 1 – 5 for other hosted zones available in your AWS cloud account.
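As an added example (not Conformity's own code), the CLI procedure above as a Python function: it builds the change batch from step no. 1 with the validation a practitioner wants (trailing dots, A/AAAA only, a target hosted zone ID that is a bare ID rather than a "/hostedzone/..." path), then submits it and polls until the status is INSYNC as in steps no. 2 to 5. The Route 53 client is injected, so the FakeRoute53 class below stands in for boto3 and everything runs offline; the resource names, zone IDs and the fake client are constructed assumptions:

```python
"""Build a root-domain Alias change batch, submit it, and wait for INSYNC.
Added example; `client` is any object with the boto3 Route53 methods
change_resource_record_sets and get_change. Sample identifiers are placeholders."""
import json
import re
import time

# Shape check only: Route 53 hosted zone IDs are upper-case alphanumeric and start with Z.
# This rejects the common mistake of passing the "/hostedzone/..." path form here.
_ZONE_ID = re.compile(r"^Z[0-9A-Z]{4,31}$")


def fqdn(name: str) -> str:
    """Normalise to a fully qualified, lower-case name with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def alias_change_batch(root_domain, target_dns_name, target_zone_id,
                       record_type="A", action="CREATE",
                       evaluate_target_health=False):
    """Return the change batch for `aws route53 change-resource-record-sets`.
    target_zone_id is the hosted zone ID of the *target* (NLB, S3 website
    endpoint, CloudFront), not of the zone being edited. UPSERT replaces an
    existing static apex record in one step; CREATE fails if one exists."""
    if action not in ("CREATE", "UPSERT"):
        raise ValueError("action must be CREATE or UPSERT")
    if record_type not in ("A", "AAAA"):
        raise ValueError("an Alias to an AWS resource must be an A or AAAA record")
    if not _ZONE_ID.match(target_zone_id):
        raise ValueError(f"{target_zone_id!r} does not look like a Route 53 hosted zone ID")
    return {
        "Comment": f"Alias DNS record for {fqdn(root_domain)}",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": fqdn(root_domain),
                "Type": record_type,
                # No TTL: Alias records take their TTL from the target.
                "AliasTarget": {
                    "HostedZoneId": target_zone_id,
                    "DNSName": fqdn(target_dns_name),
                    "EvaluateTargetHealth": evaluate_target_health,
                },
            },
        }],
    }


def apply_and_wait(client, hosted_zone_id, batch, attempts=30, delay=0.0):
    """Submit the batch, then poll get_change until Route 53 reports INSYNC.
    Returns the change ID; raises if it is still PENDING after `attempts` polls."""
    change = client.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                                ChangeBatch=batch)
    change_id = change["ChangeInfo"]["Id"]
    for _ in range(attempts):
        status = client.get_change(Id=change_id)["ChangeInfo"]["Status"]
        if status == "INSYNC":
            return change_id
        time.sleep(delay)
    raise TimeoutError(f"change {change_id} still PENDING after {attempts} polls")


class FakeRoute53:
    """Constructed stand-in for boto3.client('route53'): the change stays
    PENDING for two polls, then becomes INSYNC, mirroring steps no. 3 to 5."""
    def __init__(self):
        self.batches = []
        self.polls = 0

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        self.batches.append((HostedZoneId, ChangeBatch))
        return {"ChangeInfo": {"Id": "/change/ABCDABCDABCDABCDABCD",
                               "Status": "PENDING"}}

    def get_change(self, Id):
        self.polls += 1
        status = "INSYNC" if self.polls > 2 else "PENDING"
        return {"ChangeInfo": {"Id": Id, "Status": status}}


if __name__ == "__main__":
    batch = alias_change_batch("domain.com",
                               "aws-prod-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com",
                               "ZABCDEF1234567", action="UPSERT")
    print(json.dumps(batch, indent=2))  # same content as root-domain-alias-record.json
    print(apply_and_wait(FakeRoute53(), "ABCD1234ABCD1234ABCD", batch))
```

Against a real account, pass `boto3.client("route53")` as `client` and a non-zero `delay` (a few seconds; propagation normally completes within a minute). Writing the returned batch to root-domain-alias-record.json with json.dump gives exactly the file consumed by the CLI command in step no. 2.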

Publication date Apr 18, 2018