- Check for Root Domain Alias Records that Point to Load Balancers
Ensure that the Alias record for your root domain routes traffic to an associated Classic, Application, or Network Load Balancer. An Alias record is a Route 53–specific extension to DNS: instead of an IP address or a CNAME target, the record holds a pointer to an AWS resource, in this case your load balancer. Before the Trend Cloud One™ – Conformity engine can run this rule, your root domain name must be configured in the rule settings in your Conformity account console.
Your Amazon Route 53 hosted zone can hold a special record type called Alias that lets you create an A record for the root domain (the zone apex) and point it to the fully qualified domain name (FQDN) of the load balancer associated with your application. A CNAME record cannot exist at the zone apex, so an Alias record is the only way to route the bare domain to a load balancer. Records for the other layers of your application should be created in the same way, so that you keep flexibility in the application design and avoid hardcoding the FQDN of a resource.
Note: Make sure that you replace all <root_domain_name> placeholders outlined in the conformity rule content with your own root domain name.
Audit
To determine if your Amazon Route 53 hosted zones contain Alias records that point to your load balancers, perform the following actions:
Using AWS Console
01 Sign in to your Trend Cloud One™ – Conformity account, access the Check for Root Domain Alias Records that Point to Load Balancers conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).
02 Sign in to the AWS Management Console.
03 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.
04 In the main navigation panel, under Dashboard, choose Hosted zones.
05 Click inside the Filter hosted zones by property or value box, select Domain name, paste the name of your root domain copied at step no. 1, and press Enter. If the filtering process does not return any results, there is no Amazon Route 53 hosted zone created for your domain name, therefore the Audit process ends here. If the Amazon Route 53 console returns a public hosted zone for your domain name, continue the Audit process with the next step.
06 Click on the domain name of the hosted zone returned by the Route 53 console.
07 In the Records section, perform the following operations:
- Select A from the Type dropdown menu to list all the A DNS records created for the selected hosted zone.
- Select Alias from the Alias dropdown menu to filter the existing results (i.e. A records) and list only the Alias records created for the selected hosted zone. If this filtering method is not returning any Alias records, there are no Alias records created for the root domain name of your application, therefore the Audit process ends here.
- Check the Alias record value available in the Value/Route traffic to column for the record whose name is the root domain. If this value is not the fully qualified domain name (FQDN) of an AWS Elastic Load Balancer, i.e. it does not end in <region>.elb.amazonaws.com. (Application and Classic Load Balancers) or elb.<region>.amazonaws.com. (Network Load Balancers), the Alias record created for the selected root domain name is not routing traffic to a Classic, Application, or Network Load Balancer.
08 If required, repeat steps no. 6 and 7 for other hosted zones created within your AWS cloud account.
Using AWS CLI
01 Sign in to your Trend Cloud One™ – Conformity account, access the Check for Root Domain Alias Records that Point to Load Balancers conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).
02 Run list-hosted-zones command (OSX/Linux/UNIX) using the name of the domain copied at the previous step as the identifier parameter and custom query filters to get the ID of the Amazon Route 53 hosted zone created for the specified domain. Replace <root_domain_name> with your own root domain name (the trailing dot after the name is required, because Route 53 stores zone names as FQDNs):
aws route53 list-hosted-zones --query "HostedZones[?Name == '<root_domain_name>.'].Id"
03 The command should return one of the following outputs:
- If the list-hosted-zones command output returns an empty array (i.e. []), as shown in the example below, there is no Amazon Route 53 hosted zone created for your root domain name, therefore the Audit process ends here:
[]
- If the command output returns the ID of the hosted zone associated with your root domain name, as shown in the output example below, continue the Audit with the next step:
[ "/hostedzone/ABCD1234ABCD1234ABCD" ]
04 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Amazon Route 53 hosted zone returned at the previous step as the identifier parameter, to describe each Alias record created in the specified hosted zone. The record whose "Name" equals your root domain name (with the trailing dot) is the one this rule evaluates:
aws route53 list-resource-record-sets --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" --query 'ResourceRecordSets[?AliasTarget != null]'
05 The command should return one of the following outputs:
- If the list-resource-record-sets command output returns an empty array (i.e. []), as shown in the example below, there are no DNS Alias records created for the root domain name associated with your application, therefore the Audit process ends here:
[]
- If the command output returns one or more Alias record sets, check the "DNSName" property value of the record whose "Name" is your root domain. If the "DNSName" value is not the fully qualified domain name (FQDN) of an AWS Elastic Load Balancer, i.e. it does not end in <region>.elb.amazonaws.com. (Application and Classic Load Balancers) or elb.<region>.amazonaws.com. (Network Load Balancers), the Alias record created for the selected root domain name is not routing traffic to a Classic, Application, or Network Load Balancer:
```json
[
    {
        "Name": "app.trendmicro.com.",
        "Type": "A",
        "AliasTarget": {
            "HostedZoneId": "ABCD1234ABCD1234ABCD",
            "DNSName": "console.trendmicro.com.",
            "EvaluateTargetHealth": false
        }
    }
]
```
06 If required, repeat steps no. 4 and 5 for other hosted zones available in your AWS cloud account.
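The Audit procedure above, expressed as a script. This is an added example and is not part of the Conformity rule content: it applies the same root-domain Alias check to the "ResourceRecordSets" list that list-resource-record-sets returns, running offline against constructed sample records. The fetch_record_sets helper (which needs boto3 and AWS credentials), the zone content, and the load balancer name are assumptions. Unlike a plain "contains elb.amazonaws.com." test, the pattern also recognises Network Load Balancer names, which end in elb.<region>.amazonaws.com.

```python
"""Audit a Route 53 hosted zone for a root-domain Alias record that targets an ELB."""
import re

# DNS names of Elastic Load Balancers. ALB and CLB: <name>-<id>.<region>.elb.amazonaws.com
# (optionally prefixed with dualstack.); NLB: <name>-<id>.elb.<region>.amazonaws.com.
# The China partition uses amazonaws.com.cn. Route 53 returns names with a trailing dot.
ELB_DNS_RE = re.compile(r"\.elb(\.[a-z0-9-]+)?\.amazonaws\.com(\.cn)?\.?$", re.IGNORECASE)


def is_elb_dns_name(dns_name: str) -> bool:
    """True if dns_name is the FQDN of a Classic, Application or Network Load Balancer."""
    return ELB_DNS_RE.search(dns_name) is not None


def fqdn(name: str) -> str:
    """Lower-case a DNS name and give it a single trailing dot, as Route 53 stores it."""
    return name.strip().lower().rstrip(".") + "."


def audit_apex_alias(record_sets, root_domain):
    """Check the A/AAAA Alias record(s) at the zone apex (the root domain).

    record_sets is the "ResourceRecordSets" list returned by list-resource-record-sets.
    Returns a dict with "compliant", a human-readable "reason" and the apex Alias targets.
    """
    apex = fqdn(root_domain)
    apex_aliases = [
        rs for rs in record_sets
        if rs.get("AliasTarget") is not None
        and rs["Type"] in ("A", "AAAA")
        and fqdn(rs["Name"]) == apex
    ]
    targets = [rs["AliasTarget"]["DNSName"] for rs in apex_aliases]
    if not targets:
        return {"compliant": False, "reason": f"no A/AAAA Alias record for {apex}", "targets": []}
    not_elb = [t for t in targets if not is_elb_dns_name(t)]
    if not_elb:
        return {"compliant": False,
                "reason": f"Alias target(s) for {apex} are not load balancers: {', '.join(not_elb)}",
                "targets": targets}
    return {"compliant": True, "reason": f"{apex} routes to an Elastic Load Balancer", "targets": targets}


def fetch_record_sets(root_domain, profile=None):
    """All record sets of the public hosted zone for root_domain (needs boto3 and AWS credentials).

    Paginates list-resource-record-sets (at most 300 records per call), so a large zone
    is not silently truncated. Returns None when no public zone exists for the domain.
    """
    import boto3  # imported here so the offline checks above do not need boto3 installed
    r53 = boto3.Session(profile_name=profile).client("route53")
    apex = fqdn(root_domain)
    zones = [z for z in r53.list_hosted_zones_by_name(DNSName=apex)["HostedZones"]
             if z["Name"] == apex and not z["Config"].get("PrivateZone", False)]
    if not zones:
        return None
    records = []
    for page in r53.get_paginator("list_resource_record_sets").paginate(HostedZoneId=zones[0]["Id"]):
        records.extend(page["ResourceRecordSets"])
    return records


# Constructed sample zone content (not real AWS output): the apex A record is an Alias to an
# ALB in us-east-1 and www is a plain CNAME, which the rule ignores.
SAMPLE_COMPLIANT = [
    {"Name": "domain.com.", "Type": "NS", "TTL": 172800, "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "domain.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z35SXDOTRQ7X7K",
                     "DNSName": "dualstack.cc-app-load-balancer-123456789012.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "www.domain.com.", "Type": "CNAME", "TTL": 300, "ResourceRecords": [{"Value": "domain.com."}]},
]

# Constructed: the apex Alias points at a CloudFront distribution, not a load balancer.
SAMPLE_NON_COMPLIANT = [
    {"Name": "domain.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d111111abcdef8.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
]

if __name__ == "__main__":
    for label, zone in (("compliant", SAMPLE_COMPLIANT), ("non-compliant", SAMPLE_NON_COMPLIANT)):
        print(label, audit_apex_alias(zone, "domain.com"))
```

To audit a real account, pass the output of fetch_record_sets("domain.com") to audit_apex_alias; a zone with no apex Alias record at all is reported as non-compliant rather than silently passed, which is the outcome a continuous check should produce.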
Remediation / Resolution
To configure Amazon Route 53 to route traffic to your AWS Elastic Load Balancer (Classic, Application, or Network Load Balancer), perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "cc-app-load-balancer",
        "Type": "application",
        "Scheme": "internet-facing",
        "IpAddressType": "ipv4",
        "Subnets": [
          "subnet-01234abcd1234abcd",
          "subnet-0abcd1234abcd1234"
        ],
        "SecurityGroups": [
          "sg-0abcd1234abcd1234",
          "sg-01234abcd1234abcd"
        ]
      }
    },
    "Route53HostedZone": {
      "Type": "AWS::Route53::HostedZone",
      "Properties": {
        "HostedZoneConfig": {
          "Comment": "Route53 public hosted zone for domain.com"
        },
        "Name": "domain.com",
        "HostedZoneTags": [
          {
            "Key": "Owner",
            "Value": "IT"
          }
        ]
      }
    },
    "Route53Record": {
      "Type": "AWS::Route53::RecordSet",
      "Properties": {
        "HostedZoneId": {
          "Ref": "Route53HostedZone"
        },
        "Name": "domain.com",
        "Type": "A",
        "AliasTarget": {
          "DNSName": {
            "Fn::GetAtt": [
              "ApplicationLoadBalancer",
              "DNSName"
            ]
          },
          "EvaluateTargetHealth": false,
          "HostedZoneId": {
            "Fn::GetAtt": [
              "ApplicationLoadBalancer",
              "CanonicalHostedZoneID"
            ]
          }
        }
      }
    }
  }
}
```

The record is created at the zone apex (domain.com, the root domain this rule checks). Ref on an AWS::Route53::HostedZone returns the zone ID, so the record uses HostedZoneId rather than HostedZoneName; an Alias record has no TTL property (CloudFormation rejects TTL together with AliasTarget); and the AliasTarget hosted zone ID comes from the CanonicalHostedZoneID attribute of the AWS::ElasticLoadBalancingV2::LoadBalancer resource (CanonicalHostedZoneNameID is the equivalent attribute of a Classic Load Balancer, AWS::ElasticLoadBalancing::LoadBalancer).
02 CloudFormation template (YAML):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: Route53 public hosted zone for domain.com
      Name: domain.com
      HostedZoneTags:
        - Key: Owner
          Value: IT
  Route53Record:
    Type: AWS::Route53::RecordSet
    Properties:
      # Ref on a HostedZone returns its ID; an Alias record carries no TTL.
      HostedZoneId: !Ref Route53HostedZone
      Name: domain.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApplicationLoadBalancer.DNSName
        EvaluateTargetHealth: false
        # CanonicalHostedZoneID is the ELBv2 attribute (CanonicalHostedZoneNameID is for Classic ELB).
        HostedZoneId: !GetAtt ApplicationLoadBalancer.CanonicalHostedZoneID
```
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-app-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
  security_groups    = ["sg-0abcd1234abcd1234", "sg-01234abcd1234abcd"]
}

resource "aws_route53_zone" "route53-hosted-zone" {
  name    = "domain.com"
  comment = "Route53 public hosted zone for domain.com"
  tags = {
    Owner = "IT"
  }
}

# Root-domain (zone apex) Alias record. An alias record has no ttl (the provider
# rejects ttl together with alias), and the alias zone_id is the load balancer's
# canonical hosted zone ID, exposed as zone_id on the aws_lb resource.
resource "aws_route53_record" "route53-record" {
  zone_id = aws_route53_zone.route53-hosted-zone.zone_id
  name    = "domain.com"
  type    = "A"

  alias {
    name                   = aws_lb.application-load-balancer.dns_name
    zone_id                = aws_lb.application-load-balancer.zone_id
    evaluate_target_health = false
  }
}
```
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.
03 In the main navigation panel, under Dashboard, click Hosted zones.
04 Click on the domain name of the hosted zone that you want to reconfigure.
05 In the Records section, choose Create record to initiate the Alias DNS record setup process, then perform the following operations:
- For Record name, provide the root domain name (i.e. the domain name configured in the conformity rule settings).
- For Record type, select A – Routes traffic to an IPv4 address and some AWS resources.
- Toggle the Alias button to specify that you want the new record to be an Alias for an AWS resource.
- For Route traffic to, choose the type of the AWS resource that you want to route the traffic to.
- Select Alias to Application and Classic Load Balancer to route traffic to an Application Load Balancer (ALB) or Classic Load Balancer (CLB), or choose Alias to Network Load Balancer to route traffic to a Network Load Balancer (NLB).
- For Choose Region, select the AWS region where the target load balancer was provisioned.
- For Choose load balancer, select the fully qualified domain name (FQDN) of the load balancer that you want to route traffic to.
- For Routing policy, choose the routing method appropriate for the new Alias record, based on your application requirements.
- For Evaluate target health, choose Yes if you want Route 53 to consider the health of the load balancer (as reported by its own target health checks) before routing traffic to it; this only changes DNS answers when you use failover or another routing policy with several records for the same name. Otherwise choose No.
- Choose Create records to add the new Alias record set to your Amazon Route 53 hosted zone.
06 If required, repeat steps no. 4 and 5 for other hosted zones created within your AWS cloud account.
Using AWS CLI
01 To create the required Alias record and add it to your DNS hosted zone, first create an Amazon Route 53 change file that declares the new Alias DNS record, and save the record definition to a JSON file named elb-alias-record.json. Replace <root-domain-name>, <hosted-zone-id>, and <target-resource-dns-name> with your own details. <target-resource-dns-name> is the fully qualified domain name (FQDN) of the load balancer that you want to route traffic to (e.g. dualstack.web-load-balancer-123456789012.us-east-1.elb.amazonaws.com.). <hosted-zone-id> inside AliasTarget is the hosted zone ID of the load balancer itself, not the ID of the hosted zone you are editing: take it from the CanonicalHostedZoneId attribute returned by aws elbv2 describe-load-balancers (Application and Network Load Balancers) or the CanonicalHostedZoneNameID attribute returned by aws elb describe-load-balancers (Classic Load Balancers). Route 53 rejects the change batch if this ID does not match the target name:
```json
{
    "Comment": "Alias DNS record for <root-domain-name>.",
    "Changes": [
        {
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "<root-domain-name>.",
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": "<hosted-zone-id>",
                    "EvaluateTargetHealth": false,
                    "DNSName": "<target-resource-dns-name>."
                }
            }
        }
    ]
}
```
02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to reconfigure as the identifier parameter and the Amazon Route 53 change file defined at the previous step (i.e. elb-alias-record.json) as the command parameter, to add the Alias DNS record set configured at the previous step to the selected hosted zone:
aws route53 change-resource-record-sets --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" --change-batch file://elb-alias-record.json
03 The command output should return the metadata for the change request, including its ID (the "Id" value under "ChangeInfo"), which you need to track propagation in the next step:
```json
{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "Alias DNS record for <root-domain-name>",
        "SubmittedAt": "2020-08-11T15:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}
```
04 Run get-change command (OSX/Linux/UNIX) using the ID of the Route 53 change file returned at the previous step as the identifier parameter, to describe the status of the newly created record set:
aws route53 get-change --id "/change/ABCDABCDABCDABCDABCD"
05 The command output should return the current status of the DNS record batch request. Immediately after submission the status is PENDING; repeat the command until it reports INSYNC, which indicates that the change was fully propagated to all Amazon Route 53 DNS server nodes (this normally takes well under a minute):
```json
{
    "ChangeInfo": {
        "Status": "INSYNC",
        "Comment": "Alias DNS record for <root-domain-name>",
        "SubmittedAt": "2021-08-12T15:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}
```
06 If required, repeat steps no. 1 – 5 for other hosted zones available in your AWS cloud account.
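The CLI remediation above, as code. This is an added example rather than part of the rule content: it builds the same change batch as elb-alias-record.json, refuses a target that is not a load balancer DNS name, and can submit the batch and wait for the INSYNC status that step 5 polls for. The load balancer name, its canonical hosted zone ID and the hosted zone ID are assumptions; lookup_load_balancer_target and apply_change_batch need boto3 and AWS credentials, while build_alias_change_batch and write_change_file run offline.

```python
"""Create (or update) the root-domain Alias record that routes traffic to an Elastic Load Balancer."""
import json
import re

# Same ELB name test as the Audit: ALB/CLB end in <region>.elb.amazonaws.com, NLB in
# elb.<region>.amazonaws.com (amazonaws.com.cn in the China partition).
ELB_DNS_RE = re.compile(r"\.elb(\.[a-z0-9-]+)?\.amazonaws\.com(\.cn)?\.?$", re.IGNORECASE)


def build_alias_change_batch(root_domain, lb_dns_name, lb_hosted_zone_id,
                             action="UPSERT", evaluate_target_health=False):
    """Return the change batch document that change-resource-record-sets expects.

    lb_hosted_zone_id is the load balancer's canonical hosted zone ID (CanonicalHostedZoneId
    from `aws elbv2 describe-load-balancers`, CanonicalHostedZoneNameID from
    `aws elb describe-load-balancers`), not the ID of the zone the record is created in.
    UPSERT makes re-running the remediation safe; CREATE fails if an apex A record exists.
    """
    if action not in ("CREATE", "UPSERT"):
        raise ValueError("action must be CREATE or UPSERT")
    if not ELB_DNS_RE.search(lb_dns_name):
        raise ValueError(f"{lb_dns_name!r} is not an Elastic Load Balancer DNS name")
    zone_id = lb_hosted_zone_id.strip().split("/")[-1]  # accept "/hostedzone/Z..." or bare "Z..."
    if not zone_id:
        raise ValueError("load balancer hosted zone ID is required")
    name = root_domain.strip().lower().rstrip(".") + "."
    return {
        "Comment": f"Alias DNS record for {name}",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": zone_id,
                    "DNSName": lb_dns_name.strip().lower().rstrip(".") + ".",
                    "EvaluateTargetHealth": evaluate_target_health,
                },
            },
        }],
    }


def write_change_file(change_batch, path="elb-alias-record.json"):
    """Write the batch for: aws route53 change-resource-record-sets --change-batch file://<path>."""
    with open(path, "w") as fh:
        json.dump(change_batch, fh, indent=2)
    return path


def lookup_load_balancer_target(lb_name, region):
    """DNSName and canonical hosted zone ID of an ALB/NLB by name (needs boto3 + AWS credentials)."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    lb = elbv2.describe_load_balancers(Names=[lb_name])["LoadBalancers"][0]
    return lb["DNSName"], lb["CanonicalHostedZoneId"]


def apply_change_batch(hosted_zone_id, change_batch):
    """Submit the batch to the hosted zone being edited and block until the change is INSYNC."""
    import boto3
    r53 = boto3.client("route53")
    change_id = r53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)["ChangeInfo"]["Id"]
    # Equivalent to re-running get-change until Status == INSYNC (the waiter polls every 30 s).
    r53.get_waiter("resource_record_sets_changed").wait(Id=change_id)
    return change_id


if __name__ == "__main__":
    # Assumed values: an ALB in us-east-1 (canonical hosted zone Z35SXDOTRQ7X7K) and the
    # hosted zone ID returned by the Audit. Nothing is sent to AWS unless the last line is enabled.
    batch = build_alias_change_batch(
        "domain.com",
        "dualstack.cc-app-load-balancer-123456789012.us-east-1.elb.amazonaws.com",
        "Z35SXDOTRQ7X7K",
    )
    print(json.dumps(batch, indent=2))
    # apply_change_batch("/hostedzone/ABCD1234ABCD1234ABCD", batch)
```

The dualstack. prefix is not returned by describe-load-balancers; add it yourself for an Application or Classic Load Balancer when you want the apex record to resolve over IPv6 as well, and leave it off for a Network Load Balancer unless the NLB was created as dualstack.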
References
- AWS Documentation
- Amazon Route 53 FAQs
- Working with Public Hosted Zones
- Configuring Amazon Route 53 as Your DNS Service
- Routing Traffic to an ELB Load Balancer
- Values for Alias Records
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- route53
- list-hosted-zones
- list-resource-record-sets
- change-resource-record-sets
- get-change