
Check for Route 53 Public Zones with Private Records

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure there are no public Amazon Route 53 hosted zones that contain DNS records for private IPs/resources within your AWS account, in order to avoid leaking information about your internal (private) network and the resources hosted on it, and to optimize Route 53 service costs. The most common reason for placing private IP records in a public hosted zone is split-view DNS, where a private and a public DNS record are created to manage internal and external versions of the same website or application. Trend Cloud One™ – Conformity strongly recommends using a private hosted zone to define your private DNS records, which can be used in combination with a public hosted zone to implement split-view DNS for your applications. A private Amazon Route 53 hosted zone will resolve internal DNS queries (coming from within the associated VPC network) without exposing DNS data to the public Internet. From the cost optimization perspective, since all Route 53 DNS queries are charged, using a private hosted zone will also reduce DNS service costs when combined with conditional forwarders within your VPC. Conditional forwarders can be implemented through a DNS server that caches the DNS responses from Amazon name servers, thus reducing the number of queries sent from your internal network.

Security
Cost optimisation

Defining private DNS records within your public Amazon Route 53 hosted zone is considered bad practice: it exposes useful information, such as the IP addresses of specific internal resources and your internal subnet scheme, to malicious users, who can use this information to gain access to your resources through social engineering. In contrast, private Amazon Route 53 hosted zones safeguard against malicious scanners that are trying to learn your internal IP addresses, addressing scheme or network layout. With private hosted zones you will also reduce Route 53 service costs by sending fewer queries to the AWS name servers (DNS response caching).


Audit

To determine if your public Route 53 hosted zones contain private DNS records, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Dashboard, choose Hosted zones.

04 Click inside the Filter hosted zones by property or value box, select Type, type Public and press Enter, to return the list with the public hosted zones created within your AWS cloud account.

05 Click on the domain name of the public hosted zone that you want to examine.

06 In the Records section, select A from the Type dropdown list to list all the A (Address) records created for the selected hosted zone, then check the Value/Route traffic to column for any private IP addresses assigned to the available A records. If one or more A records route traffic to private IPs such as 172.31.49.26 and 10.0.0.5, the selected Amazon Route 53 Public Hosted Zone contains DNS records configured for private IPs.

07 Repeat steps no. 5 and 6 for each public hosted zone available within your AWS cloud account.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to list the ID of each Amazon Route 53 hosted zone created in your AWS cloud account:

aws route53 list-hosted-zones \
  --query "HostedZones[*].Id"

02 The command output should return an array with the requested hosted zone IDs:

[
	"/hostedzone/ABCD1234ABCD1234ABCD",
	"/hostedzone/ABCDABCD1234ABCDABCD"
]

03 Run get-hosted-zone command (OSX/Linux/UNIX) using the ID of the DNS hosted zone that you want to examine as the identifier parameter and custom query filters to determine if the selected hosted zone is public or private:

aws route53 get-hosted-zone \
  --id /hostedzone/ABCD1234ABCD1234ABCD \
  --query "HostedZone.Config.PrivateZone"

04 The command output should return the requested configuration information (false for public, true for private). If the get-hosted-zone command output returns true, the Audit process ends here, otherwise you can continue the Audit process with the next step:

false

05 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the public hosted zone that you want to examine as the identifier parameter and custom filtering to list the A (Address) records created for the selected hosted zone:

aws route53 list-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
  --query "ResourceRecordSets[?Type == 'A']"

06 The command output should return an array with all the A DNS record sets created for the specified public hosted zone:

[
	{
		"Name": "example.com.",
		"Type": "A",
		"TTL": 86400,
		"ResourceRecords": [
			{
				"Value": "54.83.105.172"
			}
		]
	},
	{
		"Name": "blog.example.com.",
		"Type": "A",
		"TTL": 86400,
		"ResourceRecords": [
			{
				"Value": "172.31.49.26"
			}
		]
	},
	{
		"Name": "dev.example.com.",
		"Type": "A",
		"TTL": 86400,
		"ResourceRecords": [
			{
				"Value": "10.0.0.5"
			}
		]
	}
]

Check the "Value" property returned for each A DNS record. If one or more A records have private IPs as their values, as in the output example above (e.g. 172.31.49.26 and 10.0.0.5), the selected Amazon Route 53 Public Hosted Zone contains DNS records configured for private IP addresses.

07 Repeat steps no. 5 and 6 for each public hosted zone created in your AWS cloud account.
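The CLI audit above (list hosted zones, keep only the public ones, list their A records, look for private values) can be automated across an account. The script below is an added example and is not part of the Conformity page, the AWS CLI or the AWS SDK; it reproduces that logic in Python and extends it slightly by also checking AAAA records against the IPv6 ULA and link-local ranges. The boto3 client interface (get_paginator for list_hosted_zones and list_resource_record_sets) is assumed; the FakeRoute53 class is a constructed stand-in whose data mirrors the sample output shown in the Audit section, so the script runs offline. With a real client, pass boto3.client("route53") to audit_public_zones instead.

```python
"""Flag private IP addresses published in public Route 53 hosted zones.

Added example, not code from the Conformity page or from AWS. The boto3
client shape is assumed; FakeRoute53 below is constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges that should never appear in a public zone: RFC 1918, link-local
# (169.254/16, which also holds the EC2 metadata endpoint), the shared
# address space some VPC designs use, and the IPv6 ULA / link-local ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10",
)]


def is_private_value(value: str) -> bool:
    """True if the record value is an IP inside one of PRIVATE_NETWORKS.
    Non-IP values (CNAME targets, alias names) are never flagged here."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETWORKS if net.version == addr.version)


def private_records(record_sets: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for A/AAAA records whose value is private.
    Takes the ResourceRecordSets list as returned by list-resource-record-sets."""
    findings = []
    for rrset in record_sets:
        if rrset.get("Type") not in ("A", "AAAA"):
            continue
        for rr in rrset.get("ResourceRecords", []):
            if is_private_value(rr["Value"]):
                findings.append((rrset["Name"], rr["Value"]))
    return findings


def audit_public_zones(client) -> dict:
    """Walk every public hosted zone via a boto3-style client and return
    {zone_id: [(name, value), ...]} for zones that publish private IPs.
    Private zones are skipped: they are the recommended home for such records."""
    results = {}
    for page in client.get_paginator("list_hosted_zones").paginate():
        for zone in page["HostedZones"]:
            if zone["Config"].get("PrivateZone", False):
                continue
            rrsets = []
            pager = client.get_paginator("list_resource_record_sets")
            for rpage in pager.paginate(HostedZoneId=zone["Id"]):
                rrsets.extend(rpage["ResourceRecordSets"])
            found = private_records(rrsets)
            if found:
                results[zone["Id"]] = found
    return results


class _FakePaginator:
    """Minimal stand-in for a boto3 paginator (constructed for this example)."""
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kwargs):
        pages = self._pages(**kwargs) if callable(self._pages) else self._pages
        return iter(pages)


class FakeRoute53:
    """Constructed stand-in for boto3.client('route53'); zone IDs and record
    values mirror the sample output in the Audit section, plus one AAAA record."""
    ZONES = [
        {"Id": "/hostedzone/ABCD1234ABCD1234ABCD", "Name": "example.com.", "Config": {"PrivateZone": False}},
        {"Id": "/hostedzone/ABCDABCD1234ABCDABCD", "Name": "example.com.", "Config": {"PrivateZone": True}},
    ]
    RECORDS = {
        "/hostedzone/ABCD1234ABCD1234ABCD": [
            {"Name": "example.com.", "Type": "A", "TTL": 86400, "ResourceRecords": [{"Value": "54.83.105.172"}]},
            {"Name": "blog.example.com.", "Type": "A", "TTL": 86400, "ResourceRecords": [{"Value": "172.31.49.26"}]},
            {"Name": "dev.example.com.", "Type": "A", "TTL": 86400, "ResourceRecords": [{"Value": "10.0.0.5"}]},
            {"Name": "v6.example.com.", "Type": "AAAA", "TTL": 300, "ResourceRecords": [{"Value": "fd00::1"}]},
            {"Name": "www.example.com.", "Type": "CNAME", "TTL": 300, "ResourceRecords": [{"Value": "example.com."}]},
        ],
        "/hostedzone/ABCDABCD1234ABCDABCD": [
            {"Name": "db.example.com.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "10.0.0.7"}]},
        ],
    }

    def get_paginator(self, name):
        if name == "list_hosted_zones":
            return _FakePaginator([{"HostedZones": self.ZONES}])
        if name == "list_resource_record_sets":
            return _FakePaginator(lambda HostedZoneId: [{"ResourceRecordSets": self.RECORDS[HostedZoneId]}])
        raise ValueError(name)


if __name__ == "__main__":
    for zone_id, leaks in audit_public_zones(FakeRoute53()).items():
        for name, value in leaks:
            print(f"{zone_id}: {name} -> {value}")
```

Running the script against the constructed data reports the three leaking records in the public zone (blog, dev and v6) and stays silent about the private zone, which is exactly the outcome the manual steps 03 to 06 produce one zone at a time.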

Remediation / Resolution

To reduce your Amazon Route 53 service costs and adhere to security best practices by keeping private DNS records out of your public hosted zones, create and configure an Amazon Route 53 Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC); the Route 53 service will only return the private DNS records in that zone when queried from within the associated VPC. Keeping your private hosted zone separate from your public zone also prevents the Internet from sending unnecessary queries for your private DNS records and, combined with conditional forwarders, gives you the opportunity to save costs. To create an Amazon Route 53 Private Hosted Zone and define the necessary private DNS records, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"Route53HostedZone": {
			"Type": "AWS::Route53::HostedZone",
			"Properties": {
				"HostedZoneConfig": {
					"Comment": "Route53 private DNS hosted zone for domain.com"
				},
				"Name": "domain.com",
				"HostedZoneTags": [
					{
						"Key": "Owner",
						"Value": "IT"
					}
				],
				"VPCs": [
					{
						"VPCId": "vpc-01234abcd1234abcd",
						"VPCRegion": "us-east-1"
					}
				]
			}
		},
		"Route53Record": {
			"Type": "AWS::Route53::RecordSet",
			"Properties": {
				"HostedZoneId": {
					"Ref": "Route53HostedZone"
				},
				"Name": "dev.domain.com",
				"Type": "A",
				"TTL": "86400",
				"ResourceRecords": [
					"10.0.0.5"
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: Route53 private DNS hosted zone for domain.com
      Name: domain.com
      HostedZoneTags:
        - Key: Owner
          Value: IT
      VPCs:
        - VPCId: vpc-01234abcd1234abcd
          VPCRegion: us-east-1
  Route53Record:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref Route53HostedZone
      Name: dev.domain.com
      Type: A
      TTL: '86400'
      ResourceRecords:
        - 10.0.0.5

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# A private hosted zone can only be associated with a VPC that has
# DNS hostnames and DNS support enabled.
resource "aws_vpc" "vpc-network" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"
}

# Declaring a vpc block makes this a private hosted zone.
resource "aws_route53_zone" "route53-hosted-zone" {
  name    = "domain.com"
  comment = "Route53 private DNS hosted zone for domain.com"
  tags = {
    Owner = "IT"
  }
  vpc {
    vpc_id = aws_vpc.vpc-network.id
  }
}

# The private A record lives in the private zone; records is a list.
resource "aws_route53_record" "route53-record" {
  zone_id = aws_route53_zone.route53-hosted-zone.zone_id
  name    = "dev.domain.com"
  type    = "A"
  ttl     = 86400
  records = ["10.0.0.5"]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Dashboard, choose Hosted zones.

04 Choose Create hosted zone from the console top menu to initiate the private zone setup:

  1. For Domain name, provide the domain name that you want to manage with your new private DNS hosted zone.
  2. (Optional) For Description - optional, enter a short description for the new hosted zone.
  3. For Type, choose Private hosted zone to route traffic to a VPC network.
  4. Select Private Hosted Zone for Amazon VPC from the Type dropdown list.
  5. In the VPCs to associate with the hosted zone section, choose the AWS region and the VPC network that you want to associate with your new private hosted zone. Choose Add VPC to save the VPC configuration. Note: In order to use the specified VPC, the VPC network must have the following configuration attributes set to true: enableDnsHostnames and enableDnsSupport.
  6. (Optional) For Tags, use the Add tag button to apply tags to the new hosted zone for better organization and identification within your AWS cloud account.
  7. Choose Create hosted zone to create your new Amazon Route 53 Private Hosted Zone.

05 To add the necessary private DNS records, open the newly created hosted zone, select the Records tab, choose Create record, and perform the following actions:

  1. For Record name, enter the name of the DNS record that you want to create. To route traffic for the name of the domain, such as example.com, leave the Record name field blank. The default value is the name of the hosted zone.
  2. For Record type, select the record set type (e.g. A, AAAA).
  3. For Value, enter the value required by the selected record type (in this case a private IP address).
  4. For TTL (seconds), select a Time to Live (TTL) value in seconds.
  5. For Routing policy dropdown list, choose how Amazon Route 53 routes traffic to your resources.
  6. (Optional) Choose Add another record and repeat steps no. 1 – 5 for each DNS record that you want to create.
  7. Choose Create records to add the new record(s) to your private hosted zone.

06 Repeat steps no. 4 and 5 to create and configure additional private hosted zones within your AWS cloud account.

Using AWS CLI

01 Run create-hosted-zone command (OSX/Linux/UNIX) to create a new Amazon Route 53 Private Hosted Zone. The following command request example creates a private hosted zone for a domain name called "example.com" and associates the DNS zone with a VPC identified by the ID "vpc-abcd1234", available within the US East region:

aws route53 create-hosted-zone \
  --name example.com \
  --caller-reference 2021-11-10-17:35 \
  --hosted-zone-config Comment="Private DNS hosted zone for example.com",PrivateZone=true \
  --vpc VPCRegion="us-east-1",VPCId="vpc-abcd1234" \
  --query "HostedZone.Id"

02 The command output should return the ID of the new private hosted zone:

"/hostedzone/ABCDABCDABCDABCDABCD"

03 To add the necessary private DNS records to your new private hosted zone, you must create an Amazon Route 53 change batch file: declare the new record set and save the record definition to a JSON file named private-dns-record-set.json. The following change batch example describes a private A DNS record (dev.example.com) that routes traffic to a private IP address (e.g. 10.0.0.5):

{
	"Comment": "Private A record for example.com hosted zone",
	"Changes": [
		{
			"Action": "CREATE",
			"ResourceRecordSet": {
				"Name": "dev.example.com.",
				"Type": "A",
				"TTL": 86400,
				"ResourceRecords": [
					{
						"Value": "10.0.0.5"
					}
				]
			}
		}
	]
}

04 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the private hosted zone that you want to configure, listed at step no. 2, and the Amazon Route 53 change file created at the previous step (i.e. private-dns-record-set.json) as command parameters to add the new private DNS record to the selected hosted zone:

aws route53 change-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCDABCDABCDABCDABCD" \
  --change-batch file://private-dns-record-set.json

05 The command output should return the metadata for the new DNS record set:

{
	"ChangeInfo": {
		"Status": "PENDING",
		"Comment": "Private A record for example.com hosted zone",
		"SubmittedAt": "2021-11-10T17:49:59.642Z",
		"Id": "/change/1234ABCDABCDABCD1234"
	}
}

06 Run get-change command (OSX/Linux/UNIX) using the change request ID returned at the previous step as the identifier parameter, to describe the status of the newly submitted record change:

aws route53 get-change \
  --id "/change/1234ABCDABCDABCD1234"

07 The command output should return the current status of the DNS record request. The current status should be INSYNC, which indicates that the change was fully propagated to all Amazon Route 53 DNS server nodes:

{
	"ChangeInfo": {
		"Status": "INSYNC",
		"Comment": "Private A record for example.com hosted zone",
		"SubmittedAt": "2021-11-10T17:49:59.642Z",
		"Id": "/change/1234ABCDABCDABCD1234"
	}
}

08 Repeat steps no. 1 – 7 to create and configure additional private hosted zones within your AWS cloud account.


Publication date Jun 12, 2017