Ensure there are no public Amazon Route 53 hosted zones that contain DNS records for private IPs/resources within your AWS account in order to avoid leaking information about your internal (private) network and the resources hosted on it, and to optimize Route 53 service costs. The most common use case for using private IP records in a public hosted zones is when users are implementing the split-view DNS method, where a private and a public DNS record is created to manage internal and external versions of the same website or application. Trend Cloud One™ – Conformity strongly recommends using a private hosted zone to define your private DNS records which can be used in combination with a public hosted zone to implement split-view DNS for your applications. A private Amazon Route 53 hosted zone will resolve any internal DNS queries (coming from within the associated VPC network) without exposing DNS data to the public Internet. From the cost optimization perspective, since all Route 53 DNS queries are charged, using a private hosted zone will also reduce the DNS service costs by using conditional forwarders within your VPC. Conditional forwarders can be implemented through a DNS server that will allow you to cache the DNS responses from Amazon name servers, thus reduce the number of queries within your internal network.
optimisation
Defining private DNS records within your public Amazon Route 53 hosted zone is considered bad practice and does provide useful information such as the IP addresses for specific internal resources and their internal subnet scheme to malicious users which can use this information to gain access to your resources through social engineering hacks. In contrast, public Amazon Route 53 hosted zones will safeguard against any malicious scanners that are trying to learn your internal IP address, scheme or network. With private hosted zones you will also reduce the Route 53 service costs by querying less the AWS name servers (DNS response caching).
Audit
To determine if your public Route 53 hosted zones contain private DNS records, perform the following actions:
Remediation / Resolution
To reduce your Amazon Route 53 service costs and adhere to security best practices by using private DNS records outside of your public hosted zones, you can create and configure an Amazon Route 53 Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Route 53 service will only return your private DNS records when queried from within the associated VPC. Keeping your private hosted zone separated from your public zone will also prevent the Internet from making unnecessary queries to your hosted zone private DNS records (using conditional forwarders), providing you with the opportunity to save costs. To create an Amazon Route 53 Private Hosted Zone and define the necessary private DNS records, perform the following actions:
References
- AWS Documentation
- Amazon Route 53 FAQs
- What is Amazon Route 53?
- Working with public hosted zones
- Working with records
- Supported DNS record types
- Creating a private hosted zone
- Working with private hosted zones
- AWS Command Line Interface (CLI) Documentation
- route53
- list-hosted-zones
- list-resource-record-sets
- create-hosted-zone
- get-hosted-zone
- change-resource-record-sets
- get-change