It's in the documentation, https://aws.amazon.com/route53/faqs/#associate_multiple_ip_with_single_record
You need a single record with multiple values, also see here https://stackoverflow.com/questions/40841273/multiple-ip-addresses-for-resource-record-sets-of-route-53
Route53 (for DNS queries) has a 100% SLA. This doesn't hold for the control plane, which has occasional outages. But, as far as I'm aware, Route53 has not breached that SLA for query responses.
There are plenty of other factors I'd take into consideration for DNS before thinking about availability.
Have you considered moving all of your DNS to either Route53 or Azure DNS?
You'd have a more consistent management experience, and at least Azure DNS has an easy way to back up your zones through the CLI.
You'd also be able to start automating the deployments of new domains.
https://aws.amazon.com/route53/ https://azure.microsoft.com/en-us/services/dns/
Just a pointer. The DNS entry is still managed by GoDaddy.
From their site:
>If you want to keep your domain name with the current registrar, inform the registrar to update the name servers for your domain to the ones associated with your hosted zone. If you’ve registered a domain name with Route 53, your domain name will be automatically associated with the correct name servers.
Do yourself a favor, skip GoDaddy. I'm sure others will chime in. Just no GoDaddy.
You pay for the number of DNS queries against the latency-based records
> Latency Based Routing Queries $0.600 per million queries – first 1 Billion queries / month $0.300 per million queries – over 1 Billion queries / month
I don't have good reference links handy, but the short story is that CNAME is technically invalid for "naked domains" / "apex domains". Look at all the big websites... they all begin with "www" and don't use the apex domain. There's a reason for that.
I believe the distributed nature of S3 complicates this further, and it simply isn't doable unless using Route53 as the authoritative DNS server and using an alias instead of a CNAME.
There might be further hindrances if you move to a CDN and/or https.
Personally I gave up and am just redirecting all my old links to "www" like all the big boy sites do.
Edit: I can't find a definitive answer on "why not", but here are a couple of links
> Amazon Route 53 offers a special type of record called an ‘Alias’ record that lets you map your zone apex (example.com) DNS name to your [...]
Edit 2: First edit cross-posted with OP's reply, but they seem to have their issue resolved.
There is now support (as of last fall, I believe) for apex domain (mysite.com vs www.mysite.com) resolution via route53 and s3 static https://aws.amazon.com/route53/faqs, under the DNS section. As for costs with rt3, you will pay the standard domain ownership fees to ICANN and a small fee to host the domain with aws per domain name, and then there is a scaled fee based on request volumes, but they aren't cost prohibitive. Check out https://calculator.s3.amazonaws.com/index.html for more info.
It's an RFC violation to have an SOA and a CNAME with the same record name. When you have a CNAME, you're not allowed to have any other records with that name.
That said, there are cases with a special record type to do what you want (CNAME your zonename). In PowerDNS, it's an ALIAS record. A quick glance at Amazon's R53 docs says that it's also ALIAS there (https://aws.amazon.com/route53/faqs/#which_dns_records_are_supported).
No. That's a terrible idea.
1) If you're using Route 53, ALIAS records should be used because this is exactly the use case that they're intended for, and queries to ALIAS records are free where CNAMEs are not (https://aws.amazon.com/route53/pricing/)
2) CNAME to the zone apex is an illegal implementation per the related RFCs and is generally not supported. Anything that supports this goes against the standard.
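As an added illustration of the rule discussed in the comments above (my own code, not from the thread, PowerDNS or Route53): a small Python check that flags any owner name holding a CNAME alongside other records, which is why a CNAME at the apex always collides with the SOA and NS, plus a function that mimics what an ALIAS does by answering with the target's addresses instead. The zone data and the target's addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample zone: an apex CNAME to an S3 website endpoint sitting next
# to the SOA and NS records every zone apex must own. Hostnames and addresses
# are illustrative only, not real infrastructure.
S3_ENDPOINT = "mybucket.s3-website-us-east-1.amazonaws.com."
ZONE_WITH_APEX_CNAME = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", S3_ENDPOINT),       # collides with SOA/NS
    ("www.example.com.", "CNAME", S3_ENDPOINT),   # fine: www owns nothing else
]

def _key(name):
    """Normalise an owner name so 'Example.COM.' and 'example.com' compare equal."""
    return name.lower().rstrip(".")

def find_cname_conflicts(records):
    """Return the sorted owner names that hold a CNAME together with any other
    record type (RFC 1034 section 3.6.2 forbids that combination)."""
    types_by_name = defaultdict(set)
    for name, rtype, _value in records:
        types_by_name[_key(name)].add(rtype.upper())
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)

def synthesize_alias(records, target_addresses):
    """Rewrite conflicting CNAMEs the way an ALIAS answer works: the owner name
    is answered with the target's current A addresses rather than with a CNAME.
    `target_addresses` is a constructed stand-in for the lookup Route53 performs
    against the AWS resource at query time."""
    conflicts = set(find_cname_conflicts(records))
    out = []
    for name, rtype, value in records:
        if rtype.upper() == "CNAME" and _key(name) in conflicts:
            out.extend((name, "A", addr) for addr in target_addresses[value])
        else:
            out.append((name, rtype, value))
    return out

if __name__ == "__main__":
    print("conflicts:", find_cname_conflicts(ZONE_WITH_APEX_CNAME))
    fixed = synthesize_alias(ZONE_WITH_APEX_CNAME, {S3_ENDPOINT: ["192.0.2.10", "192.0.2.11"]})
    print("after alias synthesis:", find_cname_conflicts(fixed))
```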
“DNS recon” is just using the DNS system to find information you want. Any DNS guide like https://aws.amazon.com/route53/what-is-dns/ will help you understand what DNS does do, and what its limitations are.
> I use DigitalOcean DNS
You're fine. Don't try to cook up your own solution, because DigitalOcean behind the scenes uses Cloudflare's DNS proxy (https://www.cloudflare.com/case-studies/digitalocean/) and you're not going to build a better solution than that on your own.
Yes, outages may occasionally happen, anywhere. If you need higher levels of availability perhaps put your zone on Route 53 (they offer an SLA of 100% for this service if I recall correctly).
>Not sure what prem deployment is,
It is on prem, meaning you are housing and maintaining the equipment.
Doing this with cloud is pretty simple; Amazon AWS has Route 53
https://aws.amazon.com/route53/
And MS Azure has Azure DNS
https://azure.microsoft.com/en-us/services/dns/
Both pretty much allow you to map multiple DNS entries with some kind of auto-failover features.
Just FYI, Amazon's Route53 (part of AWS) is also a good registrar. $12/yr registration for most TLDs, free WHOIS privacy. You can use their hosted DNS service or point to your own, and they support IPv6 glue records and DNSSEC keys for external DNS providers.
I use Route53, part of Amazon's AWS suite. Pricing for domain registration is comparable to Google Domains. Route53 also provides free private registration on most domains, and they offer registration for more TLDs than Google does (or did, the last time I used Google Domains ~2 years ago).
>No SLAs though - you're stuffed if they have an outage.
Feels unlikely, but https://aws.amazon.com/route53/sla/ exists
>I use Neustar's UltraDNS service. I'm paying about AU$500 or so a month, for nearly 100 domains and 20M queries.
100 domains and 20M queries is $28 on AWS
>Interface is solid and easy to use. They have APIs that Infoblox work with, and offer seasonal upgrades for busy months.
Like most things AWS, it's API driven so you could set up your own if you need it; the console is enough for day to day.
Be careful with that: an ENI is $0.125 per hour and a resolver needs a minimum of 2 ENIs, which after 30 days is just $180 for having it idle in your VPC.
You don’t need to transfer anything. You can keep the registration through namecheap, but point the nameserver records to Route53. The record values you need to enter in Namecheap will be there after you create the zone in Route53
No matter what you have to pay a registration fee for the domain. At minimum this is annually but if you purchased it for 2 years, you pay that cost every other year. I’m not sure how namecheap compares to Route53 for registration costs, but I’d bet namecheap is generally going to be cheaper.
As for monthly costs, Route53 is pretty cheap. Unless you’re doing something overly complicated like geo-routing or your sites blow up, you’d maybe spend $1 a month in Route53 costs. https://aws.amazon.com/route53/pricing/
There is a whole AWS calculator that may be helpful to you at calculator.aws
Namecheap is free to manage DNS records, but you lose the flexibility and ease of integration with AWS. Like if you wanted to have your site under SSL and you’re using an app load balancer (extra cost) or some other services in AWS, you can get free certificates and the setup time is just a couple minutes. Though you could achieve the same results using something like cloudflare.
Be careful with AWS services and billing. Set up billing alarms so if you start to reach your monthly limit you have a chance to turn things off (or adjust them) to save money. AWS support is pretty good at forgiving your first oops moment, but it’s not guaranteed.
Nope. You pay only for the registration of each year on Route53 domains. Changing contacts, name servers, etc doesn't cost you anything.
It's always worth checking the pricing pages of the service: https://aws.amazon.com/route53/pricing/#Domain_Names
Under normal circumstances, it takes up to a minute for a change to be reflected in the DNS servers. My concern would be that you can't wait that long to ensure it's available at the client. And if the client checks too early then the NXDOMAIN response will be cached locally, so you can't expect to retry anytime soon.
Route53 offers per-zone access control and also has tags per domain which might also be available for access control. It'd cost about $6.04 / year.
I stopped on this question because it is a really good question, and I would like to know the definitive answer. That being said I am about to make assumptions.
I would never tell anyone to NOT backup. So if you want/need to backup IAM then using CloudFormation or Terraform are probably your best options (as mentioned throughout this post).
That being said, IAM is a global service that provides authentication and authorization for every region in the world. Let me make some assumptions about that point. If IAM, the service, goes down it most likely affects everyone in the world. Therefore it stands to reason (assumption?) that if your IAM needs to be re-installed/re-established/re-created that you will probably be creating just enough users to pack up your data and move it to another cloud provider. Because why would anyone want to use a cloud service that experiences such a catastrophic loss, amirite?
There is precedent for AWS providing a 100% uptime guarantee, as it does with Route 53. Link: https://aws.amazon.com/route53/sla/
Although AWS does not specifically identify an SLA for IAM I am assuming it is also 100% based on how devastating a loss of service would be for such an important function.
I guess it depends on what part of the world you are in: "AWS currently provides Domain Name Registration Services through Gandi SAS, Mesh Digital Limited, Amazon Registrar, Inc., and other ICANN-accredited registrars (the “Registrar”)," https://aws.amazon.com/route53/domain-registration-agreement/
Well then yeah you need to get with AWS on why it hasn't updated as of yet.
> Can elaborate on this "It's mostly just learning to interact with a VPS and a linux machine that you can only SSH into".
The most difficult part of a VPS for most people is that you have to use the terminal on linux. If you are okay with that then it'd be no big deal.
Look into Route 53. That's the solution to your DNS question.
Until relatively recently, I had very little working knowledge of DNS. Then I had to implement a new system feature which required non-trivial usage of DNS. I stumbled my way through designing and implementing the feature; although I'm far from an expert now, I was forced to gain enough of an understanding of the basics to build something functional. I did eventually manage to find some in-house DNS experts to review the design post-facto, but prior to that it was just a combination of googling, Stack Overflow, and trial-and-error.
For you, I would recommend defining what specifically your goals for "DNS skills" are and figuring out a way to exercise them in some kind of project, whether it's real or just for learning/practice. Although it's fundamental to practically all computer networks, DNS seems to be one of those niche technical subjects where there is rarely a focus on it as a separate subject unto itself, and I think the best way to learn is by seeing how it is applied in the context of a broader technical system.
Edit: I would recommend AWS Route53 as a good tool for learning about DNS - it makes it simple to play around with various types of records, including a UI for testing them.
Good article here
https://www.cbronline.com/news/aws-ddos-attack
AWS late yesterday was hit by a sustained DDoS attack, which appears to have lasted some eight hours. The incident hit its Route 53 DNS web offering, knocking down other services, and raises many questions about the nature of the attack and about AWS’s own DDoS mitigation service, “Shield Advanced”.
The attack on AWS left many customers struggling to access AWS’s S3 services, with many AWS services relying on external DNS queries, including its Relational Database Service (RDS), and Elastic Load Balancing (ELB). The US East Coast appears to have been particularly severely hit. (AWS described the impact of the attack as only affecting a “small number of specific DNS names”).
Hi there. You have said you are watching costs, but DNS is very chatty. Are you using Route 53 for DNS? If so it can be very very chatty. Have a look at https://aws.amazon.com/route53/pricing/
$0.40 per million looks small, until you realise that 8000 million is going to sting (even when you consider it is $0.20 per million after 1000 million).
Finally there is a limit of 10,000 records per domain, and there is a charge that is not disclosed. "An additional charge applies for a hosted zone that contains more than 10,000 records. Need more than 500 hosted zones or more than 10,000 records in a hosted zone? Please contact us."
Upping that limit seems possible.
Set some alarms. Keep an eye on it.
There is actually a cost associated with DNS queries on Route 53. $0.400 per million queries – first 1 Billion queries / month.
See https://aws.amazon.com/route53/pricing/
Tags on IAM resources are a much cheaper solution.
If you're more of a developer type person, I can recommend Amazon Route 53 (an Amazon Web Services [AWS] component) for domain availability lookup and registration.
Note that this service probably isn't very accessible if you're not comfortable with web administration.
If you are using R53, there are fees for DNS queries depending on how you configured the hosted zone. Not too much, but something to consider while optimizing costs.
https://aws.amazon.com/route53/pricing/#Alias_Queries
I think your best bet is LightSail if not heavily used website or go with S3 if the pages are static. Good luck!
I did something similar, except I was hosting my site on S3 buckets. The steps I had to follow were:
Takes a couple of hours for everything to update. but it's pretty straightforward.
It's peanuts, but AWS charges for CNAME lookups (albeit, a VERY small amount), whereas they don't for ALIAS records: https://aws.amazon.com/route53/pricing/
ALIAS records should be used when pointing a record to a load balancer, CloudFront distribution, S3 bucket, etc. I've seen lots of scenarios where people will create a CNAME to their load balancer's DNS name, instead of using the ALIAS. The lookup would still return the same value (public IP), but it would be free with an Alias and charged via a CNAME.
IIRC, while technically they act the same, billing-wise, they don't. I think you get dinged for your CNAME, but an alias lookup is free. (Not a huge deal because Route53 is a pretty cheap service to begin with.) Here's the pricing page for Route53: https://aws.amazon.com/route53/pricing/
https://aws.amazon.com/route53/sla/
Yes, you won't be reimbursed a lot, but so far there has never been a Route53 outage (only once there was an issue with creating new records via the API for an hour or so, but that's not exactly production impacting).
ok, let's see. In a setup like that, you can't just have a DNS server of your own. You have to register it with the company wide network setup. So let's think of another solution - which could have the same outcome.
Maybe you could register a free Amazon Web Services (AWS) account, enter the Route 53 DNS and domain service, and register a new domain - something like yourproject.io. This domain costs money, but only a few bucks per year, so it's really cheap.
Then you start your http server with hostname and port (yourproject.io, 80). The port is important, because anything that differs from 80 has to be specified in the client's browser. So now, the only thing people have to enter in their browser is yourproject.io. The IP of your server is the one you enter with the hostname in Route53, so the lookup ends with your computer.
This incorporates no mingling with the central administration team, but costs like $10 per year.
WDYT?
DISCLAIMER I'm pretty sure the central administration does not want or allow custom servers to be run on desktop machines. Additionally, this violates several compliance checks, as for data privacy and data security.
What kind of traffic are you working with right now when it comes to your web server?
What are you expecting in the future?
>I know enough to keep a server online, secure, and advertised to the Public via DNS and a hole in the firewall, and filtered through a security appliance.
I hope said web server is not on your internal network (even if it's going through a security appliance). That system should be in a DMZ.
>Currently running on a 2012R2 VM, with MySQL (On same box - Yeah, I need to separate those). 1 public IP addresses. F5 Appliance.
So as you said, the first step would be to separate those. After you do that, then based on your web app you can look into configuring load balancing to spread the web requests across several web servers. Check out your F5 appliance to see what it supports for load balancing. Make sure you have some kind of redundancy with the MySQL server so if it fails your environment will still function.
Another option you can look into is maybe utilizing something like AWS Route 53 (it supports on premises); however, you won't get the full ability to do any kind of auto scaling unless you're hosting in AWS
https://aws.amazon.com/route53/
Or depending on your web application AWS cloudfront
https://aws.amazon.com/cloudfront/
The bottom line is how much money, time, and equipment you have to put into this. If this is a situation where your company is going to lose money when your site is down, then don't skimp on the budget.