
Create DNS Alias Record for Root Domain

Security

Risk level: Medium (should be achieved)

Ensure that a DNS alias record for the root domain name is created within your Amazon Route 53 hosted zone. An alias record is a Route 53-specific record type that lets you create an A record for the root domain (the zone apex) and point it to the fully qualified domain name (FQDN) of an Elastic Load Balancer (ELB) or an Amazon CloudFront distribution, something a standard CNAME record cannot do at the apex. Before the Cloud Conformity engine runs this rule, your root domain name needs to be configured in the rule settings on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Alias records provide a Route 53-specific extension to DNS functionality and can save you time, because the Route 53 service automatically recognizes changes in the resource that the alias record refers to. For example, suppose an alias record for the cloudconformity.com domain points to a load balancer at cc-prod-elb.us-east-1.elb.amazonaws.com. If the IP addresses of the ELB change, Route 53 automatically reflects those changes in DNS responses for cloudconformity.com without any changes to the hosted zone that contains the DNS records for the root domain. To point the root domain to an Elastic Load Balancer or to a CloudFront distribution, an alias resource record set should be created. Note: Ensure that you replace all <root_domain_name> placeholders found in the conformity rule content with your own root domain name.

Audit

To determine if there is a DNS alias record set for the root domain within your AWS Route 53 hosted zone, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create DNS Alias Record for Root Domain conformity rule settings and copy the root domain name configured for your web application (e.g. <root_domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

04 In the left navigation panel, under Dashboard, click Hosted Zones.

05 Select Public Hosted Zones from the dropdown list available under the dashboard top menu to list all your public hosted zones.

06 Paste the name of your root domain copied at step no. 1 inside the Search all fields box and press Enter. If the search process does not return any results, there is no AWS Route 53 hosted zone created for the domain name used by your web application, therefore the audit process ends here. To create and configure a Route 53 hosted zone for your root domain, follow the steps described in this conformity rule. If the search process returns a public hosted zone for your root domain name, continue the audit with the next step.

07 Select the hosted zone returned, then click the Go to Record Sets button to access the zone DNS records.

08 On the DNS Public Hosted Zone page, select A from the Record Type dropdown list to list all the A records within the selected hosted zone.

09 Select the Aliases Only checkbox to filter the existing results (i.e. A records) and list only the DNS alias records available within the selected hosted zone. If the filtering process does not return any alias records, there are no DNS alias records created for the root domain name of your web application. An alias record whose name is a subdomain (e.g. www) does not satisfy this rule; the record name must be the root domain itself.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create DNS Alias Record for Root Domain conformity rule settings and copy the root domain name configured for your web application (e.g. <root_domain_name>).

02 Run the list-hosted-zones command (OSX/Linux/UNIX) using the name of the domain copied at the previous step as the identifier and a custom query filter to get the ID of the AWS Route 53 hosted zone created for your root domain. Replace <root_domain_name> with your own root domain name (note the trailing dot, which Route 53 appends to every zone name):

aws route53 list-hosted-zones \
	--query "HostedZones[?Name == '<root_domain_name>.'].Id"

03 The command request should return one of the following outputs:

  1. If the list-hosted-zones command output returns an empty array (i.e. []), as shown in the example below, there is no Route 53 hosted zone created for your root domain name, therefore the audit process ends here. To create and configure a Route 53 hosted zone for your root domain, follow the steps outlined in this conformity rule:
    []
    
  2. If the command output returns the ID of the hosted zone created for your root domain name, as shown in the example below, continue the audit with the next step:
    [
        "/hostedzone/AAAABBBBCCCCDD"
    ]
    

04 Run the list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Route 53 hosted zone returned at the previous step to list the metadata for each DNS alias record set created within the selected hosted zone (the filter keeps only record sets that carry an AliasTarget):

aws route53 list-resource-record-sets \
	--hosted-zone-id AAAABBBBCCCCDD \
	--query 'ResourceRecordSets[?AliasTarget != null]'

05 The command output should return the metadata of the alias record set for the root domain name (if any):

[]

If the list-resource-record-sets command output returns an empty array (i.e. []), as shown in the example above, there are no DNS alias records created for the root domain name associated with your web application. If the output is not empty, check the Name attribute of each returned record set: only a record whose Name is exactly <root_domain_name>. counts as the root domain alias.

Remediation / Resolution

To create and configure an AWS Route 53 DNS alias record for your root domain name, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Select the public hosted zone that you want to reconfigure (see Audit section part I to identify the right zone), then click the Go to Record Sets button to access the hosted zone record sets.

05 Click the Create Record Set button from the dashboard top menu to initiate the DNS alias record setup and perform the following actions:

  1. In the Name box, provide the name of the root domain set for your web application (configured within the conformity rule settings).
  2. From the Type dropdown list select A – IPv4 address as the record set type.
  3. Select Yes next to Alias to specify that you want the new record to be an alias for an AWS resource such as an ELB or a CloudFront distribution.
  4. Click inside the Alias Target box and select the fully qualified domain name (FQDN) of the target resource. The target resource can be an ELB (e.g. cc-prod-elb.us-east-1.elb.amazonaws.com), a CloudFront web distribution (e.g. aaaabbbb123456.cloudfront.net), etc.
  5. From the Routing Policy dropdown list, select the routing method for the new DNS alias record, based on your application requirements.
  6. For Evaluate Target Health, select Yes or No to specify whether you want AWS Route 53 to check the health of the DNS record set.
  7. Click Create to add the new alias record to the selected hosted zone.
  8. (Optional) If required, repeat steps 1 - 7 to add new DNS alias records.

Using AWS CLI

01 To create the required DNS alias record, you first need to create an Amazon Route 53 change file (i.e. a JSON file that represents the alias record that you want to add to the hosted zone). Paste the following JSON document into a file named root-domain-alias-record.json and replace <root_domain_name>, <hosted_zone_id> and <target_resource_dns_name> with your own details. Note that <hosted_zone_id> inside AliasTarget is the hosted zone ID of the target resource (the ELB's or CloudFront distribution's canonical hosted zone), not the ID of the hosted zone you are editing:

{
  "Comment": "DNS Alias record for <root_domain_name>.",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "<root_domain_name>.",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "<hosted_zone_id>",
          "EvaluateTargetHealth": false,
          "DNSName": "<target_resource_dns_name>."
        }
      }
    }
  ]
}

02 Run the change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to reconfigure (see Audit section part II to identify the right zone) and the Route 53 change file created at the previous step (i.e. root-domain-alias-record.json) as command parameters to add a new DNS alias record set to the selected Route 53 hosted zone:

aws route53 change-resource-record-sets \
	--hosted-zone-id AAAABBBBCCCCDD \
	--change-batch file://root-domain-alias-record.json

03 The command output should return the metadata of the change request. The change status should be PENDING at this moment:

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "DNS Alias record for <root_domain_name>.",
        "SubmittedAt": "2018-04-14T12:37:29.642Z",
        "Id": "/change/AABBCC12345678"
    }
}

04 Run the get-change command (OSX/Linux/UNIX) using the AWS Route 53 change ID returned at the previous step as parameter to get the current status of the newly created alias record set:

aws route53 get-change \
	--id AABBCC12345678

05 The command output should return the current status of the alias record batch request. The current status should be INSYNC, which indicates that the change was fully propagated to all AWS Route 53 DNS server nodes:

{
  "ChangeInfo": {
    "Status": "INSYNC",
    "Comment": "DNS Alias record for <root_domain_name>.",
    "SubmittedAt": "2018-04-14T12:37:29.642Z",
    "Id": "/change/AABBCC12345678"
  }
}

06 (Optional) If required, repeat steps no. 1 – 5 to add new DNS alias records.
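The CLI audit above lists every alias in the zone, not only the one at the apex, and the remediation change batch must be assembled by hand. The following added example (not Cloud Conformity's or AWS's own code) performs the apex check on a constructed sample of list-resource-record-sets output and builds the change batch for change-resource-record-sets; all names and zone IDs in it are made up.

```python
import json

# Constructed sample of `aws route53 list-resource-record-sets` output:
# NS and SOA at the apex plus an alias on www only (non-compliant state).
SAMPLE_RECORD_SETS = json.loads("""
{"ResourceRecordSets": [
  {"Name": "cloudconformity.com.", "Type": "NS", "TTL": 172800,
   "ResourceRecords": [{"Value": "ns-1.example-dns.net."}]},
  {"Name": "cloudconformity.com.", "Type": "SOA", "TTL": 900,
   "ResourceRecords": [{"Value": "ns-1.example-dns.net. hostmaster.example.com. 1 7200 900 1209600 86400"}]},
  {"Name": "www.cloudconformity.com.", "Type": "A",
   "AliasTarget": {"HostedZoneId": "ZELBZONEEXAMPLE",
                   "DNSName": "cc-prod-elb.us-east-1.elb.amazonaws.com.",
                   "EvaluateTargetHealth": false}}
]}
""")


def normalize(name):
    """Route 53 returns names lower-cased with a trailing dot; compare in that form."""
    return name.lower().rstrip(".") + "."


def find_root_alias(record_sets, root_domain):
    """Return the apex alias record set, or None if the zone has no alias at the root.
    Matching on Name is what distinguishes a root alias from e.g. a www alias."""
    apex = normalize(root_domain)
    for rrset in record_sets["ResourceRecordSets"]:
        if normalize(rrset["Name"]) == apex and "AliasTarget" in rrset:
            return rrset
    return None


def audit(record_sets, root_domain):
    return "COMPLIANT" if find_root_alias(record_sets, root_domain) else "NON_COMPLIANT"


def build_alias_change_batch(root_domain, target_dns_name, target_zone_id,
                             evaluate_health=False):
    """Build the change batch for `aws route53 change-resource-record-sets`.
    target_zone_id is the hosted zone ID of the alias target (ELB/CloudFront),
    not the ID of the zone being edited."""
    return {
        "Comment": f"DNS Alias record for {root_domain}.",
        "Changes": [{"Action": "CREATE", "ResourceRecordSet": {
            "Name": normalize(root_domain), "Type": "A",
            "AliasTarget": {"HostedZoneId": target_zone_id,
                            "EvaluateTargetHealth": evaluate_health,
                            "DNSName": normalize(target_dns_name)}}}],
    }
```

Feeding the real command output into audit() through json.load and writing build_alias_change_batch() out with json.dump reproduces the manual CLI steps above end to end.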

Publication date Apr 18, 2018