Public Zone with Private Records

Risk level: Medium (should be achieved)

Ensure that no AWS Route 53 Public Hosted Zone in your AWS account contains DNS records for private IPs/resources, both to avoid leaking information about your internal (private) network and the resources hosted on it, and to optimize Route 53 service costs. The most common reason private IP records end up in a Route 53 Public Hosted Zone is split-view DNS, where a private and a public DNS record are created to manage the internal and external versions of the same website or application. Cloud Conformity strongly recommends defining your private DNS records in a Route 53 Private Hosted Zone, which can be used together with a Public Hosted Zone to implement split-view DNS for your applications. An AWS Route 53 Private Hosted Zone resolves internal DNS queries (those coming from within the associated VPC network) without exposing the DNS data to the public Internet. From the cost optimisation perspective, since every Route 53 DNS query is charged, a Private Hosted Zone also reduces DNS service costs when combined with conditional forwarders within your VPC: a DNS server configured as a conditional forwarder can cache the responses from the Amazon name servers, thus reducing the number of queries that leave your internal network.

This rule resolution is part of the Cloud Conformity Security Package

Defining private DNS records within your Route 53 Public Hosted Zones is considered bad practice because it provides useful information, such as the IP addresses of specific internal resources and their internal subnet scheme, to malicious users, who can use this information to gain access to your resources through social engineering. In contrast, AWS Route 53 Private Hosted Zones safeguard against malicious scanners that are trying to learn your internal IP addresses, addressing scheme or network layout. With Private Hosted Zones you will also reduce Route 53 service costs by sending fewer queries to the AWS name servers (DNS response caching).

Audit

To determine if your Route 53 Public Hosted Zones contain private DNS records, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Select Public Hosted Zones from the dropdown list available under the dashboard top menu to list all your Route 53 Public Hosted Zones.

05 Select the Public Hosted Zone that you want to examine, then click the Go to Record Sets button to access its DNS records.

06 On the DNS Public Hosted Zone page, select A from the Record Type dropdown list to list all the A (Address) records within the selected hosted zone then check the Value column for any private IPs assigned to the listed DNS records. If one or more A records point to private IP(s) (e.g. 172.31.49.26), the selected Amazon Route 53 Public Hosted Zone contains DNS records for private IPs/resources.

07 Repeat steps no. 5 and 6 to inspect other Route 53 Public DNS Hosted Zones for private DNS records.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to retrieve a list with all the DNS hosted zones associated with your AWS account:

aws route53 list-hosted-zones

02 The command output should return an array with all the DNS hosted zones available and their metadata, including each hosted zone's ID and its type (the PrivateZone flag is false for a Public Hosted Zone):

{
    "HostedZones": [
        {
            "ResourceRecordSetCount": 7,
            "CallerReference": "FE8C605A-68F4-D107-53C1-052549DBB41C",
            "Config": {
                "PrivateZone": false
            },
            "Id": "/hostedzone/Z394I4MU0LFDVL",
            "Name": "cloudconformity.com."
        }
    ]
}

03 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Public Hosted Zone returned at the previous step to list all DNS A records created within the selected hosted zone:

aws route53 list-resource-record-sets \
	--hosted-zone-id Z394I4MU0LFDVL \
	--query "ResourceRecordSets[?Type == 'A']"

04 The command output should return an array that contains all A record sets available within the specified hosted zone and their metadata:

[
    {
        "ResourceRecords": [
            {
                "Value": "54.110.206.34"
            }
        ],
        "Type": "A",
        "Name": "cloudconformity.com.",
        "TTL": 86400
    },
    {
        "ResourceRecords": [
            {
                "Value": "34.187.11.203"
            }
        ],
        "Type": "A",
        "Name": "dev.cloudconformity.com.",
        "TTL": 86400
    },
    {
        "ResourceRecords": [
            {
                "Value": "172.31.49.138"
            }
        ],
        "Type": "A",
        "Name": "internal-staging.cloudconformity.com.",
        "TTL": 86400
    },
    {
        "ResourceRecords": [
            {
                "Value": "34.201.126.246"
            }
        ],
        "Type": "A",
        "Name": "staging.cloudconformity.com.",
        "TTL": 86400
    }
]

Check the Value attributes for any private IPs assigned to the returned DNS records. If one or more A records have private IPs as their values (as shown in the example output above, i.e. 172.31.49.138 for internal-staging.cloudconformity.com.), the selected Amazon Route 53 Public Hosted Zone contains private DNS records.

05 Repeat steps no. 3 and 4 to inspect other Route 53 Public DNS Hosted Zones, provisioned in your AWS account, for private DNS records.
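The private-IP check in steps 3 and 4 can be automated over the CLI output. The following Python script is an added example (not Cloud Conformity's or AWS's tooling) that reads the JSON returned by list-resource-record-sets and flags every A or AAAA value that is not globally routable. It goes a little beyond the procedure above by also covering AAAA records (IPv6 unique local addresses), multi-value record sets and alias record sets, which carry no IP value to check. The embedded SAMPLE_RECORD_SETS list is constructed for illustration and only mirrors the shape of the output shown above; the script name route53_audit.py is an assumption.

```python
import ipaddress
import json
import sys

# Record types whose values are IP literals; everything else (CNAME, TXT, ...) is out of scope.
ADDRESS_TYPES = ("A", "AAAA")

# Constructed sample (not real CLI output): the shape matches what
# "aws route53 list-resource-record-sets --hosted-zone-id <PUBLIC_ZONE_ID>"
# returns under "ResourceRecordSets". Names and addresses are made up.
SAMPLE_RECORD_SETS = [
    {"Name": "cloudconformity.com.", "Type": "A", "TTL": 86400,
     "ResourceRecords": [{"Value": "54.110.206.34"}]},
    {"Name": "internal-staging.cloudconformity.com.", "Type": "A", "TTL": 86400,
     "ResourceRecords": [{"Value": "172.31.49.138"}]},
    # multi-value record set: every value has to be checked, not just the first
    {"Name": "db.cloudconformity.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.0.12.7"}, {"Value": "10.0.12.8"}]},
    # IPv6 unique local address (fc00::/7) is the AAAA counterpart of RFC 1918 space
    {"Name": "ipv6.cloudconformity.com.", "Type": "AAAA", "TTL": 300,
     "ResourceRecords": [{"Value": "fd12:3456:789a::1"}]},
    # alias record set: no ResourceRecords key, it points at an AWS resource by name
    {"Name": "www.cloudconformity.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZEXAMPLEALIASID",  # placeholder, not a real zone ID
                     "DNSName": "example-alias-target.example.com.",
                     "EvaluateTargetHealth": False}},
]


def is_non_public_address(value):
    """True when the value is an IP literal outside the globally routable space.

    ipaddress' is_global is False for RFC 1918 space (10/8, 172.16/12, 192.168/16),
    IPv6 unique local addresses (fc00::/7), loopback and link-local, and also for the
    shared address space 100.64/10 and the documentation ranges, so it is a stricter
    test than is_private alone.
    """
    try:
        return not ipaddress.ip_address(value).is_global
    except ValueError:
        # Not an IP literal. A/AAAA values always are, but stay defensive on odd input.
        return False


def find_private_records(record_sets):
    """Return (name, type, value) for every A/AAAA value that is not globally routable."""
    findings = []
    for rrset in record_sets:
        if rrset.get("Type") not in ADDRESS_TYPES:
            continue
        # alias record sets have no ResourceRecords; .get() skips them cleanly
        for rr in rrset.get("ResourceRecords", []):
            value = rr.get("Value", "")
            if is_non_public_address(value):
                findings.append((rrset["Name"], rrset["Type"], value))
    return findings


def audit_zone(hosted_zone, record_sets):
    """Apply the rule to one zone from list-hosted-zones: private zones are out of scope."""
    if hosted_zone.get("Config", {}).get("PrivateZone", False):
        return []
    return find_private_records(record_sets)


if __name__ == "__main__":
    # Usage: aws route53 list-resource-record-sets --hosted-zone-id <ID> | python route53_audit.py
    data = json.load(sys.stdin)
    findings = find_private_records(data.get("ResourceRecordSets", []))
    for name, rtype, value in findings:
        print(f"NON-COMPLIANT  {rtype:<5} {name:<45} {value}")
    sys.exit(1 if findings else 0)
```

Run it once per Public Hosted Zone ID returned by list-hosted-zones (only zones whose Config.PrivateZone is false); a non-zero exit status makes it easy to wire into a scheduled compliance job. Note that `--query "ResourceRecordSets[?Type == 'A']"` as used in step 3 would hide AAAA records from the script, so feed it the unfiltered output when you want the IPv6 check as well.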

Remediation / Resolution

To reduce your Amazon Route 53 service costs and adhere to security best practices by keeping private DNS records out of your AWS Route 53 Public Hosted Zones, create and configure a Private Hosted Zone to manage the private IPs within your Virtual Private Cloud (VPC): the Amazon Route 53 service returns your private DNS records only when queried from within the associated VPC. Keeping your Private Hosted Zone separate from your Public Hosted Zone also prevents the Internet from making unnecessary queries for your private DNS records (which can instead be served through conditional forwarders), giving you the opportunity to save costs. To create a Route 53 Private Hosted Zone and define the necessary private DNS records, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click the Create Hosted Zone button from the AWS dashboard top menu.

05 In the Create Hosted Zone right panel, enter the following information:

  1. In the Domain Name field, enter the domain name (e.g. cloudconformity.com) that you want to manage with your new private DNS hosted zone.
  2. (Optional) In the Comment field, enter a description for the DNS zone.
  3. Select Private Hosted Zone for Amazon VPC from the Type dropdown list.
  4. Choose a VPC to associate with the new Private Hosted Zone from the VPC ID dropdown list. Note that in order to use the selected VPC, the VPC must have the following configuration attributes set to true: enableDnsHostnames and enableDnsSupport.

06 On your newly created hosted zone page, add the necessary private DNS records. To create your private DNS records using the AWS Route 53 Console, perform the following actions:

  1. Click Create Record Set button from the dashboard top menu.
  2. In the Name field, enter the record name of the DNS record that you want to create.
  3. From the Type dropdown list select the record set type (e.g. A, AAAA).
  4. In the TTL (Seconds) field, enter a Time to Live value in seconds.
  5. In the Value text box, enter the value required by the selected record type (in this case a private IP address).
  6. From the Routing Policy dropdown list, select the routing method for the current DNS record.
  7. Click Create to add the new record to the hosted zone.
  8. (Optional) To add more private DNS records, repeat steps 1 - 7.

07 Repeat steps no. 4 – 6 to provision and configure additional Route 53 Private Hosted Zones within your AWS account.

Using AWS CLI

01 Run create-hosted-zone command (OSX/Linux/UNIX) to create a new AWS Route 53 Private Hosted Zone. The following command example creates a private DNS hosted zone for a domain name called cloudconformity.com and associates it with an AWS VPC identified by the ID vpc-3fa56947, available within the US East region:

aws route53 create-hosted-zone \
	--name cloudconformity.com \
	--caller-reference 2017-06-13-17:34 \
	--hosted-zone-config Comment="Private DNS hosted zone for cloudconformity.com",PrivateZone=true \
	--vpc VPCRegion="us-east-1",VPCId="vpc-3fa56947"

02 The command output should return the new hosted zone metadata (including the new zone ID):

{
    "ChangeInfo": {
        "Status": "PENDING",
        "SubmittedAt": "2017-06-13T17:34:22.159Z",
        "Id": "/change/CN24KFSPFXZUT"
    },
    "HostedZone": {
        "ResourceRecordSetCount": 2,
        "CallerReference": "2017-06-13-17:34",
        "Config": {
            "Comment": "Private DNS hosted zone for cloudconformity.com",
            "PrivateZone": true
        },
        "Id": "/hostedzone/ZXDHZIVJ9NXZ0",
        "Name": "cloudconformity.com."
    },
    "Location": "https://route53.amazonaws.com/2013-04-01/hostedzone/ZXDHZIVJ9NXZ0",
    "VPC": {
        "VPCId": "vpc-3fa56947",
        "VPCRegion": "us-east-1"
    }
}

03 To add the necessary private DNS record(s) to your new Private Hosted Zone, you must first create an Amazon Route 53 change file (i.e. a JSON file named private-record-set.json) that defines your DNS record(s) for private IP(s). The following example change file defines a private A record for the cloudconformity.com domain:

{
  "Comment": "Private A record set for cloudconformity.com hosted zone.",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "staging.cloudconformity.com.",
        "Type": "A",
        "TTL": 86400,
        "ResourceRecords": [
          {
            "Value": "172.31.49.138"
          }
        ]
      }
    }
  ]
}

04 Run change-resource-record-sets command (OSX/Linux/UNIX) using the hosted zone ID listed at step no. 2 and the Route 53 change file created at the previous step (i.e. private-record-set.json) as command parameters to add the new private DNS record to the selected Private Hosted Zone:

aws route53 change-resource-record-sets \
	--hosted-zone-id ZXDHZIVJ9NXZ0 \
	--change-batch file://private-record-set.json

05 The command output should return the metadata of the change request for the new A record set. The request status should be PENDING at this moment:

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "Private A record set for cloudconformity.com hosted zone.",
        "SubmittedAt": "2017-06-13T17:47:59.642Z",
        "Id": "/change/C3HM8IU10R7MFE"
    }
}

06 Run get-change command (OSX/Linux/UNIX) using the change ID returned at the previous step as the input parameter to get the current status of the newly added private record set:

aws route53 get-change \
	--id C3HM8IU10R7MFE

07 The command output should return the current status of the private DNS record batch request. The status should be INSYNC, which indicates that the change has been fully propagated to all AWS Route 53 DNS server nodes:

{
  "ChangeInfo": {
    "Status": "INSYNC",
    "Comment": "SPF record set for the zone.",
    "SubmittedAt": "2016-05-25T11:24:29.663Z",
    "Id": "/change/DS22QA2MN6GTI"
  }
}

08 (Optional) To create additional private DNS records repeat steps no. 3 – 7.

09 Repeat steps no. 1 – 8 to provision and configure new Route 53 Private Hosted Zones within your AWS account.
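Steps 3 and 4 above create a single private record from a hand-written change file. When the audit turns up several private records in a Public Hosted Zone, the change files can instead be generated from that zone's record sets. The following Python script is an added example (not Cloud Conformity's or AWS's code) that takes the A/AAAA record sets of a Public Hosted Zone and produces two change batches: a CREATE batch for the Private Hosted Zone and a matching DELETE batch for the Public Hosted Zone (an UPSERT where a record set mixes public and private values, so only the public values stay behind). The sample record sets, the output file names and the script name route53_split.py are constructed for illustration.

```python
import ipaddress
import json
import sys

ADDRESS_TYPES = ("A", "AAAA")


def is_non_public_address(value):
    """True for an IP literal outside the globally routable space (RFC 1918, ULA, ...)."""
    try:
        return not ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def build_move_batches(public_record_sets, comment="Move private records to Private Hosted Zone"):
    """Return (public_zone_batch, private_zone_batch), each shaped like a change-batch file.

    For every A/AAAA record set with at least one non-public value:
      - private zone: CREATE the record set with only its non-public values;
      - public zone:  DELETE the record set if nothing public remains (Route 53 requires
                      the DELETE to match the existing set exactly, so the original set
                      is copied unchanged), otherwise UPSERT it with only the public values.
    Alias record sets and other record types are left untouched.
    """
    public_changes, private_changes = [], []
    for rrset in public_record_sets:
        if rrset.get("Type") not in ADDRESS_TYPES or "ResourceRecords" not in rrset:
            continue
        values = [rr["Value"] for rr in rrset["ResourceRecords"]]
        private_values = [v for v in values if is_non_public_address(v)]
        if not private_values:
            continue
        public_values = [v for v in values if v not in private_values]
        base = {"Name": rrset["Name"], "Type": rrset["Type"], "TTL": rrset["TTL"]}

        private_changes.append({"Action": "CREATE", "ResourceRecordSet": {
            **base, "ResourceRecords": [{"Value": v} for v in private_values]}})

        if public_values:
            public_changes.append({"Action": "UPSERT", "ResourceRecordSet": {
                **base, "ResourceRecords": [{"Value": v} for v in public_values]}})
        else:
            public_changes.append({"Action": "DELETE", "ResourceRecordSet": dict(rrset)})

    return ({"Comment": comment, "Changes": public_changes},
            {"Comment": comment, "Changes": private_changes})


def to_change_file(batch):
    """Serialise a batch as the JSON accepted by --change-batch file://..."""
    return json.dumps(batch, indent=2)


# Constructed sample (not real CLI output) in the shape of
# "aws route53 list-resource-record-sets --hosted-zone-id <PUBLIC_ZONE_ID>".
SAMPLE_PUBLIC_RECORD_SETS = [
    {"Name": "cloudconformity.com.", "Type": "A", "TTL": 86400,
     "ResourceRecords": [{"Value": "54.110.206.34"}]},
    {"Name": "internal-staging.cloudconformity.com.", "Type": "A", "TTL": 86400,
     "ResourceRecords": [{"Value": "172.31.49.138"}]},
    # a record set that mixes a public and a private address
    {"Name": "app.cloudconformity.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "34.201.126.246"}, {"Value": "10.0.12.7"}]},
    # alias record set: no ResourceRecords, nothing to move
    {"Name": "www.cloudconformity.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZEXAMPLEALIASID",  # placeholder, not a real zone ID
                     "DNSName": "alias.example.com.", "EvaluateTargetHealth": False}},
]


if __name__ == "__main__":
    # Usage:
    #   aws route53 list-resource-record-sets --hosted-zone-id <PUBLIC_ZONE_ID> | python route53_split.py
    #   aws route53 change-resource-record-sets --hosted-zone-id <PRIVATE_ZONE_ID> \
    #       --change-batch file://private-zone-changes.json
    #   aws route53 change-resource-record-sets --hosted-zone-id <PUBLIC_ZONE_ID> \
    #       --change-batch file://public-zone-changes.json
    data = json.load(sys.stdin)
    public_batch, private_batch = build_move_batches(data.get("ResourceRecordSets", []))
    with open("private-zone-changes.json", "w") as f:
        f.write(to_change_file(private_batch))
    with open("public-zone-changes.json", "w") as f:
        f.write(to_change_file(public_batch))
```

Apply the private-zone batch first and wait for its get-change status to reach INSYNC before applying the public-zone batch, so that clients inside the VPC never lose resolution of the moved names; the Private Hosted Zone must already be associated with that VPC and use the same domain name as the Public Hosted Zone for split-view DNS to work.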

Publication date Jun 12, 2017