Ensure there are no AWS Route 53 Public Hosted Zones that contain DNS records for private IPs/resources within your AWS account in order to avoid leaking information about your internal (private) network and the resources hosted on it, and to optimize the Route 53 service costs. The most common use case for using private IP records in a Route 53 Public Hosted Zone is when users are implementing the split-view DNS method, where a private and a public DNS record is created to manage internal and external versions of the same website or application. Cloud Conformity strongly recommends using a Route 53 Private Hosted Zone to define your private DNS records which can be used in combination with a Public Hosted Zone to implement split-view DNS for your applications. An AWS Route 53 Private Hosted Zone will resolve any internal DNS queries (coming from within the associated VPC network) without exposing DNS data to the public Internet. From the cost optimisation perspective, since all Route 53 DNS queries are charged, using a Private Hosted Zone will also reduce the DNS service costs by using conditional forwarders within your VPC. Conditional forwarders can be implemented through a DNS server that will allow you to cache the DNS responses from Amazon name servers, thus reduce the number of queries within your internal network.
Defining private DNS records within your Route 53 Public Hosted Zones is considered bad practice and does provide useful information such as the IP addresses for specific internal resources and their internal subnet scheme to malicious users which can use this information to gain access to your resources through social engineering hacks. In contrast, AWS Route 53 Private Hosted Zones will safeguard against any malicious scanners that are trying to learn your internal IP address, scheme or network. With Private Hosted Zones you will be also reducing the Route 53 service costs by querying less the AWS name servers (DNS response caching).
To determine if your Route 53 Public Hosted Zones contain private DNS records, perform the following:
To reduce your Amazon Route 53 service costs and adhere to security best practices by using private DNS records outside of your AWS Route 53 Public Hosted Zones, you can create and configure a Private Hosted Zone to manage private IPs within your Virtual Private Cloud (VPC) as Amazon Route 53 service will only return your private DNS records when queried from within the associated VPC. Keeping your Private Hosted Zone separated from your Public Hosted Zone will also prevent the Internet from making unnecessary queries to your hosted zone private DNS records (using conditional forwarders), providing you with the opportunity to save costs. To create a Route 53 Private Hosted Zone and define the necessary private DNS records, perform the following: