Check for Root Domain Alias Records that Point to Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the root domain Alias record routes traffic to an associated Classic, Application, or Network Load Balancer. An Alias record is a Route 53–specific extension to DNS: instead of an IP address or a CNAME target, it points at an AWS resource such as your load balancer, and Route 53 resolves it to the load balancer's current IP addresses at query time. Because DNS does not allow a CNAME at the zone apex, an Alias A record is the supported way to point the root domain itself at a load balancer's DNS name. Before this rule is run by the Trend Micro Cloud One™ – Conformity engine, your root domain name must be configured in the rule settings, on your Conformity account console.

Security

Your Amazon Route 53 hosted zone can hold a special record type called Alias that allows you to create an A record for the root domain and point it to the fully qualified domain name (FQDN) of the load balancer associated with your application. Records for the other layers of your application should be created the same way, so that the design stays flexible and no resource FQDN is hardcoded in clients or configuration: when a load balancer is replaced, only the Alias target changes, and Route 53 tracks the load balancer's IP addresses automatically.

Note: Make sure that you replace all <root_domain_name> placeholders outlined in the conformity rule content with your own root domain name.


Audit

To determine if your Amazon Route 53 hosted zones contain Alias records that point to your load balancers, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Check for Root Domain Alias Records that Point to Load Balancers conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

04 In the main navigation panel, under Dashboard, choose Hosted zones.

05 Click inside the Filter hosted zones by property or value box, select Domain name, paste the name of your root domain copied at step no. 1, and press Enter. If the filter returns no results, there is no Amazon Route 53 hosted zone created for your domain name, therefore the Audit process ends here. If the Amazon Route 53 console returns a public hosted zone for your domain name, continue the Audit process with the next step.

06 Click on the domain name of the hosted zone returned by the Route 53 console.

07 In the Records section, perform the following operations:

  1. Select A from the Type dropdown menu to list all the A DNS records created for the selected hosted zone.
  2. Select Alias from the Alias dropdown menu to filter the existing results (i.e. A records) and list only the Alias records created for the selected hosted zone. If the filter returns no Alias records, there are no Alias records created for the root domain name of your application, therefore the Audit process ends here.
  3. Check the Alias record value available in the Value/Route traffic to column for the record whose name is the root domain. A Classic or Application Load Balancer has a DNS name of the form <name>-<id>.<region>.elb.amazonaws.com (the console may show it with a dualstack. prefix); a Network Load Balancer has a DNS name of the form <name>-<id>.elb.<region>.amazonaws.com, so a plain test for elb.amazonaws.com. misses NLBs. If the value matches neither form, the Alias record created for the selected root domain name is not routing traffic to a Classic, Application, or Network Load Balancer.

08 If required, repeat steps no. 6 and 7 for other hosted zones created within your AWS cloud account.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Check for Root Domain Alias Records that Point to Load Balancers conformity rule settings, and copy the root domain name configured for your application (e.g. <root_domain_name>).

02 Run list-hosted-zones command (OSX/Linux/UNIX) with a custom query filter on the root domain name copied at the previous step, to get the ID of the Amazon Route 53 hosted zone created for that domain. Replace <root_domain_name> with your own root domain name (Route 53 stores zone names with a trailing dot, which the filter already includes):

aws route53 list-hosted-zones \
  --query "HostedZones[?Name == '<root_domain_name>.'].Id"

03 The command request should return one of the following outputs:

  1. If the list-hosted-zones command output returns an empty array (i.e. []), as shown in the example below, there is no Amazon Route 53 hosted zone created for your root domain name, therefore the Audit process ends here:
    []
    
  2. If the command output returns the ID of the hosted zone associated with your root domain name, as shown in the output example below, continue the Audit with the next step:
    [
    	"/hostedzone/ABCD1234ABCD1234ABCD"
    ]
    

04 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Amazon Route 53 hosted zone returned at the previous step as the identifier parameter, to describe each Alias record created for the specified hosted zone:

aws route53 list-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
  --query 'ResourceRecordSets[?AliasTarget != null]'

05 The command output should return one of the following outputs:

  1. If the list-resource-record-sets command output returns an empty array (i.e. []), as shown in the example below, there are no DNS Alias records created for the root domain name associated with your application, therefore the Audit process ends here:
    []
    
  2. If the command output returns one or more Alias record sets, find the record set whose "Name" is your root domain name (with Route 53's trailing dot) and check its "DNSName" property value. A Classic or Application Load Balancer has a DNS name of the form <name>-<id>.<region>.elb.amazonaws.com., optionally prefixed with dualstack.; a Network Load Balancer has a DNS name of the form <name>-<id>.elb.<region>.amazonaws.com., so a plain test for elb.amazonaws.com. misses NLBs. If the "DNSName" value matches neither form, as with the non-load-balancer target in the example below, the Alias record created for the selected root domain name is not routing traffic to a Classic, Application, or Network Load Balancer:
    [
    	{
    		"Name": "app.trendmicro.com.",
    		"Type": "A",
    		"AliasTarget": {
    			"HostedZoneId": "ABCD1234ABCD1234ABCD",
    			"DNSName": "console.trendmicro.com.",
    			"EvaluateTargetHealth": false
    		}
    	}
    ]
    

06 If required, repeat steps no. 4 and 5 for other hosted zones available in your AWS cloud account.
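The Audit steps above can be scripted against the raw output of list-resource-record-sets. The following is an added example, not code from the Conformity page or its tooling: it applies the root-domain check offline to a constructed sample of the CLI output (names, IDs and DNS targets below are placeholders), normalises Route 53's trailing dot and letter case, and recognises both the ALB/Classic and the Network Load Balancer DNS name forms.

```python
"""Added example (not part of the Conformity page or its tooling): an offline
check that applies the Audit logic above to the JSON returned by
'aws route53 list-resource-record-sets'.

Assumptions: the input is the command's output without --query (or boto3's
list_resource_record_sets()['ResourceRecordSets']); the root domain and the
record sets below are constructed sample data, not real DNS.
"""
import json
import re
import sys

# Classic and Application Load Balancers have DNS names of the form
#   <name>-<id>.<region>.elb.amazonaws.com   (optionally prefixed "dualstack.")
# Network Load Balancers have DNS names of the form
#   <name>-<id>.elb.<region>.amazonaws.com
# A plain substring test for "elb.amazonaws.com" would miss the NLB form.
ELB_DNS_RE = re.compile(
    r"^(dualstack\.)?[a-z0-9-]+\.(?:[a-z0-9-]+\.elb|elb\.[a-z0-9-]+)\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def is_elb_dns_name(dns_name: str) -> bool:
    """True if dns_name is the FQDN of a Classic, Application or Network LB."""
    return ELB_DNS_RE.match(dns_name) is not None


def audit_root_alias(record_sets, root_domain):
    """Evaluate the root-domain Alias record.

    Returns (status, targets) where status is:
      'no_alias' - no Alias A/AAAA record exists for root_domain
      'not_elb'  - an Alias exists but at least one target is not a load
                   balancer (targets lists the offending DNS names)
      'elb'      - every Alias target is a Classic/Application/Network LB
    """
    root = normalize(root_domain)
    targets = [
        rs["AliasTarget"]["DNSName"]
        for rs in record_sets
        if normalize(rs["Name"]) == root
        and rs.get("Type") in ("A", "AAAA")
        and rs.get("AliasTarget")
    ]
    if not targets:
        return "no_alias", []
    bad = [t for t in targets if not is_elb_dns_name(t)]
    if bad:
        return "not_elb", bad
    return "elb", targets


# Constructed sample resembling the CLI output; IDs and names are placeholders.
SAMPLE_ROOT_DOMAIN = "example.com"
SAMPLE_RECORD_SETS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZELBHOSTEDZONE0001",
                     "DNSName": "dualstack.web-alb-123456789012.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZELBHOSTEDZONE0002",
                     "DNSName": "api-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com.",
                     "EvaluateTargetHealth": True}},
    {"Name": "app.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ABCD1234ABCD1234ABCD",
                     "DNSName": "console.example.com.",
                     "EvaluateTargetHealth": False}},
]


def main(argv):
    # Usage with real data (no --query, so the wrapper object is present):
    #   aws route53 list-resource-record-sets --hosted-zone-id <id> \
    #     | python3 audit_root_alias.py <root_domain_name>
    if len(argv) > 1 and not sys.stdin.isatty():
        record_sets = json.load(sys.stdin)["ResourceRecordSets"]
        root = argv[1]
    else:
        record_sets, root = SAMPLE_RECORD_SETS, SAMPLE_ROOT_DOMAIN
    status, targets = audit_root_alias(record_sets, root)
    print(f"{normalize(root)} -> {status}: {targets}")
    return 0 if status == "elb" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to evaluate the embedded sample, or pipe the real list-resource-record-sets output (without --query) into it with the root domain as the first argument; a non-zero exit status means the rule is not satisfied for that zone.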

Remediation / Resolution

To configure Amazon Route 53 to route traffic to your AWS Elastic Load Balancer (Classic, Application, or Network Load Balancer), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON). The record set references the zone through HostedZoneId (Ref on a hosted zone returns its ID), carries no TTL (Route 53 rejects a TTL on an Alias record), and takes the load balancer's canonical hosted zone from the CanonicalHostedZoneID attribute of the ELBv2 load balancer:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-app-load-balancer",
				"Type": "application",
				"Scheme": "internet-facing",
				"IpAddressType": "ipv4",
				"Subnets": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"SecurityGroups": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				]
			}
		},
		"Route53HostedZone": {
			"Type": "AWS::Route53::HostedZone",
			"Properties": {
				"HostedZoneConfig": {
					"Comment": "Route53 public hosted zone for domain.com"
				},
				"Name": "domain.com",
				"HostedZoneTags": [
					{
						"Key": "Owner",
						"Value": "IT"
					}
				]
			}
		},
		"Route53Record": {
			"Type": "AWS::Route53::RecordSet",
			"Properties": {
				"HostedZoneId": {
					"Ref": "Route53HostedZone"
				},
				"Name": "domain.com",
				"Type": "A",
				"AliasTarget": {
					"DNSName": {
						"Fn::GetAtt": [
							"ApplicationLoadBalancer",
							"DNSName"
						]
					},
					"EvaluateTargetHealth": false,
					"HostedZoneId": {
						"Fn::GetAtt": [
							"ApplicationLoadBalancer",
							"CanonicalHostedZoneID"
						]
					}
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: Route53 public hosted zone for domain.com
      Name: domain.com
      HostedZoneTags:
        - Key: Owner
          Value: IT
  Route53Record:
    Type: AWS::Route53::RecordSet
    Properties:
      # Ref on a hosted zone returns its ID; Alias records take no TTL.
      HostedZoneId: !Ref Route53HostedZone
      Name: domain.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApplicationLoadBalancer.DNSName
        EvaluateTargetHealth: false
        HostedZoneId: !GetAtt ApplicationLoadBalancer.CanonicalHostedZoneID

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-app-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
  security_groups    = ["sg-0abcd1234abcd1234", "sg-01234abcd1234abcd"]
}

resource "aws_route53_zone" "route53-hosted-zone" {
  name    = "domain.com"
  comment = "Route53 public hosted zone for domain.com"
  tags = {
    Owner = "IT"
  }
}

# Alias records carry no TTL of their own; "ttl" conflicts with the "alias" block.
resource "aws_route53_record" "route53-record" {
  zone_id = aws_route53_zone.route53-hosted-zone.zone_id
  name    = "domain.com"
  type    = "A"

  alias {
    # Reference the aws_lb resource declared above (aws_elb is the Classic LB type).
    name                   = aws_lb.application-load-balancer.dns_name
    zone_id                = aws_lb.application-load-balancer.zone_id
    evaluate_target_health = false
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Dashboard, click Hosted zones.

04 Click on the domain name of the hosted zone that you want to reconfigure.

05 In the Records section, choose Create record to initiate the Alias DNS record setup process, then perform the following operations:

  1. For Record name, provide the root domain name (i.e. the domain name configured in the conformity rule settings).
  2. For Record type, select A – Routes traffic to an IPv4 address and some AWS resources.
  3. Toggle the Alias button to specify that you want the new record to be an Alias for an AWS resource.
  4. For Route traffic to, choose the type of the AWS resource that you want to route the traffic to.
    • Select Alias to Application and Classic Load Balancer to route traffic to an Application Load Balancer (ALB) or Classic Load Balancer (CLB), or choose Alias to Network Load Balancer to route traffic to a Network Load Balancer (NLB).
    • For Choose Region, select the AWS region where the target load balancer was provisioned.
    • For Choose load balancer, select the fully qualified domain (FQDN) of the load balancer that you want to route traffic to.
  5. For Routing policy, choose the routing method appropriate for the new Alias record, based on your application requirements.
  6. For Evaluate target health, choose whether Route 53 should check the health of the target load balancer before answering with this record (Yes) or return it unconditionally (No).
  7. Choose Create records to add the new Alias record set to your Amazon Route 53 hosted zone.

06 If required, repeat steps no. 4 and 5 for other hosted zones created within your AWS cloud account.

Using AWS CLI

01 To create the required Alias record and add it to your DNS hosted zone, you must first create an Amazon Route 53 change file that declares the new Alias DNS record, and save the record definition to a JSON file named elb-alias-record.json. Replace <root-domain-name>, <hosted-zone-id>, and <target-resource-dns-name> with your own details. <target-resource-dns-name> is the fully qualified domain name (FQDN) of the load balancer that you want to route traffic to (e.g. dualstack.web-load-balancer-123456789012.us-east-1.elb.amazonaws.com.). <hosted-zone-id> inside AliasTarget is the load balancer's own canonical hosted zone ID (the CanonicalHostedZoneId field returned by aws elbv2 describe-load-balancers, or CanonicalHostedZoneNameID returned by aws elb describe-load-balancers for a Classic Load Balancer), not the ID of the Route 53 hosted zone you are adding the record to; Route 53 rejects the change if the two do not correspond. Alias records have no TTL of their own, so do not add one:

{
	"Comment": "Alias DNS record for <root-domain-name>.",
	"Changes": [
		{
			"Action": "CREATE",
			"ResourceRecordSet": {
				"Name": "<root-domain-name>.",
				"Type": "A",
				"AliasTarget": {
					"HostedZoneId": "<hosted-zone-id>",
					"EvaluateTargetHealth": false,
					"DNSName": "<target-resource-dns-name>."
				}
			}
		}
	]
}

02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the Route 53 hosted zone that you want to reconfigure (the value returned by list-hosted-zones in the Audit section) as the identifier parameter and the Amazon Route 53 change file defined at the previous step (i.e. elb-alias-record.json) as the command parameter, to add the Alias DNS record set to the selected hosted zone:

aws route53 change-resource-record-sets \
  --hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD" \
  --change-batch file://elb-alias-record.json

03 The command output should return the metadata for the change request, including the change ID that you need in order to track its propagation:

{
	"ChangeInfo": {
		"Status": "PENDING",
		"Comment": "Alias DNS record for <root-domain-name>.",
		"SubmittedAt": "2020-08-11T15:00:00.000Z",
		"Id": "/change/ABCDABCDABCDABCDABCD"
	}
}

04 Run get-change command (OSX/Linux/UNIX) using the change ID returned at the previous step as the identifier parameter, to describe the status of the newly submitted change:

aws route53 get-change \
  --id "/change/ABCDABCDABCDABCDABCD"

05 The command output should return the current status of the change batch request. Immediately after submission the status may still be PENDING; re-run the command until it reads INSYNC, which indicates that the change has been propagated to all Amazon Route 53 DNS servers (normally within 60 seconds):

{
	"ChangeInfo": {
		"Status": "INSYNC",
		"Comment": "Alias DNS record for <root-domain-name>.",
		"SubmittedAt": "2020-08-11T15:00:00.000Z",
		"Id": "/change/ABCDABCDABCDABCDABCD"
	}
}

06 If required, repeat steps no. 1 – 5 for other hosted zones available in your AWS cloud account.
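The change file in steps 01 to 05 is easy to get wrong in two places: the AliasTarget hosted zone ID (it must be the load balancer's canonical zone, not the Route 53 zone) and the action (CREATE fails if an A record for the apex already exists). The following is an added example, not code from the Conformity page or its tooling, that builds and validates the change batch from a load balancer description; the load balancer entry is a constructed sample and its hosted zone ID is a placeholder.

```python
"""Added example (not part of the Conformity page or its tooling): build and
validate the change batch for the root-domain Alias record from a load
balancer description, so the CLI remediation above can be scripted.

Assumptions: 'lb' is one element of 'LoadBalancers' from
'aws elbv2 describe-load-balancers' (fields DNSName, CanonicalHostedZoneId)
or from 'aws elb describe-load-balancers' for a Classic LB (fields DNSName,
CanonicalHostedZoneNameID). The sample description is constructed.
"""
import json


def fqdn(name: str) -> str:
    """Route 53 stores and returns names with a trailing dot."""
    return name.rstrip(".") + "."


def build_alias_change_batch(root_domain, lb, action="UPSERT",
                             evaluate_target_health=False):
    """Return the change batch dict for change-resource-record-sets.

    UPSERT is the default: CREATE is rejected with InvalidChangeBatch when an
    A record for the root domain already exists (for example a legacy record
    pointing at a fixed IP), whereas UPSERT replaces it in the same call.
    """
    if action not in ("CREATE", "UPSERT", "DELETE"):
        raise ValueError(f"unsupported action {action!r}")
    # The AliasTarget HostedZoneId is the *load balancer's* canonical hosted
    # zone, not the ID of the Route 53 zone that holds the record; Route 53
    # rejects the change when the two do not correspond. ELBv2 and Classic
    # load balancers expose the value under different keys.
    target_zone = lb.get("CanonicalHostedZoneId") or lb.get("CanonicalHostedZoneNameID")
    if not target_zone or not lb.get("DNSName"):
        raise ValueError("load balancer description lacks DNSName or canonical hosted zone ID")
    return {
        "Comment": f"Alias DNS record for {fqdn(root_domain)}",
        "Changes": [
            {
                "Action": action,
                "ResourceRecordSet": {
                    "Name": fqdn(root_domain),
                    "Type": "A",
                    # No TTL: Alias records take none, and Route 53 rejects one.
                    "AliasTarget": {
                        "HostedZoneId": target_zone,
                        "DNSName": fqdn(lb["DNSName"]),
                        "EvaluateTargetHealth": evaluate_target_health,
                    },
                },
            }
        ],
    }


def write_change_file(path, batch):
    """Write the batch as JSON for:
    aws route53 change-resource-record-sets --hosted-zone-id <route53-zone-id> \
        --change-batch file://<path>
    (the --hosted-zone-id here is the Route 53 zone from the Audit section)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(batch, fh, indent=2)
    return path


# Constructed sample resembling one 'aws elbv2 describe-load-balancers' entry.
SAMPLE_LB = {
    "LoadBalancerName": "web-load-balancer",
    "DNSName": "web-load-balancer-123456789012.us-east-1.elb.amazonaws.com",
    "CanonicalHostedZoneId": "ZELBHOSTEDZONE0001",  # placeholder, not a real ID
    "Scheme": "internet-facing",
    "Type": "application",
}

if __name__ == "__main__":
    batch = build_alias_change_batch("example.com", SAMPLE_LB)
    print(json.dumps(batch, indent=2))
```

Feed the real output of aws elbv2 describe-load-balancers (one LoadBalancers entry) to build_alias_change_batch, write the result with write_change_file, and submit it with the change-resource-record-sets command from step 02; keep the default UPSERT unless you specifically want the call to fail when a record already exists.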

Publication date Apr 18, 2018
