Tutorial / Cram Notes
A hosted zone in Amazon Web Services (AWS) is the container in which you manage a domain name and its DNS records. AWS offers two types of hosted zones, Private Hosted Zones and Public Hosted Zones, both part of the Amazon Route 53 service. Understanding when to use each is essential for an AWS Certified Advanced Networking – Specialty (ANS-C01) exam candidate.
Private Hosted Zones
A Private Hosted Zone is a DNS service for your Virtual Private Cloud (VPC). Its defining feature is its accessibility: it answers queries only from the VPC or VPCs you associate with it. This confines DNS resolution to resources inside AWS and ensures that the public internet cannot query your private DNS records.
Use Cases for Private Hosted Zones:
- Internal Services: For services that should only be resolved and accessed internally. For example, an internal database server db.internal.company.com should only be accessible within your corporate network.
- Service Discovery: Microservices within a VPC that need to communicate with each other often use private DNS names to discover and interact with other services.
- Split-Horizon DNS Views: Environments where the same DNS name needs to resolve to different IP addresses based on whether the query is made from within a VPC or over the internet. For instance, api.company.com could resolve to an internal IP address for queries from inside the VPC and a public IP address for queries from the internet.
- Security: When deploying sensitive applications that should remain unexposed to the public internet, a private hosted zone ensures that DNS queries are not accidentally leaked outside.
- Migration and Testing: When migrating from on-premises data centers to the cloud, or when creating test environments that mimic production but should not be publicly accessible.
Public Hosted Zones
A Public Hosted Zone, on the other hand, is a DNS service for the domains intended to be accessible from the internet. This is the default choice when you want to ensure that your users can access your resources using a domain name over the public internet.
Use Cases for Public Hosted Zones:
- Websites and Web Applications: For any internet-facing website, like www.yourcompany.com, that you want users to access globally.
- API Endpoints: Public APIs that need to be accessed by external clients or services over the internet should have DNS records in a public hosted zone.
- Email Services: To set up MX records for sending and receiving email through your domain.
- Global Services: When deploying services that must be accessible around the world without restrictions.
- Content Delivery: Integrating with services like Amazon CloudFront to deliver content to end-users with lower latency.
Comparison
Feature | Private Hosted Zone | Public Hosted Zone |
---|---|---|
Accessibility | VPC only | Anyone on the internet |
Query Resolution | Internal IPs | Public IPs |
Typical Use | Internal services | Public-facing services |
Split-Horizon DNS Views | Supported | Not applicable |
Integration with AWS Resources | VPC instances, RDS, etc. | Any internet-facing AWS resource |
Security | High – No public access | Normal – Publicly accessible |
Configuration Examples
While specific configuration code is not necessary for understanding when to use private or public hosted zones, let’s walk through a couple of high-level examples:
– Configuring a Private Hosted Zone:
  - Access the Route 53 console in AWS.
  - Create a new hosted zone.
  - Specify the domain name.
  - Set the type to “Private Hosted Zone for Amazon VPC.”
  - Select the VPC in which the DNS records should be available.
– Configuring a Public Hosted Zone:
  - Access the Route 53 console.
  - Create a new hosted zone.
  - Specify the domain you’ve registered.
  - Set the type to “Public Hosted Zone.”
Once each zone is configured, you would typically create the appropriate DNS records (A, CNAME, MX, etc.) within it to map domain names to IP addresses or resources.
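The console steps above, expressed as the equivalent Route 53 API calls for the split-horizon case: a private zone for company.com bound to one VPC and a public zone for the same name, each with its own A record for api.company.com. This is an added example, not code from the original notes or from AWS; the domain, VPC id and IP addresses are constructed placeholders, and `apply()` only runs when you have boto3 and credentials.

```python
"""Build (and optionally execute) the Route 53 calls for a split-horizon setup."""
import uuid

DOMAIN = "company.com"                                              # placeholder domain
VPC = {"VPCRegion": "us-east-1", "VPCId": "vpc-0123456789abcdef0"}  # placeholder VPC


def zone_request(name, private=False, vpc=None):
    """Parameters for route53.create_hosted_zone; a private zone needs a VPC."""
    params = {
        "Name": name,
        "CallerReference": str(uuid.uuid4()),  # must be unique per create request
        "HostedZoneConfig": {"PrivateZone": private},
    }
    if private:
        if vpc is None:
            raise ValueError("a private hosted zone must be associated with a VPC")
        params["VPC"] = vpc
    return params


def a_record_change(name, ip, ttl=300):
    """ChangeBatch for route53.change_resource_record_sets: UPSERT one A record."""
    record = {"Name": name, "Type": "A", "TTL": ttl, "ResourceRecords": [{"Value": ip}]}
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": record}]}


def split_horizon_plan(domain, vpc, private_ip, public_ip):
    """api.<domain> answers private_ip inside the VPC and public_ip on the internet."""
    host = f"api.{domain}"
    return [
        ("private", zone_request(domain, private=True, vpc=vpc), a_record_change(host, private_ip)),
        ("public", zone_request(domain), a_record_change(host, public_ip)),
    ]


def apply(plan, region="us-east-1"):
    """Execute the plan with boto3 (imported lazily so the module works without it)."""
    import boto3
    r53 = boto3.client("route53", region_name=region)
    for _, zone, change in plan:
        zone_id = r53.create_hosted_zone(**zone)["HostedZone"]["Id"]
        r53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=change)


if __name__ == "__main__":
    # Dry run: show what would be sent; call apply(plan) to create the zones for real.
    for kind, zone, change in split_horizon_plan(DOMAIN, VPC, "10.0.1.10", "203.0.113.10"):
        print(kind, zone["HostedZoneConfig"], change["Changes"][0]["ResourceRecordSet"])
```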
Overall, knowing whether to deploy a private or a public hosted zone depends largely on the accessibility requirements and the intended audience for your domain’s services. For the AWS Certified Advanced Networking – Specialty exam, understanding the concepts and use cases for both hosted zones is critical and will aid in designing and implementing secure, scalable, and highly available networking solutions in AWS.
Practice Test with Explanation
Private hosted zones in AWS Route 53 are recommended when you want domain names to be resolved publicly over the internet.
- True
- False
False
Private hosted zones are used for DNS resolution within one or more Amazon VPCs. They’re not accessible over the public internet.
Which type of hosted zone would you use if you needed to resolve domain names that are only accessible within your corporate network?
- Public hosted zone
- Private hosted zone
- Both
- Neither
Private hosted zone
Private hosted zones are used to provide DNS resolution for internal network resources that should not be accessible over the public internet.
Public hosted zones in AWS Route 53 can be used to route traffic for Internet domains like example.com.
- True
- False
True
Public hosted zones are used to define how traffic is routed for a domain on the internet like example.com.
AWS advises the use of public hosted zones for services that should be accessible by applications running inside a VPC but not from the public internet.
- True
- False
False
AWS advises the use of private hosted zones for services that need to be accessed internally within a VPC.
When using AWS Route 53, which DNS record allows you to point your domain to a resource outside of AWS?
- A record
- CNAME record
- Alias record
- MX record
- Both A and CNAME record
Both A and CNAME record
An A record can be used to route traffic to an IP address, while a CNAME record can be used to map your domain to an external domain name. Alias records are specific to AWS resources.
Split-view (split-horizon) DNS is possible in AWS when you want to present different DNS information based on the source of the DNS query.
- True
- False
True
Split-view DNS can be accomplished by using private hosted zones for queries within your VPC and public hosted zones for queries from the internet.
It’s possible to associate multiple VPCs with a single private hosted zone.
- True
- False
True
AWS Route 53 allows multiple VPCs to be associated with a single private hosted zone, which is useful for sharing services across VPCs.
AWS Certificate Manager (ACM) can only be used with public hosted zones for SSL/TLS certificate validation and association.
- True
- False
False
AWS Certificate Manager can be used with both public and private hosted zones, although domain validation options might differ.
If you have resources in an on-premises data center that you want to make accessible via a domain name within your VPC, you should use:
- Public hosted zone
- Private hosted zone
- Either public or private hosted zone, depending on whether you want it accessible from the internet
- Neither, as on-premises resources cannot integrate with AWS DNS
Private hosted zone
A private hosted zone allows you to route traffic within your VPC to an on-premises data center, keeping the traffic internal.
Route 53 Resolver Endpoints are necessary for DNS queries from your VPC to reach a public hosted zone.
- True
- False
False
Route 53 Resolver Endpoints are used for forwarding DNS queries from your VPC to your on-premises DNS servers, not to Route 53 public hosted zones.
When using an alias record in a private hosted zone to point to an AWS service such as an ELB, you will be charged for each query.
- True
- False
False
Alias records within AWS Route 53, when pointing to supported AWS services, do not incur additional charges for queries.
Which feature would allow you to map your custom domain to an Amazon S3 bucket for static website hosting?
- Public hosted zone with CNAME record
- Public hosted zone with an alias record
- Private hosted zone with CNAME record
- Private hosted zone with an alias record
Public hosted zone with an alias record
To host a static website with a custom domain on Amazon S3, you need a public hosted zone with an alias record that points the domain to the appropriate S3 bucket endpoint.
Interview Questions
Can you explain the main difference between private hosted zones and public hosted zones in Amazon Route 53?
The main difference between private hosted zones and public hosted zones in Amazon Route 53 is scope and access. A public hosted zone is accessible over the internet by the general public, whereas a private hosted zone is restricted and only accessible within one or more specified Amazon Virtual Private Clouds (VPCs). Public hosted zones typically host DNS records for domain names intended to be publicly resolvable. In contrast, private hosted zones contain records relevant to resources within a VPC that do not need to be accessed from the open internet.
When would an organization opt to use a private hosted zone over a public hosted zone?
An organization would opt to use a private hosted zone when it needs to resolve domain names that are not intended to be public, often within an internal network, such as a company’s intranet, or resources within their AWS VPC that should not be accessible from the internet, like internal APIs, databases, or application servers.
How can DNS query resolution differ between private and public hosted zones, considering a scenario where both are configured for a domain in AWS?
If both private and public hosted zones are configured for the same domain, DNS queries from resources within the VPC will resolve to the records in the private hosted zone. In contrast, DNS queries from the public internet will resolve to the records in the public hosted zone. This allows for a split-view DNS setup where internal and external resolutions can be handled differently.
Is it possible to associate a private hosted zone with more than one VPC? If so, in what scenarios is this useful?
Yes, it is possible to associate a private hosted zone with more than one VPC. This feature allows you to centralize and share DNS for private domains across multiple VPCs, which is useful when you have resources that span multiple VPCs and need consistent internal name resolution, such as in multi-account strategies or with VPC peering arrangements.
In what situation would you migrate from using a public hosted zone to a private hosted zone?
You might migrate from using a public hosted zone to a private hosted zone when a service or application that was once publicly available is moved to an internal network and should no longer be accessible from the internet. You might also do so during the development stage, when public access is not yet appropriate.
When setting up a hybrid cloud architecture, how would you decide whether to use a private or public hosted zone for your services?
For a hybrid cloud architecture, a private hosted zone is used when the services need to be accessible within an AWS VPC and possibly on-premises environments connected via AWS Direct Connect or a VPN, and not accessible to the public internet. A public hosted zone would be used for services that need to be accessible from anywhere on the internet. The decision often depends on the intended audience and access needs.
Can you have overlapping namespaces between private and public hosted zones in AWS Route 53? What might be the implications?
Yes, you can have overlapping namespaces between private and public hosted zones in AWS Route 53, which essentially creates a split-horizon DNS scenario where the DNS response depends on the location of the requestor. However, this can lead to complications and requires careful DNS management to ensure it does not lead to resolution conflicts or access control issues.
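To make the overlap concrete, here is an added Python model (not AWS code and not part of the original notes) of how Resolver answers the same name from inside an associated VPC and from the internet; it serves both the split-horizon use case above and this question. The zone contents and CIDRs are constructed placeholders; the fall-through rule follows Route 53's documented behaviour of returning NXDOMAIN, rather than consulting the public zone, when a matching private zone lacks the record.

```python
"""Model of Route 53 Resolver's choice between overlapping private and public zones."""
import ipaddress

# Private zones: apex -> (CIDRs of the associated VPCs, records).  Constructed data.
PRIVATE_ZONES = {
    "company.com": (["10.0.0.0/16"], {"api.company.com": "10.0.1.10",
                                      "db.internal.company.com": "10.0.2.20"}),
}
# Public zones: apex -> records.  Note www.company.com exists only here.
PUBLIC_ZONES = {
    "company.com": {"api.company.com": "203.0.113.10", "www.company.com": "203.0.113.80"},
}


def _matching_zones(name, zones):
    """Zone apexes that equal the name or a parent of it, most specific first."""
    labels = name.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    return [z for z in candidates if z in zones]


def resolve(name, source_ip):
    """Return the A record value the querier would see, or 'NXDOMAIN'."""
    src = ipaddress.ip_address(source_ip)
    name = name.lower().rstrip(".")
    # A query from an associated VPC is answered from the matching private zone ...
    for zone in _matching_zones(name, PRIVATE_ZONES):
        cidrs, records = PRIVATE_ZONES[zone]
        if any(src in ipaddress.ip_network(c) for c in cidrs):
            # ... and a miss there does NOT fall through to the public zone:
            # Resolver returns NXDOMAIN (documented Route 53 behaviour).
            return records.get(name, "NXDOMAIN")
    # Internet clients and unassociated VPCs only ever see public data.
    for zone in _matching_zones(name, PUBLIC_ZONES):
        return PUBLIC_ZONES[zone].get(name, "NXDOMAIN")
    return "NXDOMAIN"


if __name__ == "__main__":
    # 10.0.5.5 is inside the associated VPC; 198.51.100.7 is an internet client.
    for q, src in [("api.company.com", "10.0.5.5"), ("api.company.com", "198.51.100.7"),
                   ("www.company.com", "10.0.5.5"), ("db.internal.company.com", "198.51.100.7")]:
        print(f"{q:26} from {src:14} -> {resolve(q, src)}")
```

The www.company.com query from the VPC is the case that bites: the private zone wins the match even though only the public zone holds that record, so every public name that VPC clients need must also be present in the private zone.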
If a company uses a private hosted zone, how could they ensure on-premises resources resolve to the correct internal IP addresses within the AWS environment?
To ensure on-premises resources resolve to the correct internal IP addresses within the AWS environment, the company can use a DNS forwarding mechanism from their on-premises DNS server to the AWS DNS servers associated with their VPC. This setup allows on-premises systems to resolve names in the private hosted zone.
What are some of the security benefits for an organization hosting their internal DNS records in a private hosted zone?
Hosting internal DNS records in a private hosted zone can improve security by ensuring that internal structure and resources are not revealed to the public internet, reducing the exposure to potential DNS-based attacks, and by providing an additional layer of access control to DNS information which is critical for secure operations.
Can you configure a private hosted zone to be accessible over the internet if required for certain use cases?
A private hosted zone itself is not accessible over the internet; it’s designed to be private and accessible only from within designated VPCs. If internet accessibility is required, services should be registered in a public hosted zone. However, for specific cases, such as a temporary need for external access, you can create a VPN connection or use AWS Direct Connect to simulate internal access, although this might not be practical for widespread public usage.
Describe a situation in which you would use both a private and a public hosted zone for the same domain name in AWS.
You would use both a private and a public hosted zone for the same domain name when you need to provide a split-view DNS. For example, suppose you have internal resources that should resolve to private IP addresses for users within your VPCs (using a private hosted zone) and a public website that should resolve to a public IP address for users on the internet (using a public hosted zone). This allows for internal and external DNS queries for the same domain name to be handled differently, based on the query’s source.
How does Route 53 handle health checks and DNS failover with private hosted zones compared to public hosted zones?
Health checks and DNS failover are features more typically used with public hosted zones rather than private hosted zones because they are designed to redirect traffic in case of endpoint failures, which is generally a concern for publicly accessible services. Private hosted zones typically address internal resources that may not require the same level of health monitoring and traffic management designed for internet-facing services. However, Route 53 does support health checks for private hosted zones if needed, but traffic redirection would typically be within the private network infrastructure.
Great post! Can someone explain when to use private hosted zones versus public hosted zones?
I appreciate the detailed explanation in the tutorial. It clarified so many doubts for me.
Private hosted zones are perfect for hybrid environments, too. Does anyone have experience using them for this?
I prefer using public hosted zones for my web applications. They make DNS management so much easier.
Just a quick note: Always remember to set proper security measures on private hosted zones.
Why not use public hosted zones for everything?
Thanks for this tutorial. It’s quite helpful for prepping for the ANS-C01 exam.
Just a minor note: The security section could have included more on DNSSEC.