Amazon AWS Certified Advanced Networking Specialty – Networking & AWS Primer Part 8

January 16, 2023

22. Configuring Bind9 for Hybrid DNS Setup

Hey everyone and welcome back. Now in the earlier video we were discussing some of the challenges that you might typically face when you are designing a hybrid DNS architecture for your organization. We also had a small demo of a possible solution, on how you can set up a custom DNS forwarding server for the hybrid setup. So in today's video we look into how we can set up that custom DNS server. We'll be making use of Bind9 to achieve the same.

So for our sample setup, because we don't really have a Direct Connect or IPsec tunnel, we'll make use of two different VPCs. All right, so you have VPC 1, and your Route 53 private hosted zone will be associated with this VPC. The second VPC you can consider as an on-premise location. And from this on-premise location you want to resolve the private hosted zones which are associated with Route 53. Now one thing we already discussed is that we cannot directly resolve them from on-premise.

So you need a solution which basically makes use of some kind of proxy endpoint in the VPC which is connected to Route 53. So the proposed solution that we are going to design is that you have the VPC here, and this VPC has a custom DNS server. It can also be a Simple AD, but for our case we'll be making use of a custom DNS server. Now this VPC has Route 53, which is present over here, and this Route 53 has certain private hosted zones.

And what we want is for the EC2 instance from VPC 2, which we can consider as on-premise, to be able to resolve this specific private hosted zone. So we know that this EC2 instance should be able to send a request to the EC2 instance which is hosting the custom DNS server. This custom DNS server will forward the request to Route 53, and from Route 53 the response will come back to the custom DNS server, from which it will be forwarded to on-premise. So that's the simple solution.

Let's look into how we can implement this. So I'm in my EC2 console and I have two EC2 instances present. The first EC2 instance which you see is called Kplabs DNS server, and this is basically our custom DNS server which we are yet to configure. And the VPC in which this EC2 instance is launched, that VPC is associated with the Route 53 private hosted zone. So currently I have one private hosted zone over here.

In fact you can create it easily. Do remember that you will get charged; this does not come under the free tier. So let's say you want to create a private hosted zone called kplabs.internal. You can go ahead and put your domain name, then you have to set the type to private, and then you have to associate it with a VPC over here. All right, so these are the only three simple steps which are required to create a private hosted zone. In my case, I have already created one private hosted zone. The name is kplabs.internal and it is associated with the VPC whose ID ends with 117. So this is basically the default VPC over here.

And I have one more EC2 instance. This EC2 instance can be considered as on-premise, and the VPC in which this EC2 instance is launched does not have the Route 53 private hosted zone associated. So it will not be able to query the Route 53 private hosted zone to get the response over here. All right, so let's do one thing. Let's quickly verify. First I'll log in to the EC2 instance here, and before we do that, I'll quickly attach an Elastic IP to my EC2 instance. All right, let's quickly associate it. Great. So I'll copy this IP address here and I'll log into the server. Do remember that this is Ubuntu 16 LTS, so we'll be doing our DNS server setup and configuration on Ubuntu 16. In case you want to replicate this kind of setup, let me also show you: whenever you create a new instance you can type Ubuntu and you have Ubuntu 16.04 LTS.

You can go ahead and use this. All right, great. So the custom DNS server that we are discussing is an Ubuntu 16 based server. Now the first thing that you need to do is install some kind of DNS server over here. I already have a configuration prepared for the things that we are going to do. So the first thing is we'll be making use of Bind here. So I'll go ahead and run apt-get install bind9, let me press Y, and it will go ahead and install Bind. Great. So once it is installed, you need to go to the /etc/bind directory, and if you open up named.conf you will see that there are no configurations available in it, but there are certain include files. The first include file is /etc/bind/named.conf.options.

Now if we quickly open this up, you will see that there are a lot of configuration options available here. So this is the file that we'll be modifying. The first thing that you need to do is add an ACL. So let me go ahead and add this over here. The ACL basically defines who will be able to query for the resolution to work. So you can specify the IP address of the server, or if you have on-premise then you can specify the IP address range of the on-premise location. So in our case, if we are going to configure Bind on this specific EC2 instance and the second EC2 instance is going to query for the DNS associated with the Route 53 hosted zone, then you can either specify the CIDR where this EC2 instance, or where your on-premise instances, are located.

Or you can specify the single IP address of the DNS server or EC2 instance which is going to make the query. So for my case, let me just check it out. This is the public IP, so you can put the public IP over here. So let's add this. All right, so this is the public IP address of our demo EC2 instance which is going to query it. Now, within the options block there are a lot of comments. So all of these are comments; let's quickly remove all of them. And we'll also remove these three configuration options over here because we have a configuration file which already has them.

So one thing you can do is directly copy the entire configuration. I'll be posting this after the video, so you can go ahead and use the same. So let me do one thing, I'll just remove the entire line. In case you want to remove an entire line in nano, you can make use of Ctrl+K. All right, so I have pasted the entire configuration over here.

Now, one thing that you have to make sure of is to have a forwarder. This is something similar to what we were discussing for the custom DNS server. If you remember, in EC2, or typically in a VPC, the .2 address is basically reserved for Route 53. So if this custom DNS server wants to query the Amazon Route 53 private hosted zones, or any hosted zones here, it needs to contact the .2 address.

So let me quickly show you. I'll save this configuration, and if you open up resolv.conf, you see the nameserver here is 172.31.0.2. So for the 172.31 subnet, the .2 address is basically reserved for Route 53. So from here, if you want to verify, let's do an nslookup. I'll do nslookup on ab.kplabs.internal.

Now this specific record over here is present within my Route 53 hosted zone. Since this Route 53 hosted zone, which is a private hosted zone, is associated with this VPC, and we are trying to resolve it from an EC2 instance within this VPC, if you query 172.31.0.2 you should be able to get the answer perfectly over here. However, if you try it from some different address, it will not really work. So coming back to our configuration file: within the configuration file, this is basically the IP address of the resolver. In case you have a VPC with a different subnet or CIDR, let's say a 10.x range, then you'll have to replace the forwarder accordingly.
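As an added example (not the course's own configuration, which the author says he posts separately), here is a small Python helper that derives the Route 53 resolver address from the VPC CIDR and renders a named.conf.options with the ACL and forwarder this section describes. The ACL name `trusted`, the sample client addresses 203.0.113.10 and 172.16.0.0/16, and the exact set of options are assumptions; the page only states that the ACL lists the querying on-premise address and that the forwarder is the VPC's .2 address.

```python
import ipaddress


def route53_resolver_ip(vpc_cidr: str) -> str:
    """Amazon-provided DNS for a VPC lives at the VPC network address + 2:
    172.31.0.0/16 -> 172.31.0.2, 10.0.0.0/16 -> 10.0.0.2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:      # VPC CIDRs are limited to /16../28
        raise ValueError("a VPC CIDR must be between /16 and /28")
    return str(net.network_address + 2)


def normalize_client_cidrs(clients):
    """Accept bare IPs or CIDRs and return canonical CIDR strings.
    A 0.0.0.0/0 entry is refused: it would turn the forwarder into an open
    resolver reachable from anyone who can hit port 53."""
    out = []
    for c in clients:
        net = ipaddress.ip_network(c, strict=False)
        if net.prefixlen == 0:
            raise ValueError("refusing 0.0.0.0/0 in the ACL: that is an open resolver")
        out.append(str(net))
    return out


def render_named_conf_options(vpc_cidr, clients, acl_name="trusted"):
    """Render /etc/bind/named.conf.options for the hybrid forwarder: only ACL
    members (plus BIND's built-in 'localhost' ACL, so the nslookup against
    127.0.0.1 in the walk-through works) may query, and every query is
    forwarded to the Route 53 resolver at the VPC's .2 address."""
    forwarder = route53_resolver_ip(vpc_cidr)
    acl_body = "".join(f"    {c};\n" for c in normalize_client_cidrs(clients))
    return (
        f'acl "{acl_name}" {{\n{acl_body}}};\n\n'
        "options {\n"
        '    directory "/var/cache/bind";\n'
        "    recursion yes;\n"
        f"    allow-query {{ localhost; {acl_name}; }};\n"
        f"    allow-recursion {{ localhost; {acl_name}; }};\n"
        "    forwarders {\n"
        f"        {forwarder};\n"
        "    };\n"
        "    forward only;\n"          # never recurse on our own if the forwarder fails
        "    dnssec-validation no;\n"  # assumption: private hosted zones are unsigned
        "    listen-on { any; };\n"
        "    listen-on-v6 { none; };\n"
        "};\n"
    )


if __name__ == "__main__":
    # Constructed values: the default VPC 172.31.0.0/16, one on-prem querier
    # and one on-prem range. Write the output to /etc/bind/named.conf.options
    # and run named-checkconf before restarting bind9.
    print(render_named_conf_options("172.31.0.0/16",
                                    ["203.0.113.10", "172.16.0.0/16"]))
```

Changing the first argument to a 10.x VPC CIDR changes the forwarder line accordingly, which is the adjustment the section mentions; the ACL check is there because an `any` or `0.0.0.0/0` ACL on an instance with a public IP is the classic way to end up running an open resolver.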

All right. So once you have added the configuration, make sure you make use of the command named-checkconf. When you press Enter, this basically tells you whether the configuration that you have written is valid or not. So currently it is telling us that it is not valid.

So let's quickly open named.conf.options, and yes, we missed one. All right. So now if you quickly run this command, you see it is showing everything is perfect. So now you can quickly verify whether the Bind service is active or not. Currently it is inactive; if you look into the Active status it is showing as dead.

So you can go ahead and start the Bind service. All right, now, once you start the Bind service, typically you should see named listening on port 53. So this is very important. Once named is listening on 53, from local you can try to query it to see if the domains are being resolved. So let's do one thing. I'll go to Route 53 and add a new record set. I'll call it demo and I'll give a random address here, say 10.5.10.5. I'll go ahead and click create.

All right, so this is our sample record. So from the CLI I'll do nslookup on demo.kplabs.internal, and this time I'll be querying 127.0.0.1, and you see I am able to get the response back. Do remember here that the resolver address is 127.0.0.1 and not 172.31.0.2. Basically what it does is, you send the request to this resolver.

Now, we have already discussed that there is a forwarders section. So if this resolver does not have the answer, it will forward it to 172.31.0.2. It will get the reply and then it will send it back to you. Great. So our right-hand-side solution has been completed. All right. Now the next thing is to have an EC2 instance in VPC 2.

Now, I already have an EC2 instance which is in VPC 2. Let me copy the IP address of that EC2 instance and I'll log in to it over here. All right. Now, in case you want to verify whether it is working or not, let's do nslookup on kplabs.internal, and you see it is not able to resolve.

Now, since this is the VPC with the 172.16 subnet, if you look into resolv.conf here it should have 172.16.0.2. All right. So now what we want is from this EC2 instance: if you have on-premise with VPN connectivity, basically over the IPsec tunnel, that is perfect. But I wanted to keep the setup simple.

So from this EC2 instance we want to query the private hosted zone over here. Now we already have the DNS server which is configured. So what we'll do is send an nslookup query to this specific DNS server and see whether it is working or not. So I'll copy the IP address of the EC2 instance which has the DNS server. So now let's do nslookup, I'll say demo.kplabs.internal, and I'll paste the IP address of the DNS server which we had configured.

And now you see we are able to perfectly get a reply for the private hosted zone. So you see, it's 10.5.10.5. So I hope you understood how the architecture of a hybrid DNS setup might look. Now, again, we were also discussing one of the caveats here: if this specific DNS server goes down, then the resolution will stop working. And this is the reason why many organizations either make use of two DNS servers for high availability, or they make use of Simple AD for the DNS forwarding.

So basically, whether you use an EC2 instance or Simple AD, the purpose remains the same and the architecture remains the same. The only thing is that for the EC2 instance you'll have to take care of the high availability, and for Simple AD you can basically make use of the HA setup there.

Now one thing that you should remember is that if you design this DNS server, port 53 should have incoming traffic allowed, otherwise the DNS requests will not pass through. So this is the high level overview. Again, I'll post this specific configuration. Let me add this over here, otherwise it will fail for you as well. Anyway, I'll post this after this video so that you can try it out. I hope this video has been informative for you and I look forward to seeing you in the next video.

23. Understanding Route53 Inbound Endpoints

Hey everyone and welcome back. In today's video we will be discussing the Route 53 inbound endpoints. Now, in the hybrid DNS architecture that we were discussing earlier, we had made use of a custom DNS server. The problem with a custom DNS server, as we already discussed, is that we need to maintain high availability.

And if you are using an EC2 instance, then there is a constant need for vulnerability assessment, patching and others. And even if you use Simple AD, you still have to pay for it, which becomes quite expensive sometimes. So this is again not the best architecture, but it is definitely a working architecture.

And a lot of organizations are either using a custom DNS server or Simple AD, because those were the two most widely used solutions. However, AWS came up with a great new feature called Route 53 inbound endpoints. Now, what we have to do is, instead of EC2 or Simple AD, we make use of the Route 53 inbound endpoints, and the architecture remains exactly the same. The great part about Route 53 inbound endpoints is that it is quite cheap and you do not really have to worry about high availability or things going down.

This is completely managed by AWS, although you can definitely configure it at your level. So let me quickly show you how exactly this might look. I'm in my Route 53 console over here, and if you look down here, you have something called inbound endpoints. If I quickly open this up, you'll see that I have one inbound endpoint created. And if I click on this inbound endpoint, you see this endpoint has two IP addresses associated with it.

Basically it is in two Availability Zones for high availability. So now what happens is any server which is on-premise, or maybe in a different location, instead of sending the request to the custom DNS server, can send it to the Route 53 endpoint. It remains the same because the Route 53 inbound endpoint also has IP addresses which can be queried. So let's copy one of these IP addresses.

I'll copy this IP, and from the Ubuntu server that we had configured for our testing purposes, we'll query the record demo.kplabs.internal. I'll send this nslookup query to the endpoint IP of Route 53. All right, so when I press Enter, you see I am able to get the response back. Perfect. Now, in case you have something like a peered VPC, let's say that I have the second VPC over here.

Now I have established VPC peering, so both these VPCs are currently peered. So let me log in to the EC2 instance which belongs to the second VPC over here. And from the second VPC instance, let me do nslookup on demo.kplabs.internal, and I'll paste the IP address of the Route 53 inbound endpoint, and you see I am able to get the resolution as well.

So, similar to the architecture that we were discussing, instead of an EC2 instance or Simple AD, we create a simple Route 53 endpoint, and if we query this Route 53 endpoint, then this acts as a forwarder and all the zones, even the private hosted zones, from Route 53 will be resolvable by the on-premise DNS server. So this is the high level overview of the Route 53 endpoints. I hope this video has been informative and I look forward to seeing you in the next video.

24. Creating first Route53 Inbound Endpoints

Hey everyone and welcome back. Now in the earlier video we discussed at a high level the advantages that Route 53 inbound endpoints give us. So what we will do in today's video is start from scratch and look into the configuration steps which are involved in creating a Route 53 inbound endpoint. So the first thing that you need to do is go to the Route 53 console, and below here you have the tab of Inbound Endpoints. So click there and you can click on create an inbound endpoint. Here you need to give the endpoint name; let me call it KP Labs Endpoint. Then you have to give the VPC. Let me quickly show you: the endpoint that gets created has IP addresses, and depending on which VPC you associate the endpoint with, those IP addresses will be configured.

So I'll select the VPC over here, and the next thing that you need to do is configure the security group. In my case, I'll configure the default security group which is available, and then you have the option of two IP addresses. These are for high availability: the endpoint that you create will have two IP addresses, in different subnets and in different Availability Zones, for high availability. So let's create the first in Availability Zone 1a. I'll select one subnet there, and let me select a different subnet for IP address two, and a different AZ as well. Now do remember that within the IP address there are two options. You can use an IP address that is selected automatically, or you can use an IP address that you specify. For simplicity, I'll use an IP address which is selected automatically, and then you can go ahead and click on Submit. All right, so what it is doing now is creating a new Route 53 endpoint, and there will be two IP addresses associated with that endpoint. Once the endpoint is configured, then instead of sending the query to the IP address of the DNS server that you might have configured in a custom way, you can send the request to the IP address of the DNS inbound endpoint. Great.
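The same creation steps done in the console above, as an added example in Python (not part of the course): the builder enforces the two rules the walk-through applies by hand, two IP addresses in two different subnets and two different Availability Zones, and produces the keyword arguments for the Route 53 Resolver `CreateResolverEndpoint` API as exposed by boto3's `create_resolver_endpoint`. The security group and subnet IDs are placeholders, the `us-east-1` region and `AvailabilityZone` field on each entry are assumptions (the AZ is not an API field; it is supplied by the caller, for instance from `describe_subnets`, so the check can run offline).

```python
import uuid


def build_inbound_endpoint_request(name, security_group_ids, ip_addresses):
    """Build kwargs for route53resolver.create_resolver_endpoint.

    ip_addresses: list of dicts with SubnetId, AvailabilityZone and an
    optional Ip. Leaving Ip out lets AWS pick an address automatically, which
    is the "selected automatically" option in the console.
    """
    if len(ip_addresses) < 2:
        raise ValueError("an inbound endpoint needs at least two IP addresses")
    azs = [e["AvailabilityZone"] for e in ip_addresses]
    if len(set(azs)) < 2:
        raise ValueError("place the endpoint addresses in at least two AZs")
    subnets = [e["SubnetId"] for e in ip_addresses]
    if len(set(subnets)) != len(subnets):
        raise ValueError("each endpoint address must use a different subnet")

    api_ips = []
    for e in ip_addresses:
        entry = {"SubnetId": e["SubnetId"]}
        if e.get("Ip"):                 # only present when the caller pins an address
            entry["Ip"] = e["Ip"]
        api_ips.append(entry)

    return {
        "CreatorRequestId": str(uuid.uuid4()),   # idempotency token required by the API
        "Name": name,
        "SecurityGroupIds": list(security_group_ids),
        "Direction": "INBOUND",
        "IpAddresses": api_ips,
    }


def create_inbound_endpoint(request, region="us-east-1"):
    """Submit the request. boto3 is imported lazily so the builder can be
    exercised offline; this call needs AWS credentials and network access."""
    import boto3  # assumption: boto3 is installed wherever this is run
    client = boto3.client("route53resolver", region_name=region)
    return client.create_resolver_endpoint(**request)["ResolverEndpoint"]


if __name__ == "__main__":
    # Placeholder IDs: substitute your own security group and subnet IDs.
    req = build_inbound_endpoint_request(
        "kplabs-endpoint",
        ["sg-PLACEHOLDER"],
        [{"SubnetId": "subnet-PLACEHOLDER-a", "AvailabilityZone": "us-east-1a"},
         {"SubnetId": "subnet-PLACEHOLDER-b", "AvailabilityZone": "us-east-1b"}],
    )
    print(req)
    # endpoint = create_inbound_endpoint(req)   # uncomment with real IDs and credentials
```

The returned `ResolverEndpoint` carries the endpoint ID; the two addresses themselves come back from `list_resolver_endpoint_ip_addresses` once the endpoint status is `OPERATIONAL`, and those are the addresses on-premise resolvers forward to.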

So here it says that it has been created. If I quickly open it up, it says that these are the two IP addresses which the endpoint has. Now if you quickly click on the IP address here, it will basically take you to the Network Interface console. Within the console, do make sure that whatever security group is associated with the inbound endpoint has port 53 open, so that the on-premise server, or any other servers which are querying this inbound endpoint, are able to connect. So in my case, if I quickly open the security group over here: I already have UDP port 53 allowed for the peered VPC; this we had used for the demo. Now the default VPC already has the source of 172.31.0.0/16, so any EC2 instance within the same VPC where the Route 53 inbound endpoint was created will be able to connect to it. In order to verify that, I have logged into an EC2 instance in the same VPC where our inbound endpoint is created, just for a demo. So let me do nslookup, let's say this time I'll do ab.kplabs.internal, and I'll specify the IP address of the inbound endpoint, and you see it is able to resolve things perfectly. Now, querying from the EC2 instance in the same VPC is just for the demo.
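Both the Bind9 section (port 53 must be allowed inbound on the custom DNS server) and this section (the inbound endpoint's security group must allow port 53 from the querying servers) come down to the same check. Here it is as an added example, not from the course: the function reads one security group in the shape that EC2 `DescribeSecurityGroups` returns and reports whether a given client range can reach port 53 over UDP and TCP, and whether DNS is exposed to the whole internet. The sample group is constructed to match the walk-through (UDP 53 from 172.31.0.0/16 only); the group ID and the SSH rule are placeholders.

```python
import ipaddress


def _rule_covers_port_53(perm, proto):
    """True if one IpPermissions entry allows `proto` on port 53.
    IpProtocol '-1' means all traffic and has no port fields."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= 53 <= perm.get("ToPort", 65535)


def dns_ingress_status(security_group, client_cidr):
    """Report whether `client_cidr` can reach port 53 over UDP and TCP through
    this group, and whether any port-53 rule is open to 0.0.0.0/0."""
    client = ipaddress.ip_network(client_cidr, strict=False)
    status = {"udp": False, "tcp": False, "open_to_world": False}
    for perm in security_group.get("IpPermissions", []):
        for proto in ("udp", "tcp"):
            if not _rule_covers_port_53(perm, proto):
                continue
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if src.prefixlen == 0:
                    status["open_to_world"] = True
                if src.version == client.version and client.subnet_of(src):
                    status[proto] = True
    return status


def missing_dns_rules(security_group, client_cidr):
    """Protocols the client range is NOT allowed to use on port 53.
    DNS falls back to TCP for responses that do not fit in a UDP packet, so
    an empty list (both UDP and TCP allowed) is the target state."""
    s = dns_ingress_status(security_group, client_cidr)
    return [p for p in ("udp", "tcp") if not s[p]]


# Constructed sample in DescribeSecurityGroups shape: UDP 53 from the VPC's own
# range, as in the walk-through, plus an unrelated SSH rule.
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

if __name__ == "__main__":
    # An instance in the same VPC: UDP works, TCP 53 is still missing.
    print(missing_dns_rules(SAMPLE_SG, "172.31.5.7/32"))
    # An on-prem / peered 172.16.0.0/16 range: nothing allowed yet, which is
    # exactly the failure the section warns about.
    print(missing_dns_rules(SAMPLE_SG, "172.16.0.0/16"))
```

With real data, feed it the `SecurityGroups[0]` element from `describe_security_groups` for the group attached to the endpoint's network interface; the `open_to_world` flag is the one to watch on a custom Bind9 instance with an Elastic IP, since port 53 open to 0.0.0.0/0 on a recursive forwarder is an open resolver.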

However, even if you have a peered VPC, or even if you are sending the request via Direct Connect or via an IPsec tunnel from your on-premise, you need to make sure that you send the request to the inbound endpoint IP address. And once you do that, the inbound endpoint will be able to query and send you the response back. Now, one great thing, as we discussed, is that we don't really have to worry about managing Simple AD or managing a custom DNS server with Route 53 inbound endpoints. It just takes a minute to configure and that's about it. All right? So this is a new solution and a pretty good one, and most organizations will slowly move towards Route 53 inbound endpoints from their legacy architectures. So that's about it for this video. I hope this video has been informative for you and I look forward to seeing you in the next video.
