Ok nerdy topic, but we’ve been gradually going to a Tri-mode system where I use Bluehost for casual stuff, DigitalOcean for stuff I care about like tongfamily.com and AWS for the big boy pants work.
Part of that transition is moving from Bluehost DNS services to AWS services. This is called Route53 and is quite a bit more complicated than the already obscure Bluehost services. But to review
A Dummy’s Guide to DNS
Ok, here’s the short scoop, when you go to Namecheap.com and buy a cool new domain name, that’s not even close to the end of the story. There is also a Domain Name Server which tells anything on the Internet how to translate tongfamily.com
into a Internet Protocol (IP) address. This is a small database that says exactly like that. This database by the way is called a zone
in the world of DNS.
The terminology is of course really complicated. There are a bunch of different record types. The most basic is an A record, this does exactly what you expect, it takes a host record and turns it into an IP address. Now what’s a host record, this is simply the stuff before the dot, so the host record for www
tells the internet where www.tongfamily.com
lives. There are also AAAA records which do the same for IP v6 address, these are much longer numbers that the Internet will move to eventually because there are so many devices plugged into the thing.
One of the magic host record names is @
which simply means where does something without a subdomain go, it is what makes tongfamily.com
without any www
work right.
The final field is something called TTL or time to live, this means that if a browser for instance does a name look up for www.tongfamily.com
then how long should it cache it before doing another call. This is in seconds, so you see strange values like 14400
which if you do the vision is four hours. The longer the TTL the more efficient but then if you make a change, you have to wait at least that long for changes to propagate through the Internet.
The second idea is something called a CNAME or Canonical Name. A normal human would call this an alias. So, this looks basically like host record and then the content is another domain name, so for instance, you might have smtp
points to mail.tongfamily.com
which means that all requests to smtp.tongfamily.com
get sent to mail.tongfamily.com
. Of course this can lead to all kinds of horrible behavior and even loops, so try to keep the looks up a few levels, like one or two because eventually you need to point to a real A or AAAA record.
There there are MX or Mail Exchange records, this tells the Internet where to send mail traffic, you normally have a whole slew of these for reliability reasons and they come with a priority, with the lower number first. So for instance to connect to Google GSuite, the host record is always everything or @
and then names look like aspmx.l.google.com
Finally, there are TXT records, these are hints to various services on the Internet. Some important ones are the SPF1 which handles antispam, so the host record is normally @
for everything and for instance to only allow email to be sent from certain places, you would have v=spf include:_spf.google.com
How do this translate into AWS world
Well, they have a much more complicated system since their DNS is meant to work for really big sites, so here’s a quick decoder ring.
First of all, the terminology in Route 53 is quite different, to get there, login to the AWS console and go to the Route53 at https://console.aws.amazon.com/route53/home
Now you will see the main console (at least in July 2019) a dashboard that starts with DNS Management
and you want to create what they called hosted zones
When you Create a Hosted Zone, the domain name is what you think and then you you get a choice. You can create a DNS just for internal use in your AWS cluster, but most folks will want Public Hosted Zone
.
Now you get to the second difference in how this stuff works. In Bluehost or simple Domain Managers, you will never see the NS or Name Server records to the SOA records either, but since AWS is enterprise oriented, you can change these. Don’t change these.
Instead, you need to create new what they call Record Set
the reason it is called a Record Set and not just create a Record is that in AWS land, you can glom together records like TXT and MX into a single entry which is kind of convenient, but confusing.
So now click on Create Record Set
, and you get to the second difference, which is that which is that there is no wild card concept @
instead, you just leave the Name
field blank. The name field is the same as the Host Record in Bluehost for instance, then you can state with an A record and the Value is the same. It’s a separate topic I’ll cover later, but that should be the location of your website that you made with WordPress or whatever.
Now you can create some convenient names for instance, if you want www
to point to the main, then you can create CNAME to do that.
Now there is where the strangeness begins, if you click to create MX, then you actually create all the MX records at once. In the Value field, you type in some text that is space delimited so it looks like
1 aspmx.l.google.com 5 alt1.aspmx.l.google.com 5 alt2.aspmx.l.google.com
The same is true of the TXT records, instead of creating many of them, you just create one TXT Record Set that has everything. Note that with most domain manager, they automatically handle the 255 character limitation with TXT records, but with AWS, you have to manually cut the records yourself. This comes up with DKIM where you have to put in the actual public key so you have to break it up, so the TXT record set will look something like a bunch of quote strings, the first set here is for spoof protection and the second for mail protection as well
"v=spf1 include:_spf.google.com ~all" "v=DKIM1; k=rsa; p=MIIBIjANBthisstringisgoingislessthan255" "HkzzCRGfZoc9IULPcMtheremainingpartofthekey"
Now for the final weirdness, to set up your registrar to point to AWS, you are going to need the names of all the servers in your NS record, so copy them out, but AWS does the proper thing and every DNS address ends with period, so it looks like www.tongfamily.com.
notice the ending dot. Properly, this is because com actually belongs to an invisible domain. But, most ordinary registrars barf on this, so delete the ending period before putting them into the name server entries.