Ok, nerdy topic, but we’ve been gradually going to a tri-mode system where I use Bluehost for casual stuff, DigitalOcean for stuff I care about like tongfamily.com, and AWS for the big boy pants work.
Part of that transition is moving from Bluehost DNS services to AWS services. The AWS service is called Route 53 and is quite a bit more complicated than the already obscure Bluehost services. But first, a review.
A Dummy’s Guide to DNS
Ok, here’s the short scoop: when you go to Namecheap.com and buy a cool new domain name, that’s not even close to the end of the story. There is also a Domain Name Server which tells anything on the Internet how to translate tongfamily.com into an Internet Protocol (IP) address. This is a small database that says exactly that. This database, by the way, is called a zone in the world of DNS.
The terminology is of course really complicated. There are a bunch of different record types. The most basic is an A record; this does exactly what you expect, it takes a host record and turns it into an IP address. Now what’s a host record? This is simply the stuff before the dot, so the host record www tells the Internet where www.tongfamily.com lives. There are also AAAA records which do the same for IPv6 addresses; these are much longer numbers that the Internet will move to eventually because there are so many devices plugged into the thing.
One of the magic host record names is @, which simply means where does something without a subdomain go; it is what makes tongfamily.com without any www work right.
The final field is something called TTL or time to live. This means that if a browser, for instance, does a name lookup for www.tongfamily.com, how long should it cache the answer before doing another call. This is in seconds, so you see strange values like 14400, which if you do the division is four hours. The longer the TTL the more efficient, but then if you make a change, you have to wait at least that long for changes to propagate through the Internet.
The second idea is something called a CNAME or Canonical Name. A normal human would call this an alias. So this looks basically like a host record, and then the content is another domain name. For instance, you might have smtp point to mail.tongfamily.com, which means that all requests to smtp.tongfamily.com get sent to mail.tongfamily.com. Of course this can lead to all kinds of horrible behavior and even loops, so try to keep the lookups to a few levels, like one or two, because eventually you need to point to a real A or AAAA record.
Then there are MX or Mail Exchange records; these tell the Internet where to send mail traffic. You normally have a whole slew of these for reliability reasons and they come with a priority, with the lower number tried first. So for instance to connect to Google GSuite, the host record is always everything, or @, and then the names look like
Finally, there are TXT records; these are hints to various services on the Internet. Some important ones are SPF1, which handles antispam, so the host record is normally @ for everything, and for instance to only allow email to be sent from certain places, you would have
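The record types above (A, AAAA, CNAME with its loop problem, TTL, and MX priority) are easier to see with a small model. This is an added example, not part of the original post: a constructed toy zone for tongfamily.com with hypothetical addresses, a resolver that follows CNAMEs to a terminal A/AAAA record while refusing loops and chains deeper than two hops, the effective TTL a cache can trust, and an MX sort in delivery order.

```python
"""Toy DNS zone model: A/AAAA/CNAME resolution with TTL and loop checks, MX ordering."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str         # host record relative to the zone; "@" is the apex
    rtype: str        # A, AAAA, CNAME or MX
    value: str        # address, target name, or "priority host" for MX
    ttl: int = 14400  # seconds; 14400 is the four hours mentioned above


ZONE_NAME = "tongfamily.com"

# Constructed sample zone: hypothetical addresses, not the real tongfamily.com data.
ZONE = [
    Record("@", "A", "203.0.113.10"),
    Record("@", "AAAA", "2001:db8::10"),
    Record("mail", "A", "203.0.113.25", ttl=3600),
    Record("www", "CNAME", "tongfamily.com"),
    Record("smtp", "CNAME", "mail.tongfamily.com", ttl=300),
    Record("loop-a", "CNAME", "loop-b.tongfamily.com"),  # deliberately broken pair
    Record("loop-b", "CNAME", "loop-a.tongfamily.com"),
    Record("@", "MX", "5 alt1.aspmx.l.google.com"),
    Record("@", "MX", "1 aspmx.l.google.com"),
    Record("@", "MX", "5 alt2.aspmx.l.google.com"),
]


class CnameLoop(Exception):
    """Raised when a CNAME chain never reaches an address record."""


def host_label(fqdn):
    """'www.tongfamily.com' -> 'www'; the bare zone name -> '@'."""
    fqdn = fqdn.rstrip(".")
    if fqdn == ZONE_NAME:
        return "@"
    suffix = "." + ZONE_NAME
    if not fqdn.endswith(suffix):
        raise KeyError(f"{fqdn} is outside the zone {ZONE_NAME}")
    return fqdn[:-len(suffix)]


def lookup(label, rtype, zone=ZONE):
    return [r for r in zone if r.name == label and r.rtype == rtype]


def resolve(fqdn, rtype="A", zone=ZONE, max_hops=2):
    """Follow CNAMEs until an A/AAAA record; return (addresses, effective_ttl).

    The effective TTL is the smallest TTL along the chain, which is how long a
    cache can trust the whole answer. Loops and chains longer than max_hops raise.
    """
    label = host_label(fqdn)
    chain = [label]
    ttl = None
    for _ in range(max_hops + 1):
        cnames = lookup(label, "CNAME", zone)
        if not cnames:
            recs = lookup(label, rtype, zone)
            if not recs:
                raise KeyError(f"no {rtype} record for {label}")
            ttls = [r.ttl for r in recs] + ([ttl] if ttl is not None else [])
            return [r.value for r in recs], min(ttls)
        cname = cnames[0]
        ttl = cname.ttl if ttl is None else min(ttl, cname.ttl)
        label = host_label(cname.value)
        if label in chain:
            raise CnameLoop(" -> ".join(chain + [label]))
        chain.append(label)
    raise CnameLoop(f"more than {max_hops} CNAME hops: " + " -> ".join(chain))


def mail_exchangers(zone=ZONE):
    """MX hosts in the order a sender tries them: lowest priority number first."""
    mx = []
    for r in lookup("@", "MX", zone):
        prio, host = r.value.split()
        mx.append((int(prio), host))
    return sorted(mx)


def lint_cnames(zone=ZONE, max_hops=2):
    """Names whose CNAME never reaches an A record: the check to run before publishing."""
    bad = []
    for r in zone:
        if r.rtype == "CNAME":
            try:
                resolve(f"{r.name}.{ZONE_NAME}", zone=zone, max_hops=max_hops)
            except (CnameLoop, KeyError):
                bad.append(r.name)
    return sorted(bad)


if __name__ == "__main__":
    print(resolve("www.tongfamily.com"))
    print(resolve("smtp.tongfamily.com"))
    print(mail_exchangers())
    print("broken CNAMEs:", lint_cnames())
```

The lint is the part worth keeping: every CNAME in the zone is walked to its address record, so a loop or a dangling alias shows up before the zone goes live rather than as a mysterious resolution failure that lasts one TTL.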
How does this translate into the AWS world
Well, they have a much more complicated system since their DNS is meant to work for really big sites, so here’s a quick decoder ring.
First of all, the terminology in Route 53 is quite different. To get there, log in to the AWS console and go to Route 53 at https://console.aws.amazon.com/route53/home
Now you will see the main console (at least in July 2019), a dashboard that starts with DNS Management, and you want to create what they call a Hosted Zone.
When you Create a Hosted Zone, the domain name is what you think, and then you get a choice. You can create a DNS zone just for internal use in your AWS cluster, but most folks will want a Public Hosted Zone.
Now you get to the second difference in how this stuff works. In Bluehost or simple domain managers, you will never see the NS or Name Server records, nor the SOA records, but since AWS is enterprise oriented, you can change these. Don’t change these.
Instead, you need to create what they call a Record Set. The reason it is called a Record Set and not just a Record is that in AWS land, you can glom together records like TXT and MX into a single entry, which is kind of convenient but confusing.
So now click on Create Record Set, and you get to the next difference, which is that there is no wildcard @ concept; instead, you just leave the Name field blank. The Name field is the same as the Host Record in Bluehost, for instance. Then you can start with an A record, and the Value is the same. It’s a separate topic I’ll cover later, but that should be the location of your website that you made with WordPress or whatever.
Now you can create some convenient names; for instance, if you want www to point to the main site, you can create a CNAME to do that.
Now here is where the strangeness begins: if you click to create MX, then you actually create all the MX records at once. In the Value field, you type in some text that is space delimited so it looks like
1 aspmx.l.google.com 5 alt1.aspmx.l.google.com 5 alt2.aspmx.l.google.com
The same is true of the TXT records: instead of creating many of them, you just create one TXT Record Set that has everything. Note that most domain managers automatically handle the 255 character limitation on TXT records, but with AWS you have to manually cut the records yourself. This comes up with DKIM, where you have to put in the actual public key, so you have to break it up; the TXT record set will look something like a bunch of quoted strings. The first string here is for spoof protection and the second pair is for mail protection as well.
"v=spf1 include:_spf.google.com ~all" "v=DKIM1; k=rsa; p=MIIBIjANBthisstringisgoingislessthan255" "HkzzCRGfZoc9IULPcMtheremainingpartofthekey"
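The whole Route 53 procedure above (blank Name for the apex, a www CNAME, all MX values in one record set, and TXT values cut at 255 characters for DKIM) can be expressed as one change batch. This is an added example, not code from the original post or from AWS: it builds the ChangeBatch structure that boto3's change_resource_record_sets call takes, using a hypothetical zone, constructed addresses, a constructed DKIM selector name (DKIM keys are published under selector._domainkey per RFC 6376), and a placeholder key. Nothing here talks to AWS; the actual call is shown only in a comment.

```python
"""Build a Route 53 ChangeBatch for apex A, www CNAME, Google MX, SPF and DKIM TXT."""
import json

ZONE = "tongfamily.com"  # hypothetical zone for this example, not a real configuration
TTL = 300                # short TTL while setting things up; raise it once stable


def fqdn(name=""):
    """Route 53 wants fully qualified names with the trailing dot; a blank
    name (the Bluehost '@') means the zone apex."""
    return f"{ZONE}." if not name else f"{name}.{ZONE}."


def txt_chunks(value, limit=255):
    """Split one TXT string into <=255-character quoted pieces, the form Route 53
    accepts for a long value. Resolvers concatenate the pieces when reading."""
    if '"' in value:
        raise ValueError("embedded quotes are not handled in this example")
    pieces = [value[i:i + limit] for i in range(0, len(value), limit)] or [""]
    return " ".join(f'"{p}"' for p in pieces)


def record_set(name, rtype, values, ttl=TTL):
    """One Route 53 record set; several values live in one set (MX, TXT)."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": fqdn(name),
            "Type": rtype,
            "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values],
        },
    }


def build_change_batch(web_ip, mx_hosts, spf, dkim_selector, dkim_key):
    """mx_hosts is a list of (priority, host); lower priority is tried first."""
    mx_values = [f"{prio} {host}" for prio, host in mx_hosts]
    return {
        "Comment": "constructed example: apex A, www CNAME, MX, SPF, DKIM",
        "Changes": [
            record_set("", "A", [web_ip]),
            record_set("www", "CNAME", [fqdn()]),
            record_set("", "MX", mx_values),
            record_set("", "TXT", [txt_chunks(spf)]),
            record_set(f"{dkim_selector}._domainkey", "TXT",
                       [txt_chunks(f"v=DKIM1; k=rsa; p={dkim_key}")]),
        ],
    }


def registrar_name_servers(ns_values):
    """Strip the trailing dot Route 53 prints before pasting at a registrar."""
    return [ns.rstrip(".") for ns in ns_values]


if __name__ == "__main__":
    batch = build_change_batch(
        "203.0.113.10",                                  # constructed address
        [(1, "aspmx.l.google.com"),
         (5, "alt1.aspmx.l.google.com"),
         (5, "alt2.aspmx.l.google.com")],
        "v=spf1 include:_spf.google.com ~all",
        "selector1",                                     # constructed DKIM selector
        "PLACEHOLDER_DKIM_PUBLIC_KEY_" + "A" * 300,      # placeholder key, not real
    )
    print(json.dumps(batch, indent=2))
    # To apply for real (credentials and a hosted zone required):
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="<YOUR_HOSTED_ZONE_ID>", ChangeBatch=batch)
    print(registrar_name_servers(["ns-1.awsdns-00.org."]))  # constructed NS value
```

Two things the batch makes visible that the console hides: a TXT value that is longer than 255 characters becomes one Value holding several quoted pieces, not several separate values, and every Name carries the trailing dot, which is exactly what you strip again before handing the NS names to the registrar.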
Now for the final weirdness: to set up your registrar to point to AWS, you are going to need the names of all the servers in your NS record, so copy them out. But AWS does the proper thing and every DNS address ends with a period, so it looks like www.tongfamily.com. with the ending dot. Properly, this is because com actually belongs to an invisible domain. But most ordinary registrars barf on this, so delete the ending period before putting them into the name server entries.