Each VPC should have its own Route 53 private hosted zone, so that internal services are reached through consistent, contextual DNS names rather than private IP addresses, and so that addressing is standardised across environments.
Route 53 private hosted zones provide DNS for names that only need to resolve inside one or more VPCs. This is exceptionally useful because workloads in the VPC can address local services by domain name instead of by private IP address. Every VPC already ships with an Amazon-provided resolver (reachable at the VPC network address plus two, e.g. 10.0.0.2 for 10.0.0.0/16) that answers contextual queries for AWS-managed names such as VPC interface endpoints and RDS endpoints. A private hosted zone lets you publish your own standardised records through that same resolver, with no additional DNS servers to run.
To set up a private hosted zone, create a Route 53 hosted zone and associate it with your VPC. Two VPC attributes, enableDnsSupport and enableDnsHostnames, must be true for the association to resolve anything; both default to true for VPCs created in the console, but not always for VPCs created by API, CLI or infrastructure-as-code. Pay attention to the naming convention for the zone. Since this is a private DNS service, use only a name intended for internal use that does not carry historical baggage; `.private` (one of the names RFC 6762 lists for that purpose) is an example of a safe choice. The best approach, however, is a subdomain of a domain your organisation already owns and reserves for private use, such as `private.yourdomain.com`. This avoids the inconsistent behaviour of pseudo-TLDs such as `.local`, which RFC 6762 reserves for multicast DNS and which many operating-system resolvers therefore handle with hard-coded special cases rather than sending to the configured DNS server. It also simplifies TLS: public CAs will not issue certificates for names that are not under a registered domain, whereas a subdomain of a domain you own can be validated (for example via ACME DNS-01 against the public zone, or covered by ACM) and used to build TLS Everywhere infrastructure. One caveat to keep in mind: within an associated VPC, a private hosted zone shadows the public zone for every name beneath it, so creating a private zone for `yourdomain.com` itself would stop public `yourdomain.com` records from resolving inside the VPC. A dedicated subdomain such as `private.yourdomain.com` avoids that problem.
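The following Terraform configuration is an added example of the setup described above; it is not code from the original page. It assumes the hypothetical domain `private.example.com`, two VPC CIDRs, and a single application host IP, all chosen for illustration. It enables the two VPC DNS attributes the zone depends on, creates the private hosted zone for the reserved subdomain, publishes one record, and associates the same zone with a second VPC so both environments share the naming scheme.

```hcl
# Added example (not from the original page): a Route 53 private hosted zone
# for a reserved subdomain of a domain the organisation owns.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption for the example
}

# Both DNS attributes must be true or the private zone will not resolve
# inside the VPC. They are not guaranteed to default to true when the VPC
# is created outside the console.
resource "aws_vpc" "app" {
  cidr_block           = "10.10.0.0/16" # constructed example range
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = { Name = "app-vpc" }
}

resource "aws_vpc" "shared" {
  cidr_block           = "10.20.0.0/16" # constructed example range
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = { Name = "shared-services-vpc" }
}

# A subdomain of an owned public domain, reserved for internal use.
# Deliberately NOT "example.com" itself: a private zone for the apex would
# shadow all public example.com records inside the associated VPCs.
resource "aws_route53_zone" "private" {
  name    = "private.example.com" # hypothetical name
  comment = "Internal names for app and shared-services VPCs"

  vpc {
    vpc_id = aws_vpc.app.id
  }

  # Additional VPCs are attached with aws_route53_zone_association below;
  # ignore the vpc block here so Terraform does not try to detach them.
  lifecycle {
    ignore_changes = [vpc]
  }
}

# Share the same zone (and therefore the same naming scheme) with a second VPC.
resource "aws_route53_zone_association" "shared" {
  zone_id = aws_route53_zone.private.zone_id
  vpc_id  = aws_vpc.shared.id
}

# An internal service record. The target is a private IP that is only
# meaningful inside the VPCs, which is exactly why it belongs in a private zone.
resource "aws_route53_record" "app" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "app.private.example.com" # hypothetical name
  type    = "A"
  ttl     = 60
  records = ["10.10.1.25"] # constructed example address
}

output "private_zone_id" {
  value = aws_route53_zone.private.zone_id
}
```

To check the result, run `dig app.private.example.com` from an instance in either VPC: the Amazon-provided resolver should return the private address, while the same query from outside AWS returns NXDOMAIN (or whatever the public `example.com` zone says), because the private zone is never exposed publicly. The TLS advantage follows from the name choice: a certificate for `app.private.example.com` can be issued by a public CA through DNS-01 validation in the public `example.com` zone, or by ACM, without ever publishing the private address.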
Identify networks missing private DNS and visualise a TLS-everywhere environment for your organisation by purchasing a SkySiege Cloud Assessment with included consultation today.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.