AWS re:Invent 2016: DNS Demystified: Getting Started with Amazon Route 53, featuring Warner Bros. Entertainment (NET202)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

November 30, 2016

NET202

DNS DemystifiedGetting Started with Amazon Route 53,

Featuring Warner Bros. Entertainment

Sean Meckley, Sr. Product Manager, Amazon Route 53

Vahram Sukyas, Vice President, Application Infrastructure & Operations, Warner Bros. Entertainment

What to expect from the session

• What is DNS? (in under 5 minutes)

• Step-by-step: setting up DNS for a basic web application

• Improving availability and performance with advanced

DNS features

• Strategies for migrating multiple domains to Amazon

Route 53

• Real-world migration example: Warner Bros.

Entertainment

What is DNS? (in under 5 minutes)


Your web server


Your web server

IP address: 1.2.3.4


Your web server

IP address: 1.2.3.4

www.example.com


Your web server

IP address: 1.2.3.4


Your web server

IP address: 1.2.3.4


http://www.example.com

Your web server

IP address: 1.2.3.4


ISP’s DNS

Resolver

Your web server

IP address: 1.2.3.4

www.example.com?


ISP’s DNS

Resolver

Root name server

Your web server

IP address: 1.2.3.4

www.example.com?

www.example.com?


ISP’s DNS

Resolver

Root name server

Name server for .com

Your web server

IP address: 1.2.3.4

www.example.com?

this name server knows about .comwww.example.com?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

www.example.com?

this name server knows about .com

www.example.com?

www.example.com?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?

this name server knows about

example.com

www.example.com?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?

Q: How does .com name server know?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?

Q: How does .com name server know?

A: Your domain name registrar updates

this info on your behalf


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?

www.example.com?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?

I know about www.example.com!

IP address 1.2.3.4

www.example.com?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?


IP address 1.2.3.4

www.example.com?

Q: How does Route 53 know?


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?


IP address 1.2.3.4

www.example.com?

Q: How does Route 53 know?

A: You’ve created a hosted zone for

example.com in Route 53


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?


IP address 1.2.3.4

www.example.com?

IP: 1.2.3.4

I found an answer!

www.example.com is at the

IP address 1.2.3.4


ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?


IP address 1.2.3.4

www.example.com?

IP: 1.2.3.4

HTTP request:

IP: 1.2.3.4



ISP’s DNS

Resolver

Root name server


Your web server

IP address: 1.2.3.4

Name server for

example.com

www.example.com?


www.example.com?


example.com

www.example.com?


IP address 1.2.3.4

www.example.com?

IP: 1.2.3.4

HTTP request:

IP: 1.2.3.4


Success!

What is DNS? Advantages of managed DNS

• Worldwide anycast network with redundant locations

• 100% availability SLA

• Advanced routing: LBR, Geo, WRR, Failover

• AWS integrations: Alias

• Manage via API, CLI, SDKs, AWS tools, third-party tools

Step by step: DNS for a basic website


ISP’s DNS

Resolver

Root name server


Your web server

Name server for

example.com


ISP’s DNS

Resolver


Your web server

Name server for

example.com

Root name server

Register a domain name


ISP’s DNS

Resolver


Your web server

Root name server

Name server for

example.com


Create a hosted zone


ISP’s DNS

Resolver


Your web server

Root name server


Name server for

example.com


Create DNS records in your hosted

zone


ISP’s DNS

Resolver

Your web server

Name server for

example.com

Root name server


“Delegate” to Route 53




zone

Step by step: domain name registration

ISP’s DNS

Resolver

Root name server

Your web server

Name server for

example.com




You can do it in Route 53

You can do it elsewhere (another registrar)

We’ll show both:

• New domain name in Route 53

• Existing domain name in another registrar


Steps to register domain name in Route 53

Console screenshots





If you’ve already registered a domain name using another

registrar:

• We’ll create a hosted zone in Route 53 and create

records in the hosted zone

• Then we’ll come back to your registrar to update name

servers to point to your Route 53 hosted zone

Domain Name: example.com


Some Other Registrar


Registrant Contact Info Domain Settings Optional Extras

Name Servers DNS Other Stuff

ns1.someexampleregistrar.com



example.com

*.example.com

foo.example.com

www.example.com

…

…

…

…

A

CNAME

A

A

1.2.3.4

example.com

3.4.5.6

1.2.3.4

…

…

…

…

…

…

…

…

…

…

…

…









example.com

*.example.com

foo.example.com

www.example.com

…

…

…

…

A

CNAME

A

A

1.2.3.4

example.com

3.4.5.6

1.2.3.4

…

…

…

…

…

…

…

…

…

…

…

…

Step by step: create a hosted zone

ISP’s DNS

Resolver

Root name server


Your web server

Name server for

example.com



zone


If you registered a new domain name in Route 53, we’ve

created a hosted zone for you.

Here’s how to find it in the console.









To create a hosted zone for an existing domain name:



Step by step: point records at your server

Root domain (example.com) vs. subdomain

(www.example.com)

Wildcard record – will respond to any unmatched subdomains

Let’s create records for example.com and www.example.com

and point them both at your web server









AWS resources you can create alias records for:

• Elastic Load Balancing

• AWS Elastic Beanstalk

• Amazon CloudFront*

• Amazon S3 website*

* DNS name must exactly match CloudFront alternate domain name or

S3 bucket name

Step by step: create more records

MX record: for your email service

TXT records for email validation, web analytics, certificates

Step by step: delegate to the hosted zone

ISP’s DNS

Resolver

Root name server

Your web server

Name server for

example.com


Delegate to Route 53



This set of four name servers is called a delegation set.

For example:

• ns-1949.awsdns-51.co.uk

• ns-592.awsdns-09.net

• ns-317.awsdns-39.com

• ns-1158.awsdns-16.org



If your domain name is with another registrar, here’s how to

delegate to Route 53









example.com

*.example.com

foo.example.com

www.example.com

…

…

…

…

A

CNAME

A

A

1.2.3.4

example.com

3.4.5.6

1.2.3.4

…

…

…

…

…

…

…

…

…

…

…

…






ns-1949.awsdns-51.co.uk

ns-592.awsdns-09.net

ns-317.awsdns-39.com

ns-1158.awsdns-16.org

example.com

*.example.com

foo.example.com

www.example.com

…

…

…

…

A

CNAME

A

A

1.2.3.4

example.com

3.4.5.6

1.2.3.4

…

…

…

…

…

…

…

…

…

…

…

…


When you migrate between DNS providers for an existing

domain, the change can take up to 48 hours to become

fully effective.

Why? Name server DNS records are typically cached

across the global DNS system for up to 48 hours.

Step by step: recap

ISP’s DNS

Resolver

Root name server


Your web server

Name server for

example.com

Delegation: name servers for

example.com

Domain name: example.com

Hosted zone: example.com

DNS record:

www.example.com A 1.2.3.4

Step by step: recap

Let’s trace a request from client to TLD to authority (r53) to

web server

Step by step: recap

[[email protected]]$

Step by step: recap

[[email protected]]$ dig example.com

Step by step: recap

[[email protected]]$ dig example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.45.amzn1 <<>> example.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47523

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;example.com. IN A

;; ANSWER SECTION:

example.com. 60 IN A 175.41.145.117

;; Query time: 80 msec

;; SERVER: 172.31.0.2#53(172.31.0.2)

;; WHEN: Fri Nov 11 01:48:40 2016

;; MSG SIZE rcvd: 51

Step by step: recap

[[email protected]$ dig NS example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.45.amzn1 <<>> NS example.com


;; Got answer:




;example.com. IN NS

;; ANSWER SECTION:

example.com. 3600 IN NS ns-1795.awsdns-32.co.uk.

example.com. 3600 IN NS ns-21.awsdns-02.com.

example.com. 3600 IN NS ns-678.awsdns-20.net.

example.com. 3600 IN NS ns-1456.awsdns-54.org.

Step by step: recap

[[email protected]$ dig NS example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.45.amzn1 <<>> NS example.com


;; Got answer:




;example.com. IN NS

;; ANSWER SECTION:





Step by step: recap

[[email protected]$ dig example.com +trace

Step by step: recap

[[email protected]$ dig example.com +trace

. 518400 IN NS B.ROOT-SERVERS.com.

...

;; Received 508 bytes from 172.31.0.2#53(172.31.0.2) in 6 ms

com. 172800 IN NS a.gtld-servers.com.

...







example.com. 60 IN A 175.41.145.117






Getting a bit more advanced

• Private DNS in VPC

• Health checks and failover

• Multi-region scenarios: Geo and LBR

• Traffic flow

app-server-01.example.com?

IP: 10.0.1.2

Route 53 private DNS

Advanced: private DNS in VPC

Your app server

IP address: 10.0.3.4

virtual private cloud

Client: a server

in your VPC

Advanced: health checks and failover

Primary web server Backup web server

Route 53 health check


Primary web server Backup web server


Primary web server


Backup web server



Web server 1 Web server 2


Advanced: multi-region

Web server Web server

Web server

Region 1 Region 2

Region 3

Advanced: traffic flow

Advanced: traffic flow

Visit Session NET302: Managing

Global Traffic with Amazon Route

53 Traffic Flow

Real-world migration story:

Warner Bros. Entertainment

Overview

• About Warner Bros.

• Warner Bros. & AWS

• DNS setup before Route 53

• The road to Route 53

• Our results

• Next steps

About Warner Bros.

• A global leader in the creation, production, distribution,

licensing, and marketing of all forms of entertainment:

• Movies

• TV shows

• Games

• Huge portfolio of websites and internal applications

• Thousands of domains

Warner Bros. & AWS

• Multiple active projects to move applications – and even

entire data centers – to AWS

• Primary drivers for moving to AWS

• Application isolation – 150+ Accounts!

• Billing clarity

• Security

• Agility

• Long history of applications running on AWS (TMZ.com,

DramaFever, Turbine, and more!)

DNS setup before Route 53

• On-premises solution

• Bind9

• No self-service

• Poor fault tolerance

• Poor geographic distribution = poor international DNS lookup

times

• 25,000+ domains

• Some zones have over 10,000 records

• DNS without an API is misery

The road to Route 53

Problems to solve:

• Domain registration process

• Devise a scheme for reusable (and WB branded!)

delegation sets

• Find a way to import (and validate) thousands of zones

• IAM and delegating access to specific zones

• Several Route 53 default limits needed to be raised…



• Upper limit on a delegation set is 2,000

• …which means we need to migrate zones in chunks of 2,000 domains

• Our goal was to migrate 2-3 batches a week

• Write a tool to validate entire zones in Route 53 vs. Bind

• Write a tool to easily setup new domains

• Lower TTLs

• Find a tool to handle the migration: cli53 (with some custom patches)

The road to Route 53 – cli53 patches

The road to Route 53 – cli53 patches

Our results

• Migrated 25,000+ zones in < 6 weeks

• Upfront investment in automation resulted in a smooth,

error-free migration

• Ability to self-serve on zones

• Greatly reduced risk of DDoS attacks taking down DNS

• Increased performance!

Our results – DNS performance (before)

Latency in ms.

Our results – DNS performance (after)

Latency in ms.

Our results – branded delegation sets

Next steps

• Enable full self-service at the individual record level

• Leverage Route 53 advanced traffic policies

• Leverage Route 53 health checks

• Cleanup “legacy” (invalid) records

Thank you!

Remember to complete

your evaluations!

Amazon Route 53 survey

Give us your feedback about Route 53’s features and

usability at http://amzn.to/Route53_200

Meet the Route 53 team and get Route 53 swag at the

Networking, Content Delivery, & Media Solutions booth.

http://amzn.to/Route53_200

Related Sessions

NET201 Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options

NET401 Another Day, Another Billion Packets

NET305 Extending Datacenters to the Cloud: Connectivity Options and Considerations for

Hybrid Environments

NET302 Global Traffic Management with Amazon Route 53 Traffic Flow

NET304 Moving Mountains: Netflix's Migration into VPC

NET402 Deep Dive: AWS Direct Connect and VPNs

NET403 Elastic Load Balancing Deep Dive and Best Practices

NET203 From EC2 to ECS: How Capital One uses Application Load Balancer Features to

Serve Traffic at Scale

NET303 NextGen Networking: New Capabilities for Amazon’s Virtual Private Cloud

AWS re:Invent 2016: DNS Demystified: Getting Started with Amazon Route 53, featuring Warner Bros. Entertainment (NET202)

Technology