Ref: https://learn.cantrill.io/courses/1820301/lectures/41301579 and https://learn.cantrill.io/courses/1820301/lectures/41301580
R53 Public Hosted Zone
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1200-ROUTE53/00_LEARNINGAIDS/PublicHostedZones-1.png
- 🔧 Zone file (i.e. the DNS database for the domain) hosted on four R53-managed name servers (NSs) that are publicly accessible
- Contains RRSETs of the zone
- Accessibility
- From the public internet - by walking the DNS tree
- Client first queries DNS root servers, then TLD servers, then our R53 servers
- NS records of the TLD point to our R53 servers
- R53 hosted zone is connected to global DNS
- From internal VPCs - by using R53 resolver
- ‼️ DNS resolution must be enabled in the VPC, and the VPC must be linked to the zone
- Direct access: each resource in the VPC can query the R53 resolver at the VPC+2 address from its subnet
- R53 can host external ZoneFiles
- Externally registered domains can point at a public R53 hosted zone
- Example:
- Register a domain via Namecheap, Hover, or GoDaddy
- Create a public hosted zone in R53, which allocates 4 NSs for the zone
- Via the Namecheap, Hover, or GoDaddy UI, set the domain's NS records to the 4 NSs hosted in R53
R53 Private Hosted Zone
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1200-ROUTE53/00_LEARNINGAIDS/PrivateHostedZones-1.png
- 🔧 Hosted Zone NOT accessible from the public Internet, only from associated VPCs
- Association of a VPC to the zone can be done via AWS Management Console UI, CLI, or API
- ❗ Association to a VPC in a different account is possible (only via CLI or API)
- Resources in associated VPCs can access the zone via the VPC+2 address (R53 resolver); the VPC must have DNS resolution enabled
- Non-associated VPCs can't access the zone
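The public-zone delegation steps above and the private-zone association (including the CLI-only cross-account case) as one added AWS CLI example. This is not from the course; the domain, VPC id, region and account values are placeholders, and the functions only call AWS when RUN_AWS=1 is set.

```shell
#!/bin/sh
# Added example (not from the course): AWS CLI steps for a public hosted zone
# (delegated from an external registrar) and a private hosted zone associated
# with a VPC, including the cross-account association the notes mention.
# Assumed placeholders: example.com, vpc-0abc123def456789a, us-east-1.
set -eu

# Unique CallerReference required by create-hosted-zone (prevents duplicate zones on retry).
caller_reference() {
  printf '%s-%s' "$1" "$(date +%s)"
}

# Build the --vpc argument and reject obviously malformed VPC ids.
vpc_arg() {
  case "$2" in
    vpc-*) printf 'VPCRegion=%s,VPCId=%s' "$1" "$2" ;;
    *) echo "bad vpc id: $2" >&2; return 1 ;;
  esac
}

# 1. Public hosted zone: R53 allocates 4 name servers; these go into the registrar's NS records.
create_public_zone() {
  domain="$1"
  aws route53 create-hosted-zone \
    --name "$domain" \
    --caller-reference "$(caller_reference "$domain")" \
    --query 'DelegationSet.NameServers' --output text
}

# 2. The VPC must have DNS support enabled or the VPC+2 resolver will not answer.
enable_vpc_dns() {
  aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-support '{"Value":true}'
  aws ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-hostnames '{"Value":true}'
}

# 3. Private hosted zone, associated with its first VPC at creation time.
create_private_zone() {
  domain="$1"; region="$2"; vpc="$3"
  aws route53 create-hosted-zone \
    --name "$domain" \
    --caller-reference "$(caller_reference "$domain")" \
    --hosted-zone-config "PrivateZone=true,Comment=private zone for $domain" \
    --vpc "$(vpc_arg "$region" "$vpc")" \
    --query 'HostedZone.Id' --output text
}

# 4. Cross-account association (CLI/API only, no console): the zone owner
#    authorises the foreign VPC, then the VPC owner performs the association.
authorize_foreign_vpc() {       # run with zone-owner credentials
  aws route53 create-vpc-association-authorization \
    --hosted-zone-id "$1" --vpc "$(vpc_arg "$2" "$3")"
}
associate_foreign_vpc() {       # run with VPC-owner credentials
  aws route53 associate-vpc-with-hosted-zone \
    --hosted-zone-id "$1" --vpc "$(vpc_arg "$2" "$3")"
  # Afterwards the zone owner may delete the authorisation; the association stays in place.
}

# Only talk to AWS when explicitly asked, so the functions can be sourced safely.
if [ "${RUN_AWS:-0}" = "1" ]; then
  create_public_zone example.com
  enable_vpc_dns vpc-0abc123def456789a
  ZONE_ID=$(create_private_zone example.com us-east-1 vpc-0abc123def456789a)
  echo "private zone: $ZONE_ID"
fi
```

The NS names printed by create_public_zone are what you paste into the registrar; until the registrar's NS records point at them, the TLD walk never reaches the R53 zone.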
R53 Split View or Split-Horizon DNS
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1200-ROUTE53/00_LEARNINGAIDS/SplitView.png
- Commonly used architecture: a private zone and a public zone share the same name and overlap in their records, but sensitive records exist only in the private zone
- Records that exist only in the private zone are inaccessible from the public internet
- Common scenario: offer a public website to externals and a private intranet to internals, both under the same DNS domain
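The split-view setup as an added AWS CLI example (not from the course): two zones named example.com, the overlapping www record in both, the intranet record only in the private one, and a check from each side. Domain, addresses and the RUN_AWS guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the course): populate a public and a private hosted zone
# that share the name example.com, so www resolves everywhere but intranet only
# resolves from associated VPCs. Assumed placeholders: example.com, 203.0.113.10, 10.0.5.20.
set -eu

# Change batch for change-resource-record-sets (UPSERT = create or overwrite).
change_batch() {   # change_batch NAME TYPE TTL VALUE
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"%s","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2" "$3" "$4"
}

# Two zones can carry the same name; select by Config.PrivateZone, never by name alone.
zone_id() {   # zone_id DOMAIN true|false
  aws route53 list-hosted-zones-by-name --dns-name "$1" \
    --query "HostedZones[?Name=='$1.' && Config.PrivateZone==\`$2\`].Id | [0]" \
    --output text
}

upsert() {   # upsert ZONE_ID NAME TYPE TTL VALUE
  aws route53 change-resource-record-sets --hosted-zone-id "$1" \
    --change-batch "$(change_batch "$2" "$3" "$4" "$5")"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  PUB=$(zone_id example.com false)
  PRIV=$(zone_id example.com true)
  # Overlapping record: present in both zones, otherwise internal clients (who only
  # see the private zone for this name) would lose the public website.
  upsert "$PUB"  www.example.com A 300 203.0.113.10
  upsert "$PRIV" www.example.com A 300 203.0.113.10
  # Sensitive record: private zone only, so it never appears in public DNS.
  upsert "$PRIV" intranet.example.com A 300 10.0.5.20
  # Check from an instance in an associated VPC: the R53 resolver (VPC+2, also
  # reachable as 169.254.169.253) answers both names ...
  dig +short www.example.com @169.254.169.253
  dig +short intranet.example.com @169.254.169.253
  # ... while the public R53 name servers answer www only and return nothing for intranet.
  dig +short intranet.example.com @"$(dig +short NS example.com | head -n1)"
fi
```

Because the private zone shadows the public one for every name under example.com inside associated VPCs, any public record that internal clients need must be duplicated into the private zone; forgetting this is the usual cause of "works from outside, fails from inside".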