Should a non-public RDS instance have a publicly resolvable DNS name?

1

So, I spun up an RDS PostgreSQL database instance, and chose the 'Not Public' option. The instance was created with DNS name: pg-rds-db-instance-1.caqxluy95kpl.us-east-1.rds.amazonaws.com

Since this is not a public instance, I would expect that the DNS name is not publicly resolvable. However, this is not the case. I can do a DNS lookup using multiple public websites such as MXTOOLBOX or https://toolbox.googleapps.com/apps/dig/#A/, and the DNS name resolves to an IP in my private subnet (172.16.4.87). This seems odd to me.

Is this expected behavior?

AspiE
asked 2 years ago, 1689 views
1 Answer
2

Yes, this is the expected behavior. Or at least this is how most AWS resources handle resolving their name.

It seems like a security risk because a hacker seems to be able to find out information about the internal workings of your infrastructure, but that is not necessarily the case.

You have to realize that the returned IP address is from private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). These IP address ranges will not resolve to anything when used on the internet. Pinging or tunneling to them does not work.

So the only thing exposed is something of your internal infrastructure. But you have to realize that an abuser has to know the name of the resource before he can find out the internal IP address. So the only thing you have to do is keep the name a secret as you would do with other sensitive information.

JaccoPK
answered 2 years ago
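
A check for the behavior discussed above, added here as an example and not part of the original question or answer: it classifies the addresses a database endpoint name resolves to against the three private ranges the answer lists, so an endpoint that returns anything else stands out. The function names and every sample record except the hostname and IP quoted in the question are assumptions constructed for illustration.

```python
import ipaddress
import socket

# The three private ranges named in the answer above (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for IPv4 addresses inside the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(addresses):
    """Return 'unresolved', 'private-only', 'mixed' or 'routable'."""
    if not addresses:
        return "unresolved"
    private = [a for a in addresses if is_rfc1918(a)]
    if len(private) == len(addresses):
        return "private-only"
    # Anything outside the three ranges (IPv6 included) is reported for review.
    return "mixed" if private else "routable"


def resolve(hostname):
    """Live lookup through the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(records):
    """records: {hostname: [addresses]} -> {hostname: verdict}."""
    return {host: classify(addrs) for host, addrs in records.items()}


# Constructed sample answers. The first pair is the one quoted in the question;
# the rest are made up (203.0.113.0/24 is a documentation-only range).
SAMPLE = {
    "pg-rds-db-instance-1.caqxluy95kpl.us-east-1.rds.amazonaws.com": ["172.16.4.87"],
    "public-db.example.com": ["203.0.113.10"],
    "split-db.example.com": ["10.0.3.12", "203.0.113.11"],
    "gone-db.example.com": [],
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{verdict:13} {host}")
```

For a live check, pass `{name: resolve(name)}` to `audit` for each endpoint you own; a verdict other than `private-only` on an instance meant to be non-public is worth investigating.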
