By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Route 53: Getting bombarded with redundant DNS queries for a deleted host

0

5 days into this billing cycle, and my Route 53 zone has received over 33 million requests for a particular host that I recently deleted. And the associated DNS record was deleted too. I didn't think I would get billed for a deleted host record, but indeed I am according to the billing dashboard. Some initial query logging suggests that there are clients making many redundant requests for this deleted hostname.

I will most likely add back a record that resolves to 127.0.0.1 with a multi-day TTL. That might make whatever code that's repeating the request to stop asking (as much). But excessive and redundant DNS queries has always been a costly problem that I never could get a handle on. I've dealt with the DDOS attacks on the host service for years, but I've never understood how to firewall Route 53 when these clients make redundant requests.

The ideal solution would be that Route 53 would simply ignore requests for the deleted host name (and not bill me for it).

What are my options?

Topics
Security, Identity, & ComplianceNetworking & Content DeliveryCloud Financial Management
Tags
AWS ShieldAmazon Route 53AWS BillingDDOS Protection
Language
English
jselbie
asked 23 days ago32 views
1 Answer
2

Adding dummy record with long TTL might be the easiest solution as you said. If the client don't follow TTL but keep bombing your domain, other option could be using ALIAS record. Aliases are resolved for free when certain conditions are met. If your queries are from the internet, you could use e.g. internal ELB you already have for some other purpose as alias target. Or if you don't have suitable target, create a dummy resource and block traffic with security group to avoid charges for processing requests.

https://aws.amazon.com/route53/pricing/

profile picture
Kallu
answered 23 days ago
  • jselbie 22 days ago

    The dummy record is in place and a peek in cost explorer suggests it might have reduced DNS traffic at least in half. I'll know at the end of the day how effective it was. Converting to an alias is a good idea. I have that ready to go. Thanks for the suggestion.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content