Route53 to replace MS AD DNS


A customer is running their Active Directory DC on EC2 with DNS services on the same domain controller. They are now assessing migrating the DNS service from the DC EC2 instance to Route 53 and are asking whether any features will be missing (like Kerberos, SRV, etc.). I am looking for any previous experience in moving AD DNS to Route 53 and whether we have any assessment/comparison.

asked 4 years ago · 350 views
1 Answer
Accepted Answer

Route 53 does support SRV records. A full list is here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html

Route 53 Resolver and Route 53 Private DNS are purely DNS services. These services do not implement higher-level Active Directory functions like Kerberos. That said, Kerberos is known to be quite sensitive to DNS entries being set up in a certain way (e.g. the reverse lookup matching the forward name), and AD does that transparently. In principle, you should be able to create the correct view of DNS in Route 53, but that may take some effort.

One way forward is to use Route 53 Resolver (i.e. the VPC's .2 address) on all instances for DNS resolution. Then create an outbound endpoint in the VPC where the AD servers are and create forwarding rules to forward only those namespaces which the AD servers directly manage (both forward and reverse, probably) to the IPs of the AD servers. The result should be that all queries for instance names, Private Hosted Zones, PrivateLink endpoints, AWS APIs and public names are served directly by Route 53 Resolver. The AD servers will receive queries only for the names they directly manage. The customer does not have to replicate AD's DNS management in Route 53 Private DNS.

Advantages of this approach are that the Route 53 Resolver should be more highly available and scalable compared to the DNS service provided by the AD servers (which are individual instances). In the worst case, if the AD server instances were to fail, most DNS would continue to work, except for those namespaces which forward to the AD servers.

EXPERT
gavinmc
answered 4 years ago
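The forwarding-rule layout described in the accepted answer, as an added example (this is not the answerer's code or an AWS-provided script). It takes the namespaces the domain controllers manage, the AD forward zone plus the in-addr.arpa zone covering each AD subnet, and emits one `aws route53resolver create-resolver-rule` per namespace, pointing at the DC IPs through the outbound endpoint; everything not matched by a rule stays with the VPC .2 resolver. The domain, DC IPs, subnets, endpoint ID and VPC ID are constructed placeholders. It assumes the outbound endpoint already exists and that its security group allows UDP and TCP 53 to the DC IPs.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds Route 53 Resolver
# forwarding rules for the namespaces the AD DCs manage (forward zone and
# reverse zones), so only those queries leave the VPC resolver for the DCs.
# All identifiers below are constructed placeholders.
set -eu

AD_DOMAIN="corp.example.com"                 # assumed AD DNS domain
DC_IPS="10.0.1.10 10.0.2.10"                 # assumed domain controller IPs
AD_SUBNETS="10.0.0.0/16 172.16.8.0/24"       # assumed subnets with AD members
OUTBOUND_ENDPOINT_ID="${OUTBOUND_ENDPOINT_ID:-rslvr-out-PLACEHOLDER}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands only

# reverse_zone CIDR -> the coarsest octet-aligned in-addr.arpa zone that
# contains the prefix (/8, /16 or /24). A /25 or narrower still maps to the
# /24 zone, which is how a Windows DC normally holds its reverse zone.
reverse_zone() {
  ip=${1%/*}; prefix=${1#*/}
  o1=${ip%%.*}; rest=${ip#*.}
  o2=${rest%%.*}; rest=${rest#*.}
  o3=${rest%%.*}
  if [ "$prefix" -ge 24 ]; then echo "$o3.$o2.$o1.in-addr.arpa"
  elif [ "$prefix" -ge 16 ]; then echo "$o2.$o1.in-addr.arpa"
  else echo "$o1.in-addr.arpa"
  fi
}

# Every namespace that should be forwarded to the DCs, deduplicated.
rule_domains() {
  { echo "$AD_DOMAIN"
    for s in $AD_SUBNETS; do reverse_zone "$s"; done
  } | sort -u
}

# --target-ips shorthand: one Ip=...,Port=53 entry per DC.
target_ips() {
  out=""
  for ip in $DC_IPS; do out="$out Ip=$ip,Port=53"; done
  echo "${out# }"
}

# One FORWARD rule per namespace; outside dry run the rule is also
# associated with the VPC so the .2 resolver starts applying it.
create_rules() {
  rule_domains | while read -r d; do
    name="ad-fwd-$(echo "$d" | tr . -)"     # rule names may not contain dots
    set -- route53resolver create-resolver-rule \
      --creator-request-id "$name" --name "$name" \
      --rule-type FORWARD --domain-name "$d" \
      --resolver-endpoint-id "$OUTBOUND_ENDPOINT_ID" \
      --target-ips $(target_ips)
    if [ "$DRY_RUN" = 1 ]; then
      echo "aws $*"
    else
      rule_id=$(aws "$@" --query 'ResolverRule.Id' --output text)
      aws route53resolver associate-resolver-rule \
        --resolver-rule-id "$rule_id" --vpc-id "$VPC_ID"
    fi
  done
}

create_rules
```

Run it as-is to review the generated commands; set `DRY_RUN=0` with real endpoint and VPC IDs to apply them. Resolver picks the most specific matching rule, so forwarding `10.in-addr.arpa` for a /12 sends every 10.x.x.x reverse lookup to the DCs; keep the AD subnets tight or split them into /16 and /24 zones so unrelated PTR queries stay with the VPC resolver.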
