Best-Practice for Reverse DNS (on non-octet boundaries)


Target setup:

  • We have a /12 CIDR range assigned to AWS, e.g. 10.200.0.0/12
  • All other ranges from 10.0.0.0/8 belong to on-premise
  • That means we have an IP range for AWS on non-octet boundaries
  • We need to set up Reverse DNS and conditional forwarding, so that both AWS and On-Prem can do Reverse DNS lookups inside each location and cross location
  • I am not talking about Reverse DNS for Elastic IPs, but for all servers / resources in AWS (e.g. for Kerberos and others)
  • We followed guidance from this fantastic re:invent video: https://youtu.be/_Z5jAs2gvPA?t=1743

Issue:

  • The number of FORWARD Rules seems to be A LOT when using a /12 for AWS
  • OPTION A: Having a PHZ for 200.10.in-addr.arpa. works for the 10.200.0.0/16, BUT that would require me to set up 16 PHZ for reverse DNS + a FORWARD Rule for 10.in-addr.arpa. to On-Prem
  • OPTION B: Having a PHZ for 10.in-addr.arpa. works for whole AWS environment, BUT that would require me to set up 240 FORWARD rules to On-PREM
  • Any guidance on this? https://www.ietf.org/rfc/rfc2317.txt only applies to <256 addresses

Request:

  • Looking for any Best-Practice regarding FORWARD Rules / PHZ; the official AWS documentation I found is rather thin. Any hints for this setup / further reading / any guidance? Thanks a lot in advance!
Andre
asked 14 days ago, 297 views
1 Answer
Accepted Answer

You can still just create a rule for 10.0.0.0/8 and forward to on-prem. You only need the one rule for 10.in-addr.arpa, which will cover any PTR zone in the /8.

Your on-prem DNS servers will still correctly respond.

Would that be an issue for you?

answered 12 days ago
reviewed 9 days ago
  • Hi Gary, that would work for On-Prem servers. For Reverse DNS INSIDE AWS I would need 16 PHZ then, correct? 1) 200.10.in-addr.arpa., 2) 201.10.in-addr.arpa., 3) 202.10.in-addr.arpa. etc. That would be Option A of my description. Is this best practice? Then for each A record in AWS I would need to find the right PHZ to implement the PTR record.

  • I'm pretty sure a single rule would work. In Route 53 create a rule just for 10.in-addr.arpa and forward to on-prem.

  • You mean to say best practice would be Option A of my initial description? That means: 1 FORWARD Rule to On-Prem, AND 16 Private Hosted Zones to allow Reverse DNS inside AWS environment (10.200.0.0/12).

  • I'm saying 1 rule and 1 PHZ for 10.in-addr.arpa. You don't need to have a different PHZ for every subnet you're creating. You have all your PTR records in the one 10.in-addr.arpa as it's a CLASS A.

  • Hi Gary, you are describing OPTION B of my initial post then. Indeed this is the way we have implemented the setup right now. The challenge with OPTION B is that we need to have 240 * FORWARD rules due to our setup. Context: you can only delegate on octet borders. Having a /12 for our AWS environment means we need to implement a FORWARD rule for all /16 in the 10. range (=240* /16), except for our /12 (=16* /16). Thanks for sharing your view!
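Added worked example (not from the question, the answer, or AWS): it enumerates the octet-aligned in-addr.arpa zones each option needs, so the "16 PHZ" (Option A) and "240 FORWARD rules" (Option B) counts can be checked, and it finds which PHZ a given PTR record belongs in. Assumption: the thread's 10.200.0.0/12 is not aligned to a /12 boundary (a /12 starts at a multiple of 16 in the second octet), so the example uses 10.192.0.0/12 and treats a misaligned block as an error.

```python
import ipaddress

# in-addr.arpa delegations only happen on these prefix lengths (octet borders)
OCTET_PREFIXES = (8, 16, 24)


def reverse_zone_name(net):
    """Reverse zone for an octet-aligned IPv4 network, e.g. 10.200.0.0/16 -> 200.10.in-addr.arpa."""
    if net.prefixlen not in OCTET_PREFIXES:
        raise ValueError(f"{net} is not on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def octet_zones(cidr, prefixlen):
    """Split cidr into octet-aligned blocks and return their reverse zone names.

    Raises ValueError if cidr has host bits set (e.g. 10.200.0.0/12), because such a
    block cannot be described by one prefix and would silently be rounded otherwise.
    10.192.0.0/12 at prefixlen 16 gives the 16 PHZs of Option A.
    """
    net = ipaddress.ip_network(cidr)  # strict: rejects misaligned blocks
    if prefixlen not in OCTET_PREFIXES or prefixlen < net.prefixlen:
        raise ValueError("prefixlen must be an octet boundary no wider than the block")
    return [reverse_zone_name(sub) for sub in net.subnets(new_prefix=prefixlen)]


def forward_rules(parent_cidr, aws_cidr, prefixlen=16):
    """Option B: zones of parent_cidr (e.g. 10.0.0.0/8) that must still be forwarded
    on-prem when AWS keeps one PHZ for the parent zone but only owns aws_cidr."""
    aws_zones = set(octet_zones(aws_cidr, prefixlen))
    return [z for z in octet_zones(parent_cidr, prefixlen) if z not in aws_zones]


def ptr_record(ip, zones):
    """PTR owner name for ip and the most specific zone in `zones` that holds it (or None)."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."  # e.g. 2.1.200.10.in-addr.arpa.
    holder = next((z for z in sorted(zones, key=len, reverse=True)
                   if name.endswith("." + z)), None)
    return name, holder


if __name__ == "__main__":
    phzs = octet_zones("10.192.0.0/12", 16)          # Option A: 16 private hosted zones
    rules = forward_rules("10.0.0.0/8", "10.192.0.0/12")  # Option B: 240 forward rules
    print(len(phzs), "PHZs;", len(rules), "forward rules")
    print(ptr_record("10.200.1.2", phzs))
```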
