Amazon EC2 serves Split DNS

Sun 07 May 2017

The very long DNS names AWS gives you for static (Elastic) IPs resolve to public IPs for requests from outside AWS and to internal IPs for requests from inside the VPC.

How we got here

Way back when I first set up machines in AWS, I put the external IPs they gave us into our DNS as A records. For the machines that needed to talk to each other, I added their internal IPs to the security group. For some reason, this worked.

One day, it broke. I don't know what happened, but the machines just stopped talking to each other. I fixed this by replacing the internal IPs in the security group with the external IPs.

Eventually, we hit the limit of entries in a security group. Ugh.

Split DNS

Split DNS is a feature of DNS servers that allows them to return one set of records for some requests and a different set of records for others. The most common use is serving private IPs for a web service to users inside the corporate firewall and public IPs to everyone else.

An example

Here's what an assigned IP looks like in my account:

[image: elastic IP assigned to an instance]

You can see the public IP 34.209.170.225 has the DNS name ec2-34-209-170-225.us-west-2.compute.amazonaws.com and is assigned to the private IP 172.31.37.27.

From my house, I resolve the external IP:

[image: nslookup resolving external IP]

From inside the VPC (actually, from the box this IP is assigned to), it instead resolves to the local IP:

[image: nslookup resolving internal IP]

Taking advantage of Split DNS

Thanks, now what?

If you're always using the external IP, you're sending traffic out through your virtual router and back in (sometimes called hairpinning). Using the internal IP keeps that traffic on the internal network.

You can use those very long DNS names everywhere, but they are no fun to type. Instead, we now add our own names as CNAME records pointing at those DNS names.

This gives you both (probably shorter) friendly names and proper DNS resolution.
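As an added example (not code from the original post), this Python snippet works with the EC2 public name format shown above: it builds and parses those names, flags answers that would hairpin through the virtual router, and rewrites A records that point at your Elastic IPs into the CNAMEs described. The zone records, the Elastic IP list and the example.com owner names are constructed for illustration.

```python
import ipaddress
import re

# EC2 public names embed the public IPv4 and region: ec2-34-209-170-225.us-west-2.compute.amazonaws.com
EC2_NAME_RE = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\."
    r"([a-z]{2}(?:-[a-z]+)+-\d+)\.compute\.amazonaws\.com\.?$"
)

def ec2_public_name(ip, region):
    """Build the EC2 public DNS name for a public IPv4 address in a region."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private:
        raise ValueError(f"{ip} is private; EC2 public names embed the public IP")
    return f"ec2-{str(addr).replace('.', '-')}.{region}.compute.amazonaws.com"

def parse_ec2_public_name(name):
    """Return (public_ip, region) for an EC2 public DNS name, else None."""
    m = EC2_NAME_RE.match(name.strip().lower())
    if not m:
        return None
    ip = ".".join(m.group(i) for i in range(1, 5))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ipaddress.AddressValueError:
        return None
    return ip, m.group(5)

def hairpins(client_in_vpc, answer_ip):
    """True when an in-VPC client got a public answer and will route out and back in."""
    return client_in_vpc and not ipaddress.ip_address(answer_ip).is_private

def rewrite_zone(records, elastic_ips, region):
    """Turn A records pointing at our Elastic IPs into CNAMEs to the EC2 public name,
    so clients inside the VPC resolve the private address. records: (owner, type, rdata)."""
    out = []
    for owner, rtype, rdata in records:
        if rtype == "A" and rdata in elastic_ips:
            out.append((owner, "CNAME", ec2_public_name(rdata, region) + "."))
        else:
            out.append((owner, rtype, rdata))  # anything else passes through unchanged
    return out

# Constructed sample zone: the first IP is the post's Elastic IP, the rest are filler.
SAMPLE_RECORDS = [
    ("web.example.com.", "A", "34.209.170.225"),
    ("db.example.com.", "A", "172.31.37.27"),
    ("mail.example.com.", "A", "198.51.100.7"),
]
```

Running `rewrite_zone(SAMPLE_RECORDS, {"34.209.170.225"}, "us-west-2")` turns only the web record into a CNAME; the other two records are returned as they were.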