4

I've searched the internet for the answer, but I can't find it, and this is because DNS management is not exactly in my skillset. I want to use Amazon AWS Route53 to host a multi-tenant PHP application with a load balancer and EC2 instances. I currently have my domain example.com forwarded to Route53 and residing in a hosted zone. This part is working fine and the domain example.com is pointing to the correct instance. However, I want to create subdomains like

ns1.example.com and ns2.example.com

so that I can use them as name servers for other domains. Let's say I want to forward mydomain2.com to the load balancer by changing mydomain2.com's name servers to ns1.example.com and ns2.example.com. However, I'm not sure how I should add both subdomains ns1 and ns2 and point them to the LB in the Amazon Route53 GUI console.

I will be thankful for any assistance.

Michael - sqlbot
Kik Minev
  • Neither ns1 or ns2 are subdomains, they are just fully qualified domain names in the example.com zone. A name like ns1.kik.example.com would be an example of a subdomain. Honestly, if you are not versed in DNS management, I'd recommend doing a little reading, or maybe letting someone do it for you, as incorrectly configured DNS can cause huge headaches, downtime, and lost clients. – NickW Feb 05 '14 at 14:08
  • Possible duplicate of http://serverfault.com/questions/494694/dns-mask-for-route53-crazy-delegation-set ... this is not how Route 53, or DNS in general, works. – Michael - sqlbot Feb 05 '14 at 17:08
  • See AWS documentation on [Configuring White Label Name Servers](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/white-label-name-servers.html). – Rich C Apr 28 '15 at 16:11
  • `Neither ns1 or ns2 are subdomains, they are just fully qualified domain names in the example.com zone.` That is inaccurate on two counts. First, `ns1` is not, itself, an FQDN. `ns1.example.com.` would be an FQDN, but `ns1` alone is not. Second, `ns1.example.com` would be a subdomain of the `example.com` domain, in the same way that `example.com` is a subdomain of the `com` domain, and `com` is a subdomain of the root (`.`) domain. – Parthian Shot Apr 10 '17 at 20:21
  • that was from memory, but here are the wikipedia references to back it up: https://en.wikipedia.org/wiki/Subdomain https://en.wikipedia.org/wiki/Fully_qualified_domain_name – Parthian Shot Apr 10 '17 at 20:24
  • Constantly surprised how few people actually use the word `subdomain` correctly... – Parthian Shot Apr 10 '17 at 20:24

2 Answers

10

I have done this; please read my article before you actually do this:

http://neonos.net/white-labeled-dns-name-servers-on-amazon-route-53-with-delegation-sets/

The functionality has been programmed by Amazon in Nov 2014; however, it has not been implemented in the web-based console, and hopefully they will do this soon. There is also no documentation or any articles that I could find on this topic. But I was able to do this by using the AWS CLI client, as follows:

Create your delegation set using the CLI client:

aws route53 create-reusable-delegation-set --caller-reference MyDelegationSet

This will return something such as:

{
    "Location": "https://route53.amazonaws.com/2015-01-01/delegationset/xxx",
    "DelegationSet": {
        "NameServers": [
            "ns-xxx.awsdns-xx.com",
            "ns-xxx.awsdns-xx.co.uk",
            "ns-xxx.awsdns-xx.org",
            "ns-xxx.awsdns-xx.net"
        ],
        "CallerReference": "MyDelegationSet",
        "Id": "/delegationset/XXXXXXXXXX"
    }
}

Once you have created the reusable delegation set, you will need to create the hosted zone using the CLI client which will allow you to associate the new zone with the delegation set created above.

aws route53 create-hosted-zone --delegation-set-id /delegationset/XXXXXXXX --name mydomain.tld --caller-reference UNIQUEREFERENCEID

Using the list of name servers found in the output, ping each server to obtain the IP address. Use the IP addresses to create the glue records in the parent zone (using A records). I recommend shorter TTLs in case Amazon informs of IP changes to DNS zones. I called mine route531.mydomain.com, route532... etc.

Now update your domain nameservers at the registrar, then update your Route53 to include those nameservers as Authoritative nameservers as well.


More Info:

Amazon claims that this can be done to white label these nameservers without any further reference.

"This feature also makes it possible for you to create “white label” name server addresses such as ns1.example.com, ns2.example.com, etc., which you can point to your Route 53 name servers. You can then use your "white label" name server addresses as the authoritative name servers for as many of your domain names as desired." --SeanM@AWS

https://forums.aws.amazon.com/ann.jspa?annID=2733


The problem is that Amazon also says that they cannot guarantee that the IPs of the name servers will not change.

https://forums.aws.amazon.com/thread.jspa?messageID=474708

"We do promise that the DNS names of your Route 53 nameservers will not change, but we can't make the same guarantee about their IP addresses. If they were to change in the future, your DNS could silently break if you used them in this unsupported way." -- DavidR@AWS Jan 25, 2011

Before you freak out this might help you feel better:

Some registrars only allow you to specify name servers using IP addresses; they don't allow you to specify fully qualified domain names. If your registrar requires using IP addresses, you can get the IP addresses for your name servers using the dig utility (for Mac, Unix, or Linux) or the nslookup utility (for Windows). We rarely change the IP addresses of name servers; if we need to change IP addresses, we'll notify you in advance. http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html

Keep in mind that it is a bad idea to create CNAME records under your own domain for each of the name servers. Even though this would in theory solve the IP-change issue, it is a bad idea:

NS records pointing to a CNAME is bad and may conflict badly with current BIND servers. In fact, current BIND implementations will ignore such records, possibly leading to a lame delegation. There is a certain amount of security checking done in BIND to prevent spoofing DNS NS records. Also, older BIND servers reportedly will get caught in an infinite query loop trying to figure out the address for the aliased nameserver, causing a continuous stream of DNS requests to be sent. --RFC1912

http://www.faqs.org/rfcs/rfc1912.html

Rich C
Neo
  • Note that if the zone already exists on R53 you will need to delete and recreate it (see [Configuring White Label Name Servers](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/white-label-name-servers.html) step 2): _You must recreate the hosted zones for which you want to use white label name servers, and specify the reusable delegation set that you created in the previous step for each hosted zone._ – Rich C Apr 28 '15 at 16:10
  • Thank you for digging up the CNAME problem. Fell for it and couldn't find any reason why it would not work everywhere – jdog Mar 13 '17 at 07:28
  • I found this writeup much clearer than Amazon's documentation on the subject, even though it's older and precedes said documentation. Thanks! – ELLIOTTCABLE Apr 29 '17 at 02:17
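The answer above copies the IPs of the awsdns servers into glue A records and then warns, quoting AWS, that those IPs may change and silently break delegation. As an added example that is not part of the answer, here is a small drift check for exactly that failure mode: it re-resolves each awsdns name server and compares the result with what the white-label glue name currently publishes. The white-label names, awsdns host names and addresses below are constructed placeholders; substitute the ones returned by your own `create-reusable-delegation-set` call.

```python
"""Drift check for white-label Route 53 name servers (added example).

Assumes, as in the answer, that each white-label name (route531.example.com,
...) is an A record copied from the IPs of one awsdns server in the reusable
delegation set. Names and IPs below are constructed placeholders.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed: white-label glue name -> the awsdns server it must mirror.
WHITE_LABEL_MAP: Dict[str, str] = {
    "route531.example.com": "ns-123.awsdns-45.com",
    "route532.example.com": "ns-678.awsdns-90.net",
}

Resolver = Callable[[str], List[str]]


def resolve_ipv4(name: str) -> List[str]:
    """All IPv4 addresses for name via the system resolver ([] if it fails)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_drift(mapping: Dict[str, str],
                resolve: Resolver = resolve_ipv4) -> List[Tuple[str, str]]:
    """Return (white_label_name, problem) for every glue record that no
    longer matches the address set of the awsdns server it mirrors.
    An empty list means the delegation is still consistent."""
    findings: List[Tuple[str, str]] = []
    for label, aws_ns in mapping.items():
        want = set(resolve(aws_ns))   # what Route 53 currently answers
        have = set(resolve(label))    # what the glue A records publish
        if not want:
            findings.append((label, f"cannot resolve {aws_ns}"))
        elif not have:
            findings.append((label, "glue record missing"))
        elif have != want:
            findings.append((label, f"glue {sorted(have)} != route53 {sorted(want)}"))
    return findings


if __name__ == "__main__":
    # Run from cron and alert on any non-empty result.
    for label, problem in check_drift(WHITE_LABEL_MAP):
        print(f"DRIFT {label}: {problem}")
```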
4

Supposedly this is supported now

https://aws.amazon.com/blogs/aws/route-53-update-private-dns-more

Reusable Delegation Sets

When you use Route 53 to host DNS for a domain, it sets up four authoritative name servers collectively known as a delegation set. As part of today's release we are simplifying domain management by allowing you to use the same delegation set for any number of your domains. This is a somewhat advanced, API-only feature that can prove to be useful in a couple of different ways:

  • If you are moving a large group of domains from another provider to Route 53, you can provide them with a single list of four name servers and have them applied to all of the domains that you are moving.
  • You can create generic "white label" name servers such as ns1.example.com and ns2.example.com, use them in your delegation set, and point them to your actual Route 53 name servers.

John T Dyer