
I'm using an AWS Elasticache server example.foo.euw1.cache.amazonaws.com which I want nginx to be able to use in a location directive (this is just a simplistic example):

location /cached {
  set $memcached_key $uri;
  memcached_pass  example.foo.euw1.cache.amazonaws.com:11211;
  try_files $uri =404;
}

Because Elasticache node IP addresses can change, I don't want to use the current IP address of example.foo.euw1.cache.amazonaws.com.

What resolver IP should I use to get AWS internal IP addresses (10.x) instead of the public facing versions (79.x)?

On the machine that nginx is running on, I can mimic this with these host calls:

$ host example.foo.euw1.cache.amazonaws.com
10.120.40.80
# ^^^ that's the correct internal address I want to use

$ host example.foo.euw1.cache.amazonaws.com 8.8.4.4
79.125.100.150
# ^^^ that's the public IP that I don't want to use

For instance, if I use the Google public DNS with the resolver, I'll get 79.x addresses and not the 10.x ones I want:

location /cached {
  resolver 8.8.4.4 ipv6=off valid=5m;
  set $memcached_key $uri;
  memcached_pass  example.foo.euw1.cache.amazonaws.com:11211;
  try_files $uri =404;
}

I can't use 127.0.0.1 as I'm not running my own DNS server.

dig +trace example.foo.euw1.cache.amazonaws.com

gives this trace:

dig +trace example.foo.euw1.cache.amazonaws.co

; <<>> DiG 9.3.4 <<>> +trace example.foo.euw1.cache.amazonaws.co
;; global options:  printcmd
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
;; Received 228 bytes from 172.16.0.23#53(172.16.0.23) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 503 bytes from 199.7.83.42#53(L.ROOT-SERVERS.NET) in 30 ms

amazonaws.com.          172800  IN      NS      u1.amazonaws.com.
amazonaws.com.          172800  IN      NS      u2.amazonaws.com.
amazonaws.com.          172800  IN      NS      r1.amazonaws.com.
amazonaws.com.          172800  IN      NS      r2.amazonaws.com.
;; Received 191 bytes from 192.5.6.30#53(a.gtld-servers.net) in 20 ms

euw1.cache.amazonaws.com. 300   IN      NS      ns-1439.awsdns-51.org.
euw1.cache.amazonaws.com. 300   IN      NS      ns-108.awsdns-13.com.
euw1.cache.amazonaws.com. 300   IN      NS      ns-738.awsdns-28.net.
euw1.cache.amazonaws.com. 300   IN      NS      ns-1905.awsdns-46.co.uk.
;; Received 196 bytes from 156.154.64.10#53(u1.amazonaws.com) in 12 ms

example.foo.euw1.cache.amazonaws.co. 15 IN CNAME ec2-79-125-28-100.eu-west-1.compute.amazonaws.com.
euw1.cache.amazonaws.com. 172800 IN     NS      ns-108.awsdns-13.com.
euw1.cache.amazonaws.com. 172800 IN     NS      ns-1439.awsdns-51.org.
euw1.cache.amazonaws.com. 172800 IN     NS      ns-1905.awsdns-46.co.uk.
euw1.cache.amazonaws.com. 172800 IN     NS      ns-738.awsdns-28.net.
;; Received 246 bytes from 205.251.197.159#53(ns-1439.awsdns-51.org) in 10 ms

Can I safely use one of the u1.amazonaws.com, u2.amazonaws.com, r1.amazonaws.com, r2.amazonaws.com servers?

Edit 1: doesn't look like I can, as trying to use those servers (and in fact any of the awsdns servers) with a host call either doesn't return addresses or returns 5(REFUSED).

Edit 2: ah, if I dig around in the DHCP-assigned data I can see the IP address I need to use:

$ grep domain-name-servers /var/lib/dhcp3/dhclient.*
/var/lib/dhcp3/dhclient.eth0.leases:  option domain-name-servers 172.16.0.23;

And then using that 172.16.0.23 address in a host call correctly returns the internal 10.x address.

This still feels a bit brittle because that DHCP-assigned name server could change...

jaygooby

1 Answer


In a VPC, use 169.254.169.253.

This is the same as using the CIDR base + 2 address that is assigned by DHCP, but more portable because it doesn't depend on the IP numbering of the VPC where the machine happens to be deployed. You can deploy the same configuration in any VPC in any AWS region and this address will always be a working internal DNS resolver.

If [enableDnsSupport] is true, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two will succeed.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html#vpc-dns-support

For instances in EC2-Classic, even though the DNS resolver is provided by DHCP, it never changes. It's always 172.16.0.23.

Amazon provides a DNS server that resolves Amazon-provided IPv4 DNS hostnames to IPv4 addresses. In EC2-Classic, the Amazon DNS server is located at 172.16.0.23.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#amazon-dns-server

Michael - sqlbot
  • Thanks, but I get a `connection timed out` error when I try to use that IP as the resolver. The machine I'm calling it from is using ClassicLink to connect to the VPC, so perhaps that's an issue? And I'm in eu-west-1 if that matters? – jaygooby Sep 26 '17 at 14:38
  • Ah, *if enableDnsSupport is true*. Let me go check that... – jaygooby Sep 26 '17 at 14:45
  • Yep, those are enabled, but it looks like ClassicLink might be the issue. Currently the VPC has `ClassicLink DNS Support = no`. I don't want to enable it right now: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html#classiclink-enable-dns-support but I will do and will let you know how I get on :) – jaygooby Sep 26 '17 at 14:53
  • @jaygooby sorry, I assumed you were in a VPC. Updated the answer with information relevant to EC2-Classic. You can safely use the address you're seeing, now. – Michael - sqlbot Sep 26 '17 at 17:26
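An added example, not from the question, the answer or AWS: it derives the "VPC CIDR base + 2" resolver address the answer describes from a VPC CIDR, and checks that an address a resolver hands back is an RFC 1918 (internal) one before it is trusted for `memcached_pass`, which is the failure the question shows with 8.8.4.4 returning 79.x. The CIDRs and addresses below are constructed sample values; `resolve_internal` assumes the `host` command is available, as in the question.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Amazon-provided resolver inside a VPC: the network base address plus two.
# Example (constructed CIDR): vpc_resolver 10.120.0.0/16 -> 10.120.0.2
vpc_resolver() {
  ip=${1%/*}
  prefix=${1#*/}
  n=$(ip_to_int "$ip")
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  int_to_ip $(( (n & mask) + 2 ))
}

# Return 0 if the address is in 10/8, 172.16/12 or 192.168/16, else 1.
# This is the check that the resolver answered with an internal address
# (10.x in the question) rather than the public one (79.x).
is_rfc1918() {
  n=$(ip_to_int "$1")
  [ $(( n >> 24 )) -eq 10 ] && return 0
  [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0
  [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0
  return 1
}

# Query one resolver the way the question does ("host NAME RESOLVER") and print
# the address only if it is internal; exit status 1 if it is public or missing.
# Needs network access, so it is not exercised offline.
resolve_internal() {
  addr=$(host -t A "$1" "$2" | awk '/has address/ { print $NF; exit }')
  [ -n "$addr" ] && is_rfc1918 "$addr" && echo "$addr"
}
```

On a VPC instance, `resolve_internal example.foo.euw1.cache.amazonaws.com 169.254.169.253` (or the output of `vpc_resolver` for the VPC's CIDR) should print a 10.x address, and the same call against 8.8.4.4 should print nothing.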