1

I'm working for a startup and we're expanding into mainland China, hosting client data in a Chinese datacenter through a partner company in China. We have a website and backend API that mobile apps talk to.

Here's the thing:

Let's say we operate example.com, which is registered in the US. We use Route53 DNS to do geo-DNS, so that customers in China are automatically sent to an IP in the Chinese datacenter when asking for example.com. The Chinese IP resolves to a Chinese domain in reverse DNS.

Now our partner in China is telling us that we can't have example.com forward-DNS resolve to the IP in China. They say that a non-Chinese domain may not be served by an IP in mainland China. Is this true?

If so, what are workarounds?

I'm guessing it wouldn't be enough to just use a CNAME so that srv55.example.com -> srv55.example.cn, because the DNS request would still be for srv55.example.com. Is the only solution to modify our applications / mobile app so that if a phone is in China, it talks to example.cn, while outside China it talks to example.com?

CDO DevOps
  • 2
    If such a thing were true, it would be a matter of country-specific law, not a technical matter. What did your lawyer say about this? – Michael Hampton May 17 '18 at 14:37
  • 1
    Thanks for your comment! The technical question is how I can work around it. Agree that an internet lawyer could help regarding the first question. Thanks! – CDO DevOps May 18 '18 at 01:06
  • So here's what a very smart colleague of mine suggested: register a domain in China, but manage its DNS with Route 53 globally (for flexibility and performance). Set the mobile app to connect to the Chinese domain whose only record is a CNAME that points to the international .com domain. That domain is accessed via a load balancer and geo-DNS and can send traffic to the Chinese and non-Chinese data centers. – CDO DevOps May 19 '18 at 00:32

3 Answers

1

About a year ago I tried using a .com CNAME pointing to a CloudFront dist in CN. This worked for a few hours, and then just didn't. IIRC AWS CN now does an ICP check themselves, so they possibly preemptively disable it. This puts a thorn in

  1. Users inside China accessing www.example.com

https://aws.amazon.com/blogs/networking-and-content-delivery/optimizing-performance-for-users-in-china-with-amazon-route-53-and-amazon-cloudfront/

Also, cross-boundary DNS still happens here :( and since it does anyway, the suggestion above of managing the CN domain in global R53 and just using that (perhaps with geo-DNS) is interesting.

This may raise questions to users seeing a .cn used globally, though should resolve to global CF endpoints anyway. Alternatively, native application logic could solve this, more challenging for a web-app though.

ruZZ il
1

This answer above is technically correct; however, you need to understand the risks with this solution.

Public-facing websites in China require an ICP recordal, and to register a recordal, the domain needs to be registered via a local DNS registrar. Hence the requirement not to use your .com domain, which is likely registered with a non-Chinese DNS registrar.

By directing a non-ICP'ed domain to a Chinese IP address, you are risking the IP address getting blocked.

Ittai
0

Use your Route 53 account to route/URL rewrite the Chinese IP to the Chinese domain name?

srv55.example.com >> srv55.example.cn >> Chinese IP

Ref: Is there a way to redirect a domain to another domain using Amazon S3 and Amazon Route 53?

yagmoth555
  • Thanks for this suggestion. I'll have to see if it will work with the full-scale rest API that we're running. – CDO DevOps May 19 '18 at 00:29
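
An added example (not from any of the posts above): a pre-deployment check that walks each hostname's CNAME chain in a constructed record set and flags names whose requested domain has no ICP filing but whose final A record sits in a mainland range. The record set, the documentation-range IPs standing in for mainland addresses, the `ICP_FILED` list and all function names are assumptions; it follows the question's premise that the name the client asks for stays `.com` even when a CNAME points at `.cn`.

```python
import ipaddress

# Constructed sample data: documentation-range IPs stand in for real addresses.
CN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed mainland-China range
ICP_FILED = {"example.cn"}                          # assumed domains with an ICP filing
RECORDS = {                                         # constructed: name -> (type, value)
    "srv55.example.com": ("CNAME", "srv55.example.cn"),
    "srv55.example.cn": ("A", "203.0.113.10"),
    "www.example.com": ("A", "192.0.2.30"),
    "old.example.com": ("CNAME", "gone.example.cn"),  # dangling CNAME
}


def resolve(name, records, max_hops=8):
    """Follow CNAMEs from name; return (chain of names, final IP or None)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = records.get(chain[-1], (None, None))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME" or value in chain:  # dangling record or CNAME loop
            return chain, None
        chain.append(value)
    return chain, None


def registrable(name):
    """Naive registrable domain: last two labels (enough for example.com/.cn)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def audit(client_names, records=RECORDS):
    """Names the client requests (Host/SNI) that land on a CN IP without a filing."""
    findings = []
    for name in client_names:
        chain, ip = resolve(name, records)
        in_cn = ip is not None and any(ipaddress.ip_address(ip) in n for n in CN_NETS)
        if in_cn and registrable(name) not in ICP_FILED:
            findings.append((name, chain, ip))
    return findings


if __name__ == "__main__":
    for name, chain, ip in audit(list(RECORDS)):
        print(f"{name}: {' -> '.join(chain)} -> {ip} (requested domain has no ICP filing)")
```

With real data, `RECORDS` would come from a zone export and `CN_NETS` from the hosting partner's allocated ranges.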