Amazon Route 53 China: White-Label NS (Name Servers)
In China, the DNS hosting providers we commonly use include DNSPod and Alibaba Cloud (HiChina). Take the following example:
$ dig qidian.com NS
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> qidian.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3496
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;qidian.com. IN NS
;; ANSWER SECTION:
qidian.com. 86400 IN NS ns4.dnsv4.com.
qidian.com. 86400 IN NS ns3.dnsv4.com.
;; Query time: 226 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Aug 01 19:03:39 CST 2021
;; MSG SIZE rcvd: 81
As you can see, to resolve a subdomain of qidian.com you can go straight to the ns*.dnsv4.com servers. A little digging shows that these authoritative servers are operated by DNSPod.
We also frequently see the following pattern in the DNS of large Internet companies:
$ dig qq.com NS
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> qq.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 425
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;qq.com. IN NS
;; ANSWER SECTION:
qq.com. 47533 IN NS ns3.qq.com.
qq.com. 47533 IN NS ns4.qq.com.
qq.com. 47533 IN NS ns1.qq.com.
qq.com. 47533 IN NS ns2.qq.com.
;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Aug 01 19:13:00 CST 2021
;; MSG SIZE rcvd: 107
Resolving qq.com requires asking ns1.qq.com, yet ns1.qq.com is itself a subdomain of qq.com, which looks like a circular dependency. It is not actually circular: the parent zone (.com) hands out the addresses of ns1-4.qq.com as glue records alongside the referral, so a resolver never has to ask qq.com for them.
This is the subject of this article: NS records whose names fall inside the very zone they serve. Such name servers are usually called white-label NS, or vanity NS.
What is the benefit? It looks more professional :) It also keeps the hosting provider's hostnames out of your delegation.
Domestic DNS hosting providers generally do not offer this, so below we record how to create a hosted zone in Route 53 China (offered by Amazon Web Services China) and set up white-label NS on it.
1) You need a domain. For example, I bought sean-aws.xyz at NameSilo; its NS are the defaults shown below, where ns*.dnsowl.com are NameSilo's own name servers:
$ dig sean-aws.xyz NS
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> sean-aws.xyz NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35777
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;sean-aws.xyz. IN NS
;; ANSWER SECTION:
sean-aws.xyz. 86400 IN NS ns3.dnsowl.com.
sean-aws.xyz. 86400 IN NS ns1.dnsowl.com.
sean-aws.xyz. 86400 IN NS ns2.dnsowl.com.
;; Query time: 387 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Aug 01 20:46:35 CST 2021
;; MSG SIZE rcvd: 105
2) Create a reusable delegation set with the following command. As the name suggests, it can be shared by multiple hosted zones, so every zone you create with it gets the same set of name servers. The --caller-reference is simply a unique string that makes the request idempotent.
$ aws route53 create-reusable-delegation-set --caller-reference demo
{
"Location": "https://route53.amazonaws.com.cn/2013-04-01/delegationset/N0275007Y61U5W4UH13A",
"DelegationSet": {
"Id": "/delegationset/N0275007Y61U5W4UH13A",
"CallerReference": "demo",
"NameServers": [
"ns-1747.awsdns-cn-45.net",
"ns-3578.awsdns-cn-31.cn",
"ns-intl-3578.awsdns-cn-31.cn",
"ns-1009.awsdns-cn-63.com",
"ns-2315.awsdns-cn-16.biz",
"ns-intl-1009.awsdns-cn-63.com"
]
}
}
3) Take the DelegationSet Id from above and create the hosted zone for sean-aws.xyz with the following command. The response shows the reusable delegation set attached directly to the new hosted zone.
$ aws route53 create-hosted-zone --name sean-aws.xyz --caller-reference demo --delegation-set-id N0275007Y61U5W4UH13A
{
"Location": "https://route53.amazonaws.com.cn/2013-04-01/hostedzone/Z03262292RQU5PFGGMFYG",
"HostedZone": {
"Id": "/hostedzone/Z03262292RQU5PFGGMFYG",
"Name": "sean-aws.xyz.",
"CallerReference": "demo",
"Config": {
"PrivateZone": false
},
"ResourceRecordSetCount": 2
},
"ChangeInfo": {
"Id": "/change/C02191583TQILEZY84OCK",
"Status": "PENDING",
"SubmittedAt": "2021-08-01T11:57:11.006000+00:00"
},
"DelegationSet": {
"Id": "/delegationset/N0275007Y61U5W4UH13A",
"CallerReference": "demo",
"NameServers": [
"ns-1747.awsdns-cn-45.net",
"ns-3578.awsdns-cn-31.cn",
"ns-intl-3578.awsdns-cn-31.cn",
"ns-1009.awsdns-cn-63.com",
"ns-2315.awsdns-cn-16.biz",
"ns-intl-1009.awsdns-cn-63.com"
]
}
}
4) Look up the IP address of each name server, e.g.:
$ dig ns-1747.awsdns-cn-45.net +short
52.82.182.211
Repeating this for each name server gives the following table:
NS | IP |
---|---|
ns-1747.awsdns-cn-45.net | 52.82.182.211 |
ns-3578.awsdns-cn-31.cn | 54.222.37.250 |
ns-intl-3578.awsdns-cn-31.cn | 52.46.181.250 |
ns-1009.awsdns-cn-63.com | 52.82.179.241 |
ns-2315.awsdns-cn-16.biz | 54.222.33.11 |
ns-intl-1009.awsdns-cn-63.com | 52.46.187.241 |
Note that Route 53 China differs from Route 53 Global: Global uses Anycast and every name server has an IPv6 address, whereas Route 53 China has no Anycast and its name servers offer no IPv6. Judging by the address ranges, the six IPs Route 53 China hands out split into two in the Beijing region, two in the Ningxia region and two in AWS Global (the ns-intl-* names). Because the next steps hard-code these addresses into your own A records and into glue at the registrar, re-resolve the awsdns-cn names from time to time and update both places if any address changes.
5) Using the IPs obtained in step 4, create the following records in the hosted zone. Assuming the target users are mainly in China, we use Beijing for ns1, Ningxia for ns2 and the international pair for ns3 (the numbering is cosmetic: resolvers choose among the NS by their own measurements, not by name, though ns1 will also serve as the SOA MNAME):
A record | IP addresses |
---|---|
ns1.sean-aws.xyz | 54.222.37.250 54.222.33.11 |
ns2.sean-aws.xyz | 52.82.182.211 52.82.179.241 |
ns3.sean-aws.xyz | 52.46.181.250 52.46.187.241 |
For the A records we use 172800 seconds (2 days), the typical TTL for NS records. This gives the following JSON, saved as ns-records.json:
{
"Comment": "add ns records",
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "ns1.sean-aws.xyz",
"Type": "A",
"TTL": 172800,
"ResourceRecords": [
{
"Value": "54.222.37.250"
},
{
"Value": "54.222.33.11"
}
]
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "ns2.sean-aws.xyz",
"Type": "A",
"TTL": 172800,
"ResourceRecords": [
{
"Value": "52.82.182.211"
},
{
"Value": "52.82.179.241"
}
]
}
},
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "ns3.sean-aws.xyz",
"Type": "A",
"TTL": 172800,
"ResourceRecords": [
{
"Value": "52.46.181.250"
},
{
"Value": "52.46.187.241"
}
]
}
}
]
}
Then add these records:
$ aws route53 change-resource-record-sets --hosted-zone-id Z03262292RQU5PFGGMFYG --change-batch file://ns-records.json
{
"ChangeInfo": {
"Id": "/change/C021041031NI8B2MHPTA6",
"Status": "PENDING",
"SubmittedAt": "2021-08-01T13:15:08.099000+00:00",
"Comment": "add ns records"
}
}
The status is PENDING. Using the change Id we can confirm whether the change has propagated to all Route 53 servers:
$ aws route53 get-change --id /change/C021041031NI8B2MHPTA6
{
"ChangeInfo": {
"Id": "/change/C021041031NI8B2MHPTA6",
"Status": "INSYNC",
"SubmittedAt": "2021-08-01T13:15:08.099000+00:00",
"Comment": "add ns records"
}
}
The status has become INSYNC.
6) Update the SOA and NS records
First, look at the current SOA and NS records:
$ aws route53 list-resource-record-sets --hosted-zone-id Z03262292RQU5PFGGMFYG
{
"ResourceRecordSets": [
{
"Name": "sean-aws.xyz.",
"Type": "NS",
"TTL": 172800,
"ResourceRecords": [
{
"Value": "ns-1747.awsdns-cn-45.net."
},
{
"Value": "ns-3578.awsdns-cn-31.cn."
},
{
"Value": "ns-intl-3578.awsdns-cn-31.cn."
},
{
"Value": "ns-1009.awsdns-cn-63.com."
},
{
"Value": "ns-2315.awsdns-cn-16.biz."
},
{
"Value": "ns-intl-1009.awsdns-cn-63.com."
}
]
},
{
"Name": "sean-aws.xyz.",
"Type": "SOA",
"TTL": 900,
"ResourceRecords": [
{
"Value": "ns-1747.awsdns-cn-45.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
}
]
}
]
}
Now we can replace the NS records with the three name servers we created, and replace the first field of the SOA (the MNAME, i.e. the primary server) with the first of them. Only that field changes; the contact address, serial and timers stay as Route 53 created them. Build the following JSON and name it ns-n-soa.json:
{
"Comment": "update NS and SOA records",
"Changes": [
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "sean-aws.xyz.",
"Type": "NS",
"TTL": 172800,
"ResourceRecords": [
{
"Value": "ns1.sean-aws.xyz."
},
{
"Value": "ns2.sean-aws.xyz."
},
{
"Value": "ns3.sean-aws.xyz."
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "sean-aws.xyz.",
"Type": "SOA",
"TTL": 900,
"ResourceRecords": [
{
"Value": "ns1.sean-aws.xyz. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"
}
]
}
}
]
}
Then apply this JSON:
$ aws route53 change-resource-record-sets --hosted-zone-id Z03262292RQU5PFGGMFYG --change-batch file://ns-n-soa.json
{
"ChangeInfo": {
"Id": "/change/C08509841RLAAP1ULRO0N",
"Status": "PENDING",
"SubmittedAt": "2021-08-01T13:26:18.509000+00:00",
"Comment": "update NS and SOA records"
}
}
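Steps 4 to 6 are mechanical, so here is an added example (not code from the original post) that derives the two change batches from the delegation set. The name server names, their IPs and the original SOA are copied from the page; in real use you would re-resolve the IPs. The grouping rule is this page's choice written down as an assumption (Beijing addresses behind ns1, Ningxia behind ns2, everything else behind ns3), and the helper names (group_for, white_label_map, rrset, a_record_batch, ns_soa_batch) are hypothetical:

```python
"""Added example (not from the original post): build the Route 53 change
batches for white-label NS from a reusable delegation set.

Names, IPs and the original SOA are copied from the page; in practice the IPs
would be re-resolved. The grouping rule is the page's choice, encoded as an
assumption: Beijing addresses -> ns1, Ningxia -> ns2, anything else -> ns3.
"""
import ipaddress
import json

ZONE = "sean-aws.xyz"
NS_TTL = 172800  # 2 days, the usual TTL for NS records and their A records

# `aws route53 create-reusable-delegation-set` names -> `dig +short` results
RESOLVED = {
    "ns-1747.awsdns-cn-45.net": "52.82.182.211",
    "ns-3578.awsdns-cn-31.cn": "54.222.37.250",
    "ns-intl-3578.awsdns-cn-31.cn": "52.46.181.250",
    "ns-1009.awsdns-cn-63.com": "52.82.179.241",
    "ns-2315.awsdns-cn-16.biz": "54.222.33.11",
    "ns-intl-1009.awsdns-cn-63.com": "52.46.187.241",
}
# SOA rdata exactly as `list-resource-record-sets` returned it
ORIGINAL_SOA = ("ns-1747.awsdns-cn-45.net. awsdns-hostmaster.amazon.com. "
                "1 7200 900 1209600 86400")
# Assumed region prefixes; anything outside them is the international pair
GROUPS = [("ns1", ipaddress.ip_network("54.222.0.0/16")),   # Beijing
          ("ns2", ipaddress.ip_network("52.82.0.0/16"))]    # Ningxia
FALLBACK = "ns3"


def group_for(ip):
    """White-label label for one provider address."""
    addr = ipaddress.ip_address(ip)
    return next((label for label, net in GROUPS if addr in net), FALLBACK)


def white_label_map(resolved):
    """{label: sorted IPs}; every delegation-set IP must land exactly once."""
    groups = {}
    for name, ip in resolved.items():
        groups.setdefault(group_for(ip), []).append(ip)
    placed = [ip for ips in groups.values() for ip in ips]
    if len(placed) != len(set(placed)):
        raise ValueError("two delegation-set names resolve to the same IP")
    return {label: sorted(ips) for label, ips in sorted(groups.items())}


def rrset(name, rtype, ttl, values):
    """One ResourceRecordSet in change-batch form."""
    return {"Name": name, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}


def a_record_batch(zone, mapping, ttl=NS_TTL):
    """Step 5: one multi-value A record per white-label NS (CREATE)."""
    return {"Comment": "add ns records",
            "Changes": [{"Action": "CREATE",
                         "ResourceRecordSet": rrset(f"{label}.{zone}", "A", ttl, ips)}
                        for label, ips in mapping.items()]}


def ns_soa_batch(zone, labels, original_soa, ttl=NS_TTL):
    """Step 6: UPSERT the apex NS set and swap only the SOA MNAME.

    RNAME, serial and timers stay exactly as Route 53 created them.
    """
    ns_names = [f"{label}.{zone}." for label in labels]
    soa = original_soa.split()
    soa[0] = ns_names[0]
    return {"Comment": "update NS and SOA records",
            "Changes": [
                {"Action": "UPSERT",
                 "ResourceRecordSet": rrset(f"{zone}.", "NS", ttl, ns_names)},
                {"Action": "UPSERT",
                 "ResourceRecordSet": rrset(f"{zone}.", "SOA", 900, [" ".join(soa)])},
            ]}


if __name__ == "__main__":
    mapping = white_label_map(RESOLVED)
    with open("ns-records.json", "w") as f:
        json.dump(a_record_batch(ZONE, mapping), f, indent=2)
    with open("ns-n-soa.json", "w") as f:
        json.dump(ns_soa_batch(ZONE, list(mapping), ORIGINAL_SOA), f, indent=2)
    print(json.dumps(mapping, indent=2))
```

Running it writes ns-records.json and ns-n-soa.json with the same content as the hand-written files above, ready for `aws route53 change-resource-record-sets --change-batch file://...`. The duplicate check matters more than it looks: if two provider names ever resolved to one address, a white-label NS would silently lose a server.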
7) With the steps above, the Route 53 side is done. The NS must now be configured on the domain itself, which is normally done at the registrar. For ordinary NS (like Qidian's, which live under a domain other than the one they serve), you simply update the NS records at the registrar. For white-label NS you must additionally bind each NS name to its IPs at the registrar, i.e. register glue records. Without them, a resolver referred to ns1.sean-aws.xyz would have to ask sean-aws.xyz for ns1's address, the circular dependency from the qq.com example, and the delegation would be lame. The glue IPs must match the A records created in step 5.
For NameSilo, first register the host objects: under View/Manage Registered NameServers, add ns1, ns2 and ns3.sean-aws.xyz with the IPs from step 5.
Then change the domain's name servers to those three. NS changes made at the registry take longer to propagate than record changes within the zone.
After waiting a while, we can verify with dig:
$ dig sean-aws.xyz NS @8.8.8.8 +tcp
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> sean-aws.xyz NS @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55451
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sean-aws.xyz. IN NS
;; ANSWER SECTION:
sean-aws.xyz. 21599 IN NS ns1.sean-aws.xyz.
sean-aws.xyz. 21599 IN NS ns2.sean-aws.xyz.
sean-aws.xyz. 21599 IN NS ns3.sean-aws.xyz.
;; Query time: 148 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 01 21:51:47 CST 2021
;; MSG SIZE rcvd: 95
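The dig above only shows the NS set; the things that actually break white-label delegations are a mismatch between the registrar's NS and the zone's apex NS, an in-zone NS without glue, glue that drifts away from the zone's A records, or the provider moving an address. The following added example (not part of the original post) checks all four plus the SOA MNAME. It models what the page's queries return: the parent-side data would come from querying a .xyz TLD server for sean-aws.xyz (the referral's NS set and the glue in its additional section), the child-side data from querying one of the white-label servers directly, and PROVIDER_IPS from re-resolving the awsdns-cn names. All values are copied from the page or constructed (the changed Ningxia address is made up) so that it runs offline; the function and variable names are hypothetical. It also makes the qq.com point concrete: an in-zone NS is reachable only because the parent supplies glue.

```python
"""Added example (not from the original post): consistency check for a
white-label delegation. Inputs model dig results; values are copied from
the page or constructed so the check runs offline.
"""

ZONE = "sean-aws.xyz."


def canon(name):
    """Lower-case a DNS name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name, zone):
    """True if name is at or below zone; such an NS needs glue in the parent."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(zone, parent_ns, parent_glue, child_ns, child_a,
                     soa_mname, provider_ips):
    """Return a list of problems; empty means the delegation is consistent.

    parent_ns / child_ns: NS names seen at the parent (registrar) and in the zone
    parent_glue / child_a: {ns_name: set of IPs} from the referral and the zone
    provider_ips: addresses the provider's delegation-set names resolve to now
    """
    problems = []
    pns = {canon(n) for n in parent_ns}
    cns = {canon(n) for n in child_ns}
    if pns != cns:
        problems.append(f"NS set differs: parent={sorted(pns)} child={sorted(cns)}")
    glue = {canon(k): set(v) for k, v in parent_glue.items()}
    a = {canon(k): set(v) for k, v in child_a.items()}
    for ns in sorted(pns | cns):
        if not in_bailiwick(ns, zone):
            continue  # out-of-zone NS (e.g. ns3.dnsv4.com.) needs no glue here
        if ns not in glue:
            problems.append(f"{ns}: in-zone NS without glue at the registrar")
            continue
        if glue[ns] != a.get(ns, set()):
            problems.append(f"{ns}: glue {sorted(glue[ns])} != zone A records "
                            f"{sorted(a.get(ns, set()))}")
        stale = glue[ns] - set(provider_ips)
        if stale:
            problems.append(f"{ns}: glue IPs no longer served by the provider: "
                            f"{sorted(stale)}")
    if canon(soa_mname) not in cns:
        problems.append(f"SOA MNAME {canon(soa_mname)} is not one of the zone's NS")
    return problems


# State after step 7 of the page (registrar data without trailing dots, zone
# data with them, to show the normalisation at work).
PARENT_NS = ["ns1.sean-aws.xyz", "ns2.sean-aws.xyz", "ns3.sean-aws.xyz"]
PARENT_GLUE = {
    "ns1.sean-aws.xyz": {"54.222.37.250", "54.222.33.11"},
    "ns2.sean-aws.xyz": {"52.82.182.211", "52.82.179.241"},
    "ns3.sean-aws.xyz": {"52.46.181.250", "52.46.187.241"},
}
CHILD_NS = ["ns1.sean-aws.xyz.", "ns2.sean-aws.xyz.", "ns3.sean-aws.xyz."]
CHILD_A = {k + ".": v for k, v in PARENT_GLUE.items()}
SOA_MNAME = "ns1.sean-aws.xyz."
PROVIDER_IPS = {"52.82.182.211", "54.222.37.250", "52.46.181.250",
                "52.82.179.241", "54.222.33.11", "52.46.187.241"}


def healthy():
    return check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_A,
                            SOA_MNAME, PROVIDER_IPS)


def missing_glue():
    """Constructed failure: NS changed at the registrar, glue for ns3 never added."""
    glue = {k: v for k, v in PARENT_GLUE.items() if k != "ns3.sean-aws.xyz"}
    return check_delegation(ZONE, PARENT_NS, glue, CHILD_NS, CHILD_A,
                            SOA_MNAME, PROVIDER_IPS)


def provider_ip_changed():
    """Constructed failure: the provider moved one Ningxia address (made-up IP)."""
    ips = (PROVIDER_IPS - {"52.82.179.241"}) | {"52.82.179.242"}
    return check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_A,
                            SOA_MNAME, ips)


if __name__ == "__main__":
    for label, fn in [("healthy", healthy), ("missing glue", missing_glue),
                      ("provider IP changed", provider_ip_changed)]:
        print(label, "->", fn() or ["OK"])
```

Run this periodically (or after any change at the registrar) and treat a non-empty result as an outage in progress: a single stale glue address does not stop resolution while the other servers answer, but it shrinks your effective NS set without any visible error.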
DNS is foundational infrastructure for a site, so we recommend setting this up from the start. Migrating to Route 53 from another provider is straightforward enough, but if a Route 53 hosted zone already exists and you then want white-label NS, the process gets more complicated and carries a risk of resolution outages: an existing hosted zone cannot be switched to a reusable delegation set, so you have to create a new hosted zone with the reusable delegation set, copy the records over and re-delegate the domain to it.
Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/white-label-name-servers.html