add details on getting endpoint details from dns
badra001 committed Jan 17, 2025
1 parent fc0964a commit d322bb9
Showing 1 changed file with 82 additions and 2 deletions.
84 changes: 82 additions & 2 deletions aws/documentation/dns/README.md
Expand Up @@ -349,6 +349,84 @@ This is handled in the [example baseline code](https://github.e.it.census.gov/te
For the most part, we leave the code as is, editing only `locals.tf`, and then apply. This creates VPC associations to the zones found in SSM Parameters
under `/enterprise/vpc-endpoints/REGION`. It uses the `route53-zone-association/vpc` described above.

To get information about a specific VPC endpoint, you may query DNS. You will want to look at a `TXT` record for the endpoint DNS entry. This must use the AWS DNS server.
From within any AWS VPC, you can execute the dig command as follows:

```console
% dig in any execute-api.us-gov-west-1.amazonaws.com
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> @10.189.76.245 in any execute-api.us-gov-west-1.amazonaws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13052
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;execute-api.us-gov-west-1.amazonaws.com. IN ANY

;; ANSWER SECTION:
execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.108.245
execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.109.61
execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.110.31
execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-0.awsdns-us-gov-00.com.
execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-1024.awsdns-us-gov-00.org.
execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-1536.awsdns-us-gov-00.us.
execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-512.awsdns-us-gov-00.net.
execute-api.us-gov-west-1.amazonaws.com. 900 IN SOA ns-0.awsdns-us-gov-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
execute-api.us-gov-west-1.amazonaws.com. 900 IN TXT "heritage=terraform,terraform/account_id=057405694017,terraform/region=us-gov-west-1,terraform/vpce_id=vpce-0ca8605d18c21d901,terraform/create_time=1681302584"

;; ADDITIONAL SECTION:
ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.109.61
ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.110.31
ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.108.245
ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.108.245
ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.109.61
ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.110.31
ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.110.31
ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.108.245
ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.109.61
ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.110.31
ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.108.245
ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.109.61

;; Query time: 21 msec
;; SERVER: 10.189.76.245#53(10.189.76.245)
;; WHEN: Fri Jan 17 11:18:05 EST 2025
;; MSG SIZE rcvd: 699
```

If you are OUTSIDE of an AWS VPC (on prem), you must refrence one of the [AWS Route53 Inbound Endpoints](#inbound--ent-gov-internal) from the `network-prod` account. Here is one
example:

```console
% dig @10.189.76.245 in any execute-api.us-gov-west-1.amazonaws.com
```

This will return the same `dig` output as above.

In the `dig` output, you see a TXT record, with what we call _heritage_ information.

```
execute-api.us-gov-west-1.amazonaws.com. 900 IN TXT "heritage=terraform,terraform/account_id=057405694017,terraform/region=us-gov-west-1,terraform/vpce_id=vpce-0ca8605d18c21d901,terraform/create_time=1681302584"
```

This breaks down as

* heritage = terraform
* created by terraform
* terraform/account_id = 057405694017
* The AWS Account where this was created
* This is ent-gov-network-prod
* terraform/region = us-gov-west-1
* The AWS region where this was created
* terraform/vpce_id = vpce-0ca8605d18c21d901
* The VPC Endpoint ID of this particualr endpoint (execute-api)
* terraform/create_time = 1681302584
* The Unix timestamp when this entry was created
* Wed Apr 12 08:29:44 EDT 2023

# Logging

DNS query logging is handled per region per account. These logs are JSON formatted CloudWatch log entries. The intention is to consume them in Splunk,
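Review bot: the first `dig` example is inconsistent with its own output: the command shown is `dig in any execute-api.us-gov-west-1.amazonaws.com` (no server specified), yet the captured header reads `<<>> @10.189.76.245 in any ...`, and the `SERVER:` line reports `10.189.76.245#53`, which is the inbound endpoint the text says is only needed from on-prem. Either re-capture the output from inside a VPC using the VPC resolver, or make the command line match (`dig @10.189.76.245 in any ...`) and say so. Two further points: the `ANY` query type is deprecated (RFC 8482) and many resolvers answer it with a minimal or synthetic response, so since the text only needs the heritage record it would be more robust to document `dig @<inbound-endpoint> TXT execute-api.us-gov-west-1.amazonaws.com` and keep `ANY` only as an optional "show everything" variant; and the breakdown list is flat Markdown, so the explanatory lines ("created by terraform", "The AWS Account where this was created", and so on) render as sibling bullets rather than sub-items of the key they describe, and should be indented under their parent key. Minor: "refrence" should be "reference" and "particualr" should be "particular".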
Expand Down Expand Up @@ -398,8 +476,10 @@ to map a zone apex to a resource such as an ALB. This is due to the inability to
- added TOC, reference to cleanup
* 1.0.10 -- 2023-10-26
- added table of inbound, outbound route53 endpoints for dmz-network-prod
* 1.0.11 -- 2025-01-17
- add details on how to get details from DNS on vpc endpoints

## Metadata

Version: 1.0.10
Last Updated: 2023-6h
Version: 1.0.11
Last Updated: 2025-01-17

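Review bot: the new changelog entry "add details on how to get details from DNS on vpc endpoints" repeats "details" and is vaguer than the section it describes; suggest "add instructions for looking up VPC endpoint heritage TXT records via DNS" so readers scanning the history know which section changed. The Metadata block correctly replaces the malformed `Last Updated: 2023-6h` with a full date, and the version bump to 1.0.11 matches the changelog line, which is good.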