diff --git a/aws/documentation/dns/README.md b/aws/documentation/dns/README.md index 7261a90f..a22294b8 100644 --- a/aws/documentation/dns/README.md +++ b/aws/documentation/dns/README.md 
@@ -349,6 +349,84 @@ This is handled in the [example baseline code](https://github.e.it.census.gov/te For the most part, we leave the code as is, editing only `locals.tf`, and then apply. This creates VPC associations to the zones found in SSM Parameters under `/enterprise/vpc-endpoints/REGION`. It uses the `route53-zone-association/vpc` described above. +To get information about a specific VPC endpoint, you may query DNS. You will want to look at a `TXT` record for the endpoint DNS entry. This must use the AWS DNS server. +From within any AWS VPC, you can execute the dig command as follows: + +```console +% dig in any execute-api.us-gov-west-1.amazonaws.com +; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> @10.189.76.245 in any execute-api.us-gov-west-1.amazonaws.com +; (1 server found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13052 +;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 13 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 4096 +;; QUESTION SECTION: +;execute-api.us-gov-west-1.amazonaws.com. IN ANY + +;; ANSWER SECTION: +execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.108.245 +execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.109.61 +execute-api.us-gov-west-1.amazonaws.com. 60 IN A 10.189.110.31 +execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-0.awsdns-us-gov-00.com. +execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-1024.awsdns-us-gov-00.org. +execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-1536.awsdns-us-gov-00.us. +execute-api.us-gov-west-1.amazonaws.com. 172800 IN NS ns-512.awsdns-us-gov-00.net. +execute-api.us-gov-west-1.amazonaws.com. 900 IN SOA ns-0.awsdns-us-gov-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 +execute-api.us-gov-west-1.amazonaws.com. 
900 IN TXT "heritage=terraform,terraform/account_id=057405694017,terraform/region=us-gov-west-1,terraform/vpce_id=vpce-0ca8605d18c21d901,terraform/create_time=1681302584" + +;; ADDITIONAL SECTION: +ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.109.61 +ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.110.31 +ns-0.awsdns-us-gov-00.com. 60 IN A 10.189.108.245 +ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.108.245 +ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.109.61 +ns-1024.awsdns-us-gov-00.org. 60 IN A 10.189.110.31 +ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.110.31 +ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.108.245 +ns-1536.awsdns-us-gov-00.us. 60 IN A 10.189.109.61 +ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.110.31 +ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.108.245 +ns-512.awsdns-us-gov-00.net. 60 IN A 10.189.109.61 + +;; Query time: 21 msec +;; SERVER: 10.189.76.245#53(10.189.76.245) +;; WHEN: Fri Jan 17 11:18:05 EST 2025 +;; MSG SIZE rcvd: 699 +``` + +If you are OUTSIDE of an AWS VPC (on prem), you must refrence one of the [AWS Route53 Inbound Endpoints](#inbound--ent-gov-internal) from the `network-prod` account. Here is one +example: + +```console +% dig @10.189.76.245 in any execute-api.us-gov-west-1.amazonaws.com +``` + +This will return the same `dig` output as above. + +In the `dig` output, you see a TXT record, with what we call _heritage_ information. + +``` +execute-api.us-gov-west-1.amazonaws.com. 
900 IN TXT "heritage=terraform,terraform/account_id=057405694017,terraform/region=us-gov-west-1,terraform/vpce_id=vpce-0ca8605d18c21d901,terraform/create_time=1681302584" +``` + +This breaks down as + +* heritage = terraform + * created by terraform +* terraform/account_id = 057405694017 + * The AWS Account where this was created + * This is ent-gov-network-prod +* terraform/region = us-gov-west-1 + * The AWS region where this was created +* terraform/vpce_id = vpce-0ca8605d18c21d901 + * The VPC Endpoint ID of this particualr endpoint (execute-api) +* terraform/create_time = 1681302584 + * The Unix timestamp when this entry was created + * Wed Apr 12 08:29:44 EDT 2023 + # Logging DNS query logging is handled per region per account. These logs are JSON formatted CloudWatch log entries. The intention is to consume them in Splunk, @@ -398,8 +476,10 @@ to map a zone apex to a resource such as an ALB. This is due to the inability to - added TOC, reference to cleanup * 1.0.10 -- 2023-10-26 - added table of inbound, outbound route53 endpoints for dmz-network-prod +* 1.0.11 -- 2025-01-17 + - add details on how to get details from DNS on vpc endpoints ## Metadata -Version: 1.0.10 -Last Updated: 2023-6h +Version: 1.0.11 +Last Updated: 2025-01-17
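Review bot: The first `dig` example in the README hunk is inconsistent with its own captured output: the command line reads `dig in any execute-api.us-gov-west-1.amazonaws.com` with no server, but the header line directly beneath it shows `<<>> @10.189.76.245 in any ...`, meaning the transcript was taken against the inbound endpoint, not the VPC resolver the surrounding sentence ("From within any AWS VPC") describes. Either re-capture the output from inside a VPC or state that the output shown came from the on-prem form. Two further points in the same hunk: since the text says the reader wants the `TXT` record, prefer `dig TXT execute-api.us-gov-west-1.amazonaws.com` over `ANY` (ANY responses are large, resolver-dependent, and often minimized, so the heritage record may not appear), and "This must use the AWS DNS server" should name what that is, e.g. the VPC's Route 53 Resolver from inside a VPC or one of the listed inbound endpoints from on prem, which is what the next paragraph actually says. Spelling: "refrence" should be "reference" and "particualr" should be "particular"; the second TXT code fence should carry the same `console` tag the others use. Finally, the heritage TXT record publishes the account ID and VPCE ID to every VPC associated with the zone and every client reaching the inbound endpoints, so a sentence noting that this is intentional and the zone is private would help readers decide whether that exposure is acceptable in their environment.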
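Review bot: The changelog entry added in the second hunk, "add details on how to get details from DNS on vpc endpoints", repeats "details" and breaks the past-tense convention of the neighbouring entries ("added TOC", "added table of inbound, outbound route53 endpoints"); suggest "added instructions for querying VPC endpoint heritage records from DNS". The version bump to 1.0.11 and the `Last Updated: 2025-01-17` line agree with the new entry, and the change also silently repairs the previous malformed date `2023-6h`, which is worth a word in the entry so the history explains why the prior metadata was wrong.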