Skip to main content
Sponsor @cloudposse

Proposed: Use Private and Public Hosted Zones

Date: 11 Feb 2022

Rejected!

The proposal in this ADR was rejected! For questions, please reach out to Cloud Posse.

  • Context for rejection is needed. Overally this proposal adds complexity and cost for using private zones, as well as has a lack of customer demand.

Status

DRAFT

Problem

There is confusion regarding service discovery and vanity domains. Hisotically, service discovery domains are on privately hosted DNS zones, yet Cloud Posse typically advocates using public DNS zones for everything, including internal load balancers. Using public hosted zones leaks information about the cloud architecture, which is why some advocate for strictly using private zones.

Context

Considered Options

Option 1: Public zones only

Pros

  • This is what we’re currently doing and this has been tried and tested

  • ACM certs can be used without PCA

  • LetsEncrypt can be an issuer for cert-manager (when using ingress-nginx)

Cons

  • Route53 hostnames might be leaked (although services won’t be accessible).

  • Security through Obscurity.

Option 2: Private zones only

This is an “old school” security best practice, which in principle is great but in practice rather limiting.

Pros

  • Route53 hostnames cannot be leaked, making it more difficult for adversaries to map out the infrastructure for targeted attacks

Cons

  • We’ve recently added support for this in a customer engagement. There could be “underwater stones” (credit to @Igor Rodionov for this term).

  • IMPORTANT Services cannot be exposed in any way to external third-party integrations (e.g. webhook callbacks with Twillio, GitHub, etc

  • Requires cross association of VPCs with private hosted zones

  • IMPORTANT Can only be associated with exactly one VPC

  • Is this true? I’ve been able to associate a private zone with multiple VPCs. @RB (Ronak Bhatia)

  • Requires a VPN solution like AWS Client VPN Endpoint in order to resolve any names

  • Private CA or a public hosted zone for ACM verification

  • Public hosted zone for acm verification which would require a split-view setup

  • or Private CA to sign certificates and sign ACM certs and cert-manager.

  • At least 2 Private CAs are recommended (one for prod, one for non-prod). Each private CA is $400/mo. https://aws.amazon.com/certificate-manager/pricing/

  • Troubleshooting DNS lookups would require ssh'ing via SSM to an instance in a VPC that is associated with a private Hosted Zone to check if DNS lookups work as expected

Option 3: Hybrid of public and private zones

This has all the pros of Option 1 and Option 2 and mitigates some of the Cons.

Pros

  • Best of both worlds

  • Public for vanity domains

  • Private for service discovery domains

  • Both public and private can co-exist

Cons

  • Still requires either a public hosted zone for certificate verification OR the costly Private CA at $400/mo/ea x2.