Showing posts with label Route53. Show all posts

Wednesday, April 20, 2016

Outbound IPv6 on AWS EC2 Amazon Linux How-To (Not Production Grade)




It is well known that we can deploy an application in AWS and make it reachable over IPv6 thanks to the AAAA DNS records that every EC2 Elastic Load Balancer provides, but this only covers inbound traffic. Outbound Internet connections (connections originated from our EC2 instances) are still IPv4 only.
The arrival of IPv6 to EC2 could be near, but meanwhile there is a way to give our servers outbound IPv6 connectivity: the Hurricane Electric tunnel broker service, a 6in4 tunnel that carries our IPv6 packets encapsulated inside IPv4 (IP protocol 41).

I call this solution "Not Production Grade" because the service is provided for free, for experimentation purposes. Please read its Terms of Service (I have to say that it is pretty fast and stable though).



Important Security Note:
With no additional measures in place, the configuration described here exposes every service listening on this host to the whole IPv6 Internet. The EC2 Security Group only sees the outer IPv4 packets (IP protocol 41 coming from the Hurricane Electric endpoint); it never inspects the IPv6 traffic carried inside the tunnel and therefore cannot filter it.
There is no Network Address Translation (NAT) in IPv6: your server gets a globally routable address and is, to all effects, directly connected to the Internet.
Enabling and configuring ip6tables before bringing the tunnel up is advised.




Register:

- Get your free IPv6 tunnel at https://www.tunnelbroker.net




- Open your EC2 Security Group to ICMP (echo request) traffic from Hurricane Electric: the tunnel broker pings your IPv4 endpoint to verify that it is reachable before it creates the tunnel. If the tunnel never comes up afterwards, also check that the encapsulated traffic (IP protocol 41) from the tunnel server is able to reach the instance.




- Fill the field "IPv4 Endpoint (Your side)" with the Public IP of your instance. The tunnel is bound to this address, so use an Elastic IP: a plain public IP changes on every stop/start and would leave the tunnel pointing at an address you no longer own.

- Select an IPv4 tunnel endpoint close to your AWS region.




- Once the tunnel is created we can access its details. No other changes are required, the tunnel is ready to use.




Configure:

- Click on "Example Configurations" to obtain the configuration guidelines for our operating system (in our case the "Linux-net-tools" option).






Run the following as root (here with sudo):


# bring up the generic sit0 device and point it at the HE tunnel server ("Server IPv4 Address")
sudo ifconfig sit0 up
sudo ifconfig sit0 inet6 tunnel ::216.66.88.98
# that creates sit1, our end of the tunnel; give it our address ("Client IPv6 Address")
sudo ifconfig sit1 up
sudo ifconfig sit1 inet6 add 2001:470:1f1c:666::2/64
# send all IPv6 traffic through the tunnel
sudo route -A inet6 add ::/0 dev sit1


Note: these are the addresses shown in the tunnel details page; in your case they will vary.

- At this point the new interface and the tunnel are ready.



Test:

- Check our new interface sit1 and its IPv6 configuration. In this example the IP 2001:470:1f1c:666::2 is our Public IPv6 address for this server.


$ ifconfig sit1

sit1      Link encap:IPv6-in-IPv4  
          inet6 addr: 2001:470:1f1c:666::2/64 Scope:Global
          inet6 addr: fe80::a52:b404/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:14575 (14.2 KiB)  TX bytes:11293 (11.0 KiB)




- ping6 (against Google IPv6 DNS server)


$ ping6 -c 5 2001:4860:4860::8888

PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=56 time=18.9 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=56 time=19.0 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=56 time=19.0 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=56 time=19.1 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=56 time=19.0 ms

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4034ms
rtt min/avg/max/mdev = 18.993/19.062/19.125/0.131 ms



- route


$ route -n -A inet6

Kernel IPv6 routing table
Destination                     Next Hop                                Flags Metric Ref    Use Iface
::/96                              ::                                      U     256    0        0 sit0
2001:470:1f1c:666::/64             ::                                      U     256    0        0 sit1
fe80::/64                          ::                                      U     256    0        0 eth0
fe80::/64                          ::                                      U     256    0        0 sit1
::/0                               ::                                      U     1      3469     1 sit1
::1/128                            ::                                      U     0      22       2 lo
::10.82.180.4/128                  ::                                      U     0      0        1 lo
::127.0.0.1/128                    ::                                      U     0      0        1 lo
2001:470:1f1c:666::2/128           ::                                      U     0      3397     2 lo
fe80::a52:b404/128                 ::                                      U     0      0        1 lo
fe80::2000:aff:fe52:b404/128       ::                                      U     0      0        1 lo
ff00::/8                           ::                                      U     256    0        0 eth0
ff00::/8                           ::                                      U     256    0        0 sit1


::/0 is the default route in IPv6 (equivalent to 0.0.0.0/0 in IPv4).
::1 is our loopback address (equivalent to 127.0.0.1).

In IPv6 notation the leading zeroes of every group of hexadecimal digits may be dropped, and one run of consecutive all-zero groups may be replaced with a double colon (::), which is why 0000:0000:0000:0000:0000:0000:0000:0001 is written ::1.
The ::10.82.180.4 and ::127.0.0.1 entries are the IPv4-compatible addresses that the sit0 device creates for the host's own IPv4 addresses; they are a side effect of the tunnel setup, not addresses anybody should route to.


- netstat


$ telnet www.google.com 80 &
$ netstat -nat -A inet6

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address              State      
tcp        0      0 :::22                       :::*                         LISTEN      
tcp        0      0 :::38030                    :::*                         LISTEN      
tcp        0      0 :::111                      :::*                         LISTEN      
tcp        0      0 2001:470:1f1c:666::2:35960  2a00:1450:400b:802::2004:80  ESTABLISHED 


Notice that our telnet command has created an IPv6 connection although we didn't specify any IPv6 parameter. How come? See the DNS considerations at the bottom of this article.



- traceroute


$ traceroute -6 2001:4860:4860::8888

traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  juandomenech-1.tunnel.tserv1.lon2.ipv6.he.net (2001:470:1f1c:666::1)  13.331 ms  13.703 ms  14.143 ms
 2  ge3-20.core1.lon2.he.net (2001:470:0:320::1)  42.622 ms  75.028 ms  75.002 ms
 3  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  15.652 ms  15.614 ms  15.386 ms
 4  2001:4860::1:0:ab9e (2001:4860::1:0:ab9e)  14.648 ms 2001:4860::1:0:ab9d (2001:4860::1:0:ab9d)  14.697 ms 2001:4860::1:0:9914 (2001:4860::1:0:9914)  15.386 ms
 5  2001:4860::8:0:aba0 (2001:4860::8:0:aba0)  26.167 ms 2001:4860::8:0:ab9f (2001:4860::8:0:ab9f)  26.139 ms 2001:4860::8:0:aba0 (2001:4860::8:0:aba0)  26.113 ms
 6  2001:4860::8:0:83d2 (2001:4860::8:0:83d2)  26.079 ms 2001:4860::8:0:507c (2001:4860::8:0:507c)  18.276 ms 2001:4860::8:0:83d2 (2001:4860::8:0:83d2)  17.891 ms
 7  2001:4860::2:0:7a79 (2001:4860::2:0:7a79)  18.432 ms 2001:4860::2:0:79fb (2001:4860::2:0:79fb)  20.376 ms  20.369 ms
 8  google-public-dns-a.google.com (2001:4860:4860::8888)  19.208 ms  18.261 ms  17.545 ms



Notice hop #1. It is the other side of the tunnel: 2001:470:1f1c:666::1 is the gateway of our network (the "Server IPv6 Address" in the tunnel details).




- Scan your server from outside with a public IPv6 port scanner: type in your IPv6 address, hit Submit and wait about 10 seconds.

Do you see something interesting? Yes: as mentioned before, ports 22 and 111 are open to the whole IPv6 Internet, bypassing the protection the EC2 Security Group gives us on the IPv4 side.
Creating the tunnel has the same effect as plugging a second Internet connection into our instance. The IPv6 traffic travels encapsulated inside IPv4 packets (IP protocol 41), and the Security Group only sees the outer packet coming from the tunnel endpoint, so it cannot filter what is inside. Every daemon bound to :: (see the netstat output above) is reachable from anywhere.
Configuring ip6tables is advised.
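As an added example (not part of the original post), here is an ip6tables ruleset that gives the tunnel interface what the Security Group cannot: default deny on everything arriving through sit1, replies to our own outbound connections, the ICMPv6 error types IPv6 needs for path MTU discovery (the tunnel MTU is 1480), rate-limited ping, and SSH only from an administrative prefix. The interface name sit1 comes from the post; the admin prefix 2001:db8:abcd::/48 is an assumption (the IPv6 documentation prefix) to be replaced with your own.

```shell
#!/bin/bash
# Added example, not from the original post: a host firewall for the tunnel
# interface, since the Security Group never sees the IPv6 carried inside the
# 6in4 tunnel. Assumptions: the tunnel interface is sit1 (as in the post) and
# administrative SSH comes from the hypothetical prefix 2001:db8:abcd::/48
# (IPv6 documentation prefix, replace it with your own).
TUNNEL_IF="${TUNNEL_IF:-sit1}"
ADMIN_PREFIX="${ADMIN_PREFIX:-2001:db8:abcd::/48}"

# Emit a ruleset in ip6tables-restore format that does for the tunnel what a
# Security Group does on the IPv4 side: default deny inbound, allow replies to
# connections this host started, allow the ICMPv6 the protocol cannot work
# without (RFC 4890), allow SSH from the admin prefix only, drop the rest.
# Port 111 (rpcbind), seen open in the scan above, becomes unreachable.
gen_ip6tables_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and interfaces other than the tunnel, are left to the Security Group
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i ${TUNNEL_IF} -j ACCEPT
# replies to connections this host initiated
-A INPUT -i ${TUNNEL_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 error messages are required for path MTU discovery through the tunnel (MTU 1480)
-A INPUT -i ${TUNNEL_IF} -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -i ${TUNNEL_IF} -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i ${TUNNEL_IF} -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -i ${TUNNEL_IF} -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# rate-limited ping so the tunnel stays diagnosable
-A INPUT -i ${TUNNEL_IF} -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# management only from the admin prefix
-A INPUT -i ${TUNNEL_IF} -p tcp --dport 22 -s ${ADMIN_PREFIX} -j ACCEPT
# everything else that came through the tunnel: log a sample, then drop
-A INPUT -i ${TUNNEL_IF} -m limit --limit 10/min -j LOG --log-prefix "ip6tables-tunnel-drop: "
-A INPUT -i ${TUNNEL_IF} -j DROP
COMMIT
EOF
}

# Load the ruleset atomically (ip6tables-restore replaces the whole table at once)
apply_ip6tables_rules() {
  gen_ip6tables_rules | ip6tables-restore
}

case "${1:-}" in
  show)  gen_ip6tables_rules ;;
  apply) apply_ip6tables_rules ;;
esac
```

Run it with `show` to review the rules and with `apply` as root before bringing the tunnel up. On Amazon Linux, `service ip6tables save` followed by `chkconfig ip6tables on` writes the live rules to /etc/sysconfig/ip6tables and restores them at boot. After this, the scan above would show port 111 closed and port 22 reachable only from the admin prefix.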



DNS considerations:

We have added a new interface to this box and we are routing IPv6 through a tunnel, but we haven't changed its DNS configuration. It still has the standard EC2 DNS configuration (EC2-Classic):



$ cat /etc/resolv.conf

; generated by /sbin/dhclient-script
search eu-west-1.compute.internal
options timeout:2 attempts:5
nameserver 172.16.0.23



Despite that, our previous telnet (telnet www.google.com 80) connected to Google over IPv6. Let's take a look at the dialogue between our box and the EC2-Classic DNS server 172.16.0.23 to understand why:



$ sudo tcpdump -i eth0 -nn port 53

13:31:52.961142 IP 10.104.229.189.47624 > 172.16.0.23.53: 61300+ A? www.google.com. (32)
13:31:52.961158 IP 10.104.229.189.47624 > 172.16.0.23.53: 48977+ AAAA? www.google.com. (32)
13:31:52.962279 IP 172.16.0.23.53 > 10.104.229.189.47624: 48977 1/0/0 AAAA 2a00:1450:400b:802::2004 (60)
13:31:52.963683 IP 172.16.0.23.53 > 10.104.229.189.47624: 61300 6/0/0 A 209.85.203.104, A 209.85.203.105, A 209.85.203.106, A 209.85.203.147, A 209.85.203.99, A 209.85.203.103 (128)




- Packets #1 and #2 are our requests and packets #3 and #4 are the answers coming back from the DNS server.
- Our Linux box asks for www.google.com twice, in parallel: once for the IPv4 address (A) and once for the IPv6 address (AAAA).
- Each request receives a different answer. The A query gets a list of IPv4 addresses and the AAAA query gets a single IPv6 address (2a00:1450:400b:802::2004). This is the address our box decided to use.

In other words, the resolver does not decide anything by itself: getaddrinfo() returns both kinds of addresses and sorts them following RFC 6724 (tunable in /etc/gai.conf on glibc systems). Now that the host has a global IPv6 address and a default IPv6 route, the AAAA result sorts first and telnet tries it first. Take the tunnel down and the same host quietly goes back to IPv4.

We can do the same using dig.


- dig


$ dig AAAA www.linkedin.com

;; ANSWER SECTION:
www.linkedin.com. 88 IN CNAME glb-any-eu.www.linkedin.com.
glb-any-eu.www.linkedin.com. 88 IN CNAME any-eu.www.linkedin.com.
any-eu.www.linkedin.com. 1869 IN AAAA 2a04:f540:1::b93f:930a


Migrated = Yes



$ dig AAAA www.facebook.com


;; ANSWER SECTION:
www.facebook.com. 14 IN CNAME star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 41 IN AAAA 2a03:2880:2130:7f20:face:b00c:0:25de


Migrated = Yes



$ dig AAAA github.com


;; AUTHORITY SECTION:
github.com. 60 IN SOA ns1.p16.dynect.net. hostmaster.github.com. 1461162636 3600 600 604800 60


Not migrated yet.


Monday, December 29, 2014

How to transfer your Internet Domain to AWS Route 53


tranfer-domain-to-aws-route-53-icon

These are the steps to transfer an Internet domain (domenech.org in this example) to AWS Route 53.

This is not a DNS configuration migration: it only makes AWS our domain registrar. The name servers answering for the domain do not change.

1- Check your current domain registration information


Make sure that your contact details are up to date and that you have all you need to administer your domain (valid email addresses you can actually read, the domain is not about to expire, the registrar transfer lock is disabled, etc.). The contact email matters: the approval request for the transfer will be sent there.


2- Request the Authorisation Code from your current Registrar


The goal of the whole process is to transfer the registrar authority from your current registrar to a new one (AWS). The Authorisation Code (also called the EPP or auth code) is what proves to the registry that the request is authorised, so treat it as a secret: anyone who has it and can answer the approval email can move your domain.

Each provider has a different method to obtain this code, e.g. these are the instructions for GoDaddy


3- Initiate the Transfer Domain Wizard


- On the Route 53 Console: Click on "Registered Domains" and "Transfer Domain" button.

- Type your Internet Domain name and select its TLD (domenech.org in this case).

blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-3

4- Authorisation Code and your current DNS server


Enter here the Authorisation Code you have received from your current Registrar.

Enter here your current DNS server names. There is room for 4 servers; 2 is the minimum required.

Remember: these are your current DNS servers. Nothing changes here; we are migrating only the registrar of the domain.


blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-4



5- Fill in your contact details


blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-5

6- Review & Purchase


blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-6a


blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-6b

7- noreply@domainnameverification.net email


The process has been initiated and should now be in pending status.
You can track it on the Route 53 Console Dashboard:

blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-dashboard-7a


After a couple of days you will receive an email from noreply@domainnameverification.net asking you to approve the transfer. Follow those instructions.

blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-domainnameverification.net-7b



blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-approve-transfer-8


8- Done. Your Internet Domain is now registered through Amazon Web Services


blog-domenech-org-transfer-internet-domain-to-aws-route-53-step-registered-domains-9


9- Test


A good way to test that the change has propagated is to perform a "whois" lookup from a public service like http://www.whois.net (or with the whois command line tool) and query your domain.

Here below is the current output of that query for domenech.org. Notice that my personal details are obfuscated by a third-party registrar: AWS delegates the domain registration to Gandi (http://www.gandi.net/whois) and this service includes whois privacy at no additional cost. Two lines are worth checking: "Sponsoring Registrar" names the new registrar, and "Domain Status: clientTransferProhibited" shows that the transfer lock is back on, which is what stops anyone else from doing to you what you have just done.

Domain Name:DOMENECH.ORG
Domain ID: D85970450-LROR
Creation Date: 2002-04-25T19:34:26Z
Updated Date: 2014-10-25T00:20:22Z
Registry Expiry Date: 2016-04-25T19:34:26Z
Sponsoring Registrar:Gandi SAS (R42-LROR)
Sponsoring Registrar IANA ID: 81
WHOIS Server: 
Referral URL: 
Domain Status: clientTransferProhibited
Registrant ID:JD10503-GANDI
Registrant Name:Juan Domenech
Registrant Organization:
Registrant Street: Whois Protege / Obfuscated whois
Registrant Street: Gandi, 63-65 boulevard Massena
Registrant City:Paris
Registrant State/Province:
Registrant Postal Code:75013
Registrant Country:FR
Registrant Phone:+33.170377666
Registrant Phone Ext: 
Registrant Fax: +33.143730576
Registrant Fax Ext: 
Registrant Email:a517c25f3bd3ea62979ed4e973f86c48-2042264@contact.gandi.net
Admin ID:JD10502-GANDI
Admin Name:Juan Domenech
Admin Organization:
Admin Street: Whois Protege / Obfuscated whois
Admin Street: Gandi, 63-65 boulevard Massena
Admin City:Paris
Admin State/Province:
Admin Postal Code:75013
Admin Country:FR
Admin Phone:+33.170377666
Admin Phone Ext: 
Admin Fax: +33.143730576
Admin Fax Ext: 
Admin Email:254445e386172ccaea82940961ab1cf2-2042260@contact.gandi.net
Tech ID:JD10504-GANDI
Tech Name:Juan Domenech
Tech Organization:
Tech Street: Whois Protege / Obfuscated whois
Tech Street: Gandi, 63-65 boulevard Massena
Tech City:Paris
Tech State/Province:
Tech Postal Code:75013
Tech Country:FR
Tech Phone:+33.170377666
Tech Phone Ext: 
Tech Fax: +33.143730576
Tech Fax Ext: 
Tech Email:0d4fec3c29117f4dd0034f2b144b1ee4-2042268@contact.gandi.net
Name Server:NS1.CELINGEST.ES
Name Server:NS2.CELINGEST.ES
Name Server:NS3.CELINGEST.ES
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned
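Rather than eyeballing that output, the checks can be scripted. The following is an added example (not part of the original post) that parses a saved whois answer and reports whether the transfer lock is on, whether the sponsoring registrar is the expected one, which name servers are delegated and whether DNSSEC is in place. It assumes the field names seen in the output above ("Domain Status", "Sponsoring Registrar" or "Registrar", "Name Server", "DNSSEC"); "Gandi" as the expected registrar is taken from that same output.

```shell
#!/bin/bash
# Added example (not from the original post): post-transfer checks over a saved
# whois answer, so the result is verified rather than eyeballed. Field names are
# those of the whois output shown above.

# whois_field FIELD FILE : print the values of FIELD, one per line, skipping empty ones
whois_field() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# whois_check FILE EXPECTED_REGISTRAR : print findings, return 1 if anything FAILs
whois_check() {
  local f="$1" expected="$2" rc=0 status reg ns dnssec

  # The transfer only works with the lock off; once done it must be back on,
  # otherwise anyone holding the auth code can move the domain again.
  status="$(whois_field 'Domain Status' "$f")"
  case "$status" in
    *clientTransferProhibited*) echo "OK   transfer lock is set" ;;
    *) echo "FAIL transfer lock missing (status: ${status:-none})"; rc=1 ;;
  esac

  # The sponsoring registrar must be the one the domain was transferred to.
  reg="$(whois_field 'Sponsoring Registrar' "$f"; whois_field 'Registrar' "$f")"
  case "$reg" in
    *"$expected"*) echo "OK   registrar: $reg" ;;
    *) echo "FAIL registrar is '${reg:-unknown}', expected '$expected'"; rc=1 ;;
  esac

  # A registrar transfer must not change the delegation: compare with your current servers.
  ns="$(whois_field 'Name Server' "$f" | tr 'A-Z' 'a-z' | sort)"
  if [ -n "$ns" ]; then
    echo "INFO name servers:"; printf '     %s\n' $ns
  else
    echo "FAIL no name servers listed"; rc=1
  fi

  dnssec="$(whois_field 'DNSSEC' "$f")"
  case "$dnssec" in
    [Ss]igned*) echo "OK   DNSSEC: $dnssec" ;;
    *) echo "WARN DNSSEC: ${dnssec:-unknown} (a registrar change is a good moment to revisit this)" ;;
  esac
  return $rc
}

# Usage:  whois domenech.org > whois.txt && whois_check whois.txt Gandi
```

Run it right after the transfer completes and again a few days later: the lock is sometimes re-applied only after the registry's post-transfer grace period, and a domain that stays unlocked is the thing to fix first.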

Monday, November 12, 2012

Automatically Manage your AWS EC2 Instance Public IP Addresses with Route53

aws-route-53-rest-api-dns-ec2-call


Our goal: easy access to our instances by name, instead of having to locate them through the EC2 Console after an IP change caused by a stop/start.

It is quite tedious to have to open the AWS Console to find an instance's Public IP after a stop/start, or when we have forgotten what it was. Here I show you a tool: a script executed inside the instance that updates its DNS records in Route53 using the instance tag "Name". This is an optional tag we can use to store the host name when launching a new instance, or edit at any time afterwards. If the tag is not present, the script uses the instance ID to update (or create) the corresponding DNS A record. Either way the instance is always reachable through a stable FQDN that won't change over time.
Example: My-Instance-Host-Name.ec2.My-Domain.com

$ ssh -i juankeys.pem ec2-user@webserver1.ec2.donatecpu.com

Last login: Mon Nov 12 00:14:35 2012 from 77.224.98.33
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2012.09-release-notes/ 
There are 4 total update(s) available
Run "sudo yum update" to apply all updates.

[ec2-user@webserver1 ~]$ 


Instance Tag Name
Configure your EC2 instance with a Name tag using the Console. Usually the Instance Launch Wizard asks for it, but if it is empty you can set it any time you want. In this example the Name tag will be "webserver1".

aws-route-53-ec2-tag-name-donatecpu-com


Preparations
Log into your instance and make sure that the EC2 API tools are ready to run. Follow this previous post if you need help with that. You will also need an IAM user whose access keys the script can use. It does not need admin rights: route53:GetHostedZone and route53:ChangeResourceRecordSets on this one hosted zone, plus ec2:DescribeInstances to read the Name tag, are enough. Those keys will live in a file on the instance, so the narrower the policy the better.


Route53
Create a new zone in Route53 (if you don't have any created yet) and save the assigned Hosted Zone ID:

aws-route-53-ec2-tag-name-donatecpu-com


dnscurl.pl
dnscurl.pl is an AWS Perl tool that helps us use the Route53 API. Unlike other AWS APIs of the time, Route53's API is REST: it is accessible through plain HTTP calls (similar to reading the instance metadata), which looks good, but the request signing is painful. dnscurl.pl takes care of that and generates the authenticated calls (GET and POST) to the Route 53 API.

Create a directory called /root/bin/ to store our tools, download dnscurl.pl, and make it executable:

# cd /root

# mkdir bin

# cd bin

# wget -q http://awsmedia.s3.amazonaws.com/catalog/attachments/dnscurl.pl

# chmod u+x dnscurl.pl

Note: You can also download dnscurl.pl from here using a browser. Either way it arrives over plain HTTP, so read the script before you run it as root.

Create in the same folder a file called ".aws-secrets" (note the dot at the beginning of the file name) with the following content and make it readable only by root. These are long-lived credentials stored on disk, so use the least-privileged IAM user you can:

%awsSecretAccessKeys = (
    '(your key name without parentheses)' => {
        id => '(your access key without parentheses)',
        key => '(your secret key without parentheses)', 
    },
);

# chmod go-rwx .aws-secrets 

Test dnscurl.pl with a simple read-only call. If everything is good, you should see something like this:

# ./dnscurl.pl --keyfile ./.aws-secrets --keyname juan -- -v -H "Content-Type: text/xml; charset=UTF-8" https://route53.amazonaws.com/2012-02-29/hostedzone/Z1F5BRDVBM
* About to connect() to route53.amazonaws.com port 443 (#0)
*   Trying 72.21.194.53...
* connected
* Connected to route53.amazonaws.com (72.21.194.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=route53.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
* start date: Nov 05 00:00:00 2010 GMT
* expire date: Nov 04 23:59:59 2013 GMT
* common name: route53.amazonaws.com
* issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> GET /2012-02-29/hostedzone/Z1F5BRDVBM HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.2
> Host: route53.amazonaws.com
> Accept: */*
> Content-Type: text/xml; charset=UTF-8
> Date: Sun, 11 Nov 2012 23:21:26 GMT
> X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=AKIAJ5,Algorithm=HmacSHA1,Signature=/i+0d=

< HTTP/1.1 200 OK
< x-amzn-RequestId: 843632ca-2c56-11e2-94bf-3b3ef9a8f457
< Content-Type: text/xml
< Content-Length: 582
< Date: Sun, 11 Nov 2012 23:21:26 GMT

<?xml version="1.0"?>
* Connection #0 to host route53.amazonaws.com left intact
<GetHostedZoneResponse xmlns="https://route53.amazonaws.com/doc/2012-02-29/"><HostedZone><Id>/hostedzone/Z1F5BRDVBM</Id><Name>donatecpu.com.</Name><CallerReference>454848C9-18D1-2DDB-AC24-B629E</CallerReference><Config/><ResourceRecordSetCount>2</ResourceRecordSetCount></HostedZone><DelegationSet><NameServers><NameServer>ns-1146.awsdns-15.org</NameServer><NameServer>ns-1988.awsdns-56.co.uk</NameServer><NameServer>ns-228.awsdns-28.com</NameServer><NameServer>ns-783.awsdns-33.net</NameServer></NameServers></DelegationSet></GetHostedZoneResponse>* Closing connection #0

You should see a correctly formed AWSAccessKeyId and Signature, no error messages and, at the bottom, an XML document showing the DNS servers for your zone.


start-up-names.sh
Download my script start-up-names.sh and make it executable:
# wget -q http://www.domenech.org/files/start-up-names.sh 

# chmod u+x start-up-names.sh

Or copy and paste the following text into a file called start-up-names.sh

#!/bin/bash
# start-up-names.sh
# http://blog.domenech.org
#
# Publishes this instance's Public IP in Route53 as <instance-id>.$DOMAIN and,
# when the instance carries a "Name" tag, as <name>.$DOMAIN too.

logger start-up-names.sh Started

# More environment variables than we need but... we always do that
export AWS_CREDENTIAL_FILE=/opt/aws/apitools/mon/credential-file-path.template
export AWS_CLOUDWATCH_HOME=/opt/aws/apitools/mon
export AWS_IAM_HOME=/opt/aws/apitools/iam
export AWS_PATH=/opt/aws
export AWS_AUTO_SCALING_HOME=/opt/aws/apitools/as
export AWS_ELB_HOME=/opt/aws/apitools/elb
export AWS_RDS_HOME=/opt/aws/apitools/rds
export EC2_AMITOOL_HOME=/opt/aws/amitools/ec2
export EC2_HOME=/opt/aws/apitools/ec2
export JAVA_HOME=/usr/lib/jvm/jre
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin

# *** Configure these values with your settings ***
# API Credentials (the same file dnscurl.pl reads)
AWSSECRETS="/root/bin/.aws-secrets"
KEYNAME="juan"
# Hosted Zone ID obtained from Route53 Console once the zone is created
HOSTEDZONEID="Z1F5BRDVBM"
# Domain name configured in Route53 and used to store our server names
DOMAIN="ec2.donatecpu.com"
# One of the zone's own name servers (from the GetHostedZone output above). Asking it
# directly returns what Route53 holds right now, not what a caching resolver remembers.
ZONENS="ns-1146.awsdns-15.org"
# Record TTL. A DELETE must quote the exact TTL of the existing record, so keep it constant.
TTL="600"
ROUTE53="https://route53.amazonaws.com/2012-02-29"
# *** Configuration ends here ***

# Credentials for the EC2 API tools, taken from the dnscurl.pl secrets file.
# The patterns are anchored so a key name that happens to contain "id" or "key" cannot match.
ACCESSKEY=$(grep -E "^[[:space:]]*id[[:space:]]*=>" "$AWSSECRETS" | cut -d"'" -f2)
SECRETKEY=$(grep -E "^[[:space:]]*key[[:space:]]*=>" "$AWSSECRETS" | cut -d"'" -f2)

# Instance ID and Public IP obtained from the instance metadata service
INSTANCEID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
PUBLICIP=$(wget -q -O - http://169.254.169.254/latest/meta-data/public-ipv4)

# Instance Name obtained from the Instance Tag "Name". ec2-describe-instances prints
# tags as:  TAG  instance  i-xxxxxxxx  Name  webserver1
INSTANCENAME=$(ec2-describe-instances -O "$ACCESSKEY" -W "$SECRETKEY" "$INSTANCEID" --show-empty-fields \
  | awk '$1 == "TAG" && $4 == "Name" { print $5 }')

echo "$INSTANCEID $PUBLICIP $INSTANCENAME"
logger "$INSTANCEID $PUBLICIP $INSTANCENAME"

# Set the new Hostname using the Instance Tag OR the Instance ID
if [ -n "$INSTANCENAME" ]; then
  hostname "$INSTANCENAME"
  logger "Hostname from InstanceName set to $INSTANCENAME"
else
  hostname "$INSTANCEID"
  logger "Hostname from InstanceID set to $INSTANCEID"
fi

# ChangeResourceRecordSets body for one A record: $1 = Action, $2 = record name, $3 = IP
change_body() {
  echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2012-02-29/\"><ChangeBatch><Changes><Change><Action>$1</Action><ResourceRecordSet><Name>$2.</Name><Type>A</Type><TTL>$TTL</TTL><ResourceRecords><ResourceRecord><Value>$3</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
}

# POST one change batch to the hosted zone through dnscurl.pl
route53_change() {
  /root/bin/dnscurl.pl --keyfile "$AWSSECRETS" --keyname "$KEYNAME" -- -v \
    -H "Content-Type: text/xml; charset=UTF-8" -X POST "$ROUTE53/hostedzone/$HOSTEDZONEID/rrset" -d "$1"
}

# Make $1.$DOMAIN point at $PUBLICIP. This API version has no "overwrite" action, so an
# existing record is deleted with its exact current value and then created again.
update_record() {
  NAME="$1.$DOMAIN"
  # Current A record, if any. "+short" prints only answers and the filter keeps IPv4
  # addresses only, so an SOA from the authority section is never mistaken for an IP.
  CURRENTDNSIP=$(dig +short @"$ZONENS" "$NAME" A | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -1)
  if [ "$CURRENTDNSIP" = "$PUBLICIP" ]; then
    logger "Entry $NAME already points at $PUBLICIP"
    return
  fi
  if [ -n "$CURRENTDNSIP" ]; then
    route53_change "$(change_body DELETE "$NAME" "$CURRENTDNSIP")"
  fi
  route53_change "$(change_body CREATE "$NAME" "$PUBLICIP")"
  logger "Entry $NAME sent to Route53"
}

update_record "$INSTANCEID"
# The friendlier name is only created when the Instance Tag "Name" is present
if [ -n "$INSTANCENAME" ]; then
  update_record "$INSTANCENAME"
fi

logger start-up-names.sh Ended

Edit the script and adapt the variables from the "*** Configure these values with your settings ***" section with your parameters.

Test it:

# ./start-up-names.sh

(text output)

# tail /var/log/messages

Nov 11 23:30:57 ip-10-29-30-48 ec2-user: start-up-name.sh Started
Nov 11 23:30:59 ip-10-29-30-48 ec2-user: i-87eef4e1 54.242.191.68 ns-1146.awsdns-15.org. webserver1
Nov 11 23:30:59 ip-10-29-30-48 ec2-user: Hostname from InstanceName set to webserver1
Nov 11 23:31:00 ip-10-29-30-48 ec2-user: Entry i-87eef4e1.ec2.donatecpu.com sent to Route53
Nov 11 23:31:00 ip-10-29-30-48 ec2-user: Entry webserver1.ec2.donatecpu.com sent to Route53
Nov 11 23:31:00 ip-10-29-30-48 ec2-user: start-up-names.sh Ended

Reading /var/log/messages you should see something like this. First the script gathers the Instance ID and the Public IP from the instance metadata, then the IP currently configured in DNS ($CURRENTDNSIP, if any) using dig, and the Instance Tag Name using ec2-describe-instances. In the sample above the record did not exist yet, which is why $CURRENTDNSIP came back as "ns-1146.awsdns-15.org.": dig returned the zone's SOA in the authority section and a naive parse of its output picked that up. The Delete that uses it simply fails and the Create goes ahead, but it shows why the lookup must keep only values that actually look like an IPv4 address.

The first change to happen is the host name. If the Instance Tag Name is present it becomes the machine's host name; if not, the Instance ID plays this role. One way or the other we have a stable way to identify our servers: the Instance ID is unique and won't change over time.

Then we call the Route53 API using dnscurl.pl four times. In this API version there is no call to "overwrite" an existing DNS record, so we need to Delete it first and Create it afterwards (the later 2013-04-01 API version added an UPSERT action that does both in one change). The Delete call has to include the exact values the current entry has (quite silly if you ask me...), so the script needs the Public IP currently configured. Because the Delete must match what Route53 holds, not what a caching resolver remembers, asking one of the zone's own name servers (the ones listed in the GetHostedZone test above) is the reliable way to get it. We Delete using the old values and Create using the new ones: one pair of dnscurl executions for the Instance ID (which always exists) and another for the Instance Tag Name (if present).
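The parsing pitfall and the Delete-then-Create requirement are worth getting right, so here is an added example (my own, not part of the original script or of any AWS tooling) with three functions: one that extracts only A-record IPv4 addresses from dig output, one that builds a validated change body, and one that decides whether a CREATE, a DELETE+CREATE pair or nothing at all must be sent. The dig output used in the test is constructed after the names in this post; the XML namespace is the 2013-04-01 API version, which accepts CREATE and DELETE as well as UPSERT.

```shell
#!/bin/bash
# Added example, not part of the original start-up-names.sh: safer building blocks
# for the Delete-then-Create sequence. It fixes the parsing problem visible in the
# post's own log, where $CURRENTDNSIP came back as "ns-1146.awsdns-15.org." because
# dig returned an SOA (authority section) and not an A record.

# Print the IPv4 addresses found in dig(1) output for an A query, one per line.
# Comments, SOA/NS/CNAME lines and anything that is not a dotted quad are ignored.
a_records_from_dig() {
  awk '$1 !~ /^;/ && $4 == "A" { print $5 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Build the ChangeResourceRecordSets body for one A record.
#   rrset_change_xml ACTION NAME TTL IPV4     (ACTION: CREATE, DELETE or UPSERT)
# Name and value are validated before being interpolated into the XML, so a tag
# value or a resolver answer can never inject markup into the request.
# UPSERT needs the 2013-04-01 API version, which is the namespace used here;
# CREATE and DELETE work with it as well.
rrset_change_xml() {
  local action="$1" name="$2" ttl="$3" ip="$4"
  case "$action" in
    CREATE|DELETE|UPSERT) ;;
    *) echo "bad action: $action" >&2; return 1 ;;
  esac
  printf '%s' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' \
    || { echo "bad record name: $name" >&2; return 1; }
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "bad IPv4 address: $ip" >&2; return 1; }
  printf '<?xml version="1.0" encoding="UTF-8"?>'
  printf '<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">'
  printf '<ChangeBatch><Changes><Change><Action>%s</Action>' "$action"
  printf '<ResourceRecordSet><Name>%s.</Name><Type>A</Type><TTL>%s</TTL>' "$name" "$ttl"
  printf '<ResourceRecords><ResourceRecord><Value>%s</Value></ResourceRecord></ResourceRecords>' "$ip"
  printf '</ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>\n'
}

# Decide what to send so that NAME ends up pointing at NEWIP, reading the output of
# "dig NAME A" on stdin. Prints one request body per line:
#   no current record      -> CREATE
#   record already correct -> nothing
#   record differs         -> DELETE (exact old value and TTL) then CREATE
plan_changes() {
  local name="$1" ttl="$2" newip="$3" cur
  cur="$(a_records_from_dig | head -n 1)"
  if [ -z "$cur" ]; then
    rrset_change_xml CREATE "$name" "$ttl" "$newip"
  elif [ "$cur" = "$newip" ]; then
    return 0
  else
    rrset_change_xml DELETE "$name" "$ttl" "$cur"
    rrset_change_xml CREATE "$name" "$ttl" "$newip"
  fi
}

# How it plugs into the start-up script (ZONENS is one of the zone's own name servers,
# so the answer is what Route53 holds rather than what a caching resolver remembers):
#   dig @"$ZONENS" "$INSTANCEID.$DOMAIN" A \
#     | plan_changes "$INSTANCEID.$DOMAIN" 600 "$PUBLICIP" \
#     | while read -r body; do
#         /root/bin/dnscurl.pl --keyfile "$AWSSECRETS" --keyname "$KEYNAME" -- \
#           -H "Content-Type: text/xml; charset=UTF-8" -X POST \
#           "https://route53.amazonaws.com/2013-04-01/hostedzone/$HOSTEDZONEID/rrset" -d "$body"
#       done
```

Two design points: the DELETE body is built from the value the name server actually returned, never from a guess, so it matches what Route53 holds; and because both the tag value and the resolver answer end up inside XML that is sent with admin-like credentials, neither is interpolated until it has passed a strict shape check.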

Two entries should have been automatically created in your Hosted Zone and be visible in the Route53 console for our instance:

aws-route-53-dns-record-set

Those entries are ready to use: you can now forget the Instance ID or its volatile Public IP and just ping or ssh to the name. Example: webserver1.ec2.donatecpu.com.


Auto Start
The main purpose is to keep our servers' IPs automatically updated in our DNS, so the script has to run every time the machine starts. Once we've verified that it works fine, it is time to edit /etc/rc.local and add the full path of start-up-names.sh to it:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/root/bin/start-up-names.sh

And that is it. I suggest you manually stop and start your instance and verify that its newly assigned Public IP is updated in the DNS. All AMIs you generate from this instance will include this configuration, and therefore the instances launched from them will keep their DNS names up to date. Cool!

Note: When playing with changes in DNS records their TTL value matters. In this exercise we've used 600 seconds, so a change could take up to 10 minutes to be visible on your network if your DNS server has cached the old value.