Moving DNS to Amazon Route 53, Dynamic Updates
In my previous post, I set up OpenVPN on my home network and everything was awesome. Until this morning: I could not connect to my VPN. I had forgotten to set up some kind of dynamic DNS updater for it. That should be easy enough, I had previously done this using DynDNS. Only problem was that the service is no longer free. This shouldn’t be too much of a problem as I have a couple of my own domains - yes, I will one day still get round to finishing my pet project ‘Tinkle Tones’ ;)
My domains are split between a couple of different registrars using various tools to manage the DNS updating. Almost none of them had any kind of API for updating the DNS and I really don’t want to create a hack by doing screen scraping and form posting. I decided to use Route 53 from Amazon to allow easy scripting of all my DNS needs. The last time I played with the service was in 2011 while doing some infrastructure automation / setup for 22seven. Quite a lot has changed in terms of features / the interface and I was pleasantly surprised to be able to register domains as well. The prices seemed on par with my registrars’ fees; the variation was a couple of dollars, but I would pay that with a smile if it allowed easy management. My only gripe was the cost of transferring a domain: it looks to be the same as registering a new one. A couple of my domains have just renewed, so I am going to wait before moving them.
Creating a new domain is dead easy: click ‘Create Hosted Domain’, add the domain name, a comment if you want and hit ‘Create’. The resulting screen provides you with 4 name servers scattered across the world; I had a .co.uk, .com, .net and .org. The numbers make you realise just how many nameservers Amazon has - my largest one was 1815. After updating my NS records at my registrar and duplicating the existing records on Route 53, I was ready to go.
Something for my TODO list: create a script for the Google Apps MX records as I will use this for all my other domains - I am lucky enough to still have a couple of the free accounts.
I found this script by searching for ‘route 53 script update dns’. It looks to be what I need, but the https cert was invalid for a short amount of time. The solution was to add another parameter to the curl command, ‘-k’ - credit to this post. Note that ‘-k’ disables certificate verification entirely, so it is worth removing again once the certificate is valid; otherwise anyone who can intercept the request can feed the script a bogus IP address.
The script was a good start, but I wanted to externalize the sensitive parts to allow committing this to a public repository. This led to a merry chase to acquire answers to more questions - Aaron Patterson spoke about The joy of programming at RubyFuza recently. Moving along swiftly …
To interact with the AWS API, you will need to install the CLI tools. Quick notes copied from there to get pip installed:
cd /tmp
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
sudo python get-pip.py
pip --help
And then the CLI:
sudo pip install awscli
Before we can use the CLI, we will need credentials to interact with AWS. To generate these, open up your AWS console in the browser and go to the IAM users. Create a new user with the following security policy - copy the Hosted Zone ID from Route 53 and replace the value in the ARN below with yours. Keep in mind that the update script itself only needs route53:ChangeResourceRecordSets on that one zone; anything holding this key can rewrite every record in the zone, so grant nothing beyond that if you can avoid it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:CreateHostedZone",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/BJBK35SKMM9OE"
      ]
    }
  ]
}
After creating the user, you will be presented with an AWS access key and secret for this user - keep them safe somewhere, as you cannot retrieve them after this point.
To set up an AWS CLI profile, use the credentials provided in the previous step; the default region and output format can be left empty:
aws configure --profile dns-update-your-site
Finally, to test that your script is working, run it:
./update-route53.sh BJBK35SKMM9OE dns-update-your-site example.com 1
This should output the following:
Force update is set.
IP has changed to 10.0.0.1, updating ...
The final step is to add this to a cron job by running crontab -e and adding the line below (note that the trailing 1 has been removed so that the record is only updated when the IP has changed):
*/30 * * * * /home/will/scripts/update-route53.sh BJBK35SKMM9OE dns-update-your-site example.com
You should now have an updating DNS for your home connection that will update when your external IP changes by calling into Amazon’s Route 53 API.
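To show what such an updater actually does end to end, here is a constructed example script of my own (not the script linked above), assuming checkip.amazonaws.com for the external-IP lookup and a cache file under $HOME for the last-known address; it checks the lookup result before it touches DNS and only calls the API when the address has changed or the force flag is set:

```shell
#!/bin/sh
# Constructed example of a Route 53 dynamic DNS updater (assumptions:
# checkip.amazonaws.com for the external IP, a cache file in $HOME).
# Usage: update-route53.sh ZONE_ID PROFILE HOSTNAME [1 to force]
set -eu

IP_FILE="${IP_FILE:-$HOME/.route53-last-ip}"
TTL=300

# Accept only a plain dotted-quad so an unexpected HTTP response (an error
# page, for instance) never ends up in a DNS record.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Update when the force flag is "1" or when the address differs.
needs_update() {  # $1=old ip  $2=new ip  $3=force flag ("1" or "")
  [ "${3:-}" = "1" ] && return 0
  [ "$1" != "$2" ]
}

# Build the UPSERT change batch for the host's A record.
change_batch() {  # $1=hostname  $2=ip
  printf '{"Comment":"dynamic dns","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%d,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$TTL" "$2"
}

main() {
  zone="$1"; profile="$2"; host="$3"; force="${4:-}"
  # Certificate verification stays on: a spoofed answer here would redirect the hostname.
  new_ip="$(curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]')"
  is_ipv4 "$new_ip" || { echo "unexpected IP lookup result: $new_ip" >&2; exit 1; }
  old_ip="$(cat "$IP_FILE" 2>/dev/null || echo none)"
  if needs_update "$old_ip" "$new_ip" "$force"; then
    echo "IP has changed to $new_ip, updating ..."
    aws route53 change-resource-record-sets --profile "$profile" \
      --hosted-zone-id "$zone" --change-batch "$(change_batch "$host" "$new_ip")"
    printf '%s\n' "$new_ip" > "$IP_FILE"
  fi
}

# Only run when invoked with arguments, so the functions can be sourced.
if [ $# -ge 3 ]; then main "$@"; fi
```

The same cron line as above works unchanged with this script, since it takes the zone ID, profile name, hostname and optional force flag in the same order.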