Teri Radichel


Updating the NS Records for a Subdomain on AWS with the AWS CLI

ACM.244 Adding NS records to the primary domain in Route 53 for a subdomain used in a separate account

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Application Security | AWS Security | DNS

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I showed you how to automate updating the name servers for a domain you registered through Route 53 domains.

In this post, I’m going to show you how to automate setting up the NS records for a subdomain — in my example: dev.rainierrhododendrons.com. We’re going to use the AWS CLI in this post. I’ll use CloudFormation in a later post.

Different types of DNS records

First of all, there are a lot of different kinds of DNS records you can create for different purposes. Here are some examples:

NS — name server record that delegates a domain or subdomain to the name servers that are authoritative for it. Resolvers follow NS records to find out which servers to ask for the domain's other records. This is what we are going to add to the primary domain.

A — address record that maps a domain name to an IPv4 address.

AAAA — address record that maps a domain name to an IPv6 address.

TXT — text records hold arbitrary strings, often name=value pairs, and have many use cases such as domain ownership verification and mail authentication policies. We’ll use some TXT records later in our setup.

CNAME — points one name to another name. For example, we want to point www.rainierrhododendrons.com to rainierrhododendrons.com. A CNAME can only exist when there are no other records on the same name, which is why it cannot be used at the zone apex.

ALIAS — a Route 53-specific record that behaves like a CNAME but can coexist with other records and can be used at the zone apex. It points to AWS resources such as a CloudFront distribution, load balancer or S3 website endpoint, or to another record in the same hosted zone.

URL — redirects to another URL with an HTTP 301 status code. This is not a standard DNS record type: some DNS providers offer it as a hosted redirect service, and Route 53 does not support it.

These are just some examples of the record types you can create in what is known as a DNS zone. We used some of them when setting up DNSSEC in prior posts to add additional security for our domain names:

Adding DNS records with the AWS CLI

Now I haven’t created the hosted zone for the primary domain for this site in CloudFormation yet (it was created a long time ago!) so I’m going to initially create the new NS records for the subdomain with the AWS CLI. I’ll fix the primary domain set up when I migrate it to a new account.

Unfortunately updating domain name records with the AWS CLI is kind of messy. Let’s sort this out.

After perusing the AWS documentation for adding new records, the easiest route seems to be a change batch file that contains the new records, passed to change-resource-record-sets. The question I had is this: if I add the new records, will it affect the existing records? That would be a problem.

The CREATE action below adds a record set and fails if a record set with the same name and type already exists; it does not touch the other record sets in the zone (UPSERT creates or replaces a record set, DELETE removes one). However, just in case something goes wrong, I’m going to make a backup of the primary domain hosted zone information first.

You can see an example below where we would specify:

Action: CREATE
Name: dev.rainierrhododendrons.com (the subdomain the NS records are for)
Type: NS
ResourceRecords: the name server values (need to check the format for NS records)

ResourceRecords is a list, but the documentation page for the command doesn't make the format of each element obvious.

If we click over to supported DNS types this information appears, but it’s still not really clear what the AWS CLI is expecting. It says to use ns-1.example.com for “the Route 53 API”. The AWS CLI is a thin wrapper around that same API, so the same value format applies; what is not yet clear is how several values are passed.

I’m going to start by presuming it’s just a comma-separated list of strings. Let’s try it.

I started by writing a script that creates the file, then checked that I got the format right like this.

I called the script like this:

./cli_ns_record_update.sh "dev.rainierrhododendrons.com" "ns1.example.com,ns2.example.com"

Notice at the end it uses cat to display the contents of the file. I can check the format of the contents to make sure it is OK:

Next I want to run the script with the AWS CLI command, but I need to add a CLI profile that has permission to update the hosted zone. These domains are in a temporary place, so I manually added a user with no AWS console access and only permission to update hosted zones in that account. Then, as before, I created a role that requires MFA to assume, and set up a CLI profile for role assumption with MFA.

I’ve explained all that in many prior posts, so I’m not repeating it here:

Now that my AWS CLI profile is in place, I’m going to go ahead and add the command to update the hosted zone. But remember I backed up the existing records first in case anything goes wrong.

Besides list and read permissions (minus the VPC permission, which would have required some extra EC2 VPC permissions), I added these write actions:

I also changed the resource to all (*) since this is the CLI profile I’ll use if I need to update any of the hosted zones in this particular account. You could and should be more specific if different people manage different domains: scope the resource to the ARNs of the hosted zones each person may change.
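As an added example of that tighter scoping (this is not the policy from the post, whose statements are not reproduced here), the function below generates a policy for a CLI profile that may only manage one subdomain's NS delegation in one hosted zone. The zone ID, subdomain and function name are placeholders. It relies on the route53:ChangeResourceRecordSetsNormalizedRecordNames, RecordTypes and Actions condition keys, which Route 53 evaluates against the contents of the change batch, so a caller with this policy cannot create, change or delete any other record in the zone.

```bash
#!/usr/bin/env bash
# Added example, not the post's IAM policy: generate a least-privilege policy
# for a CLI profile that may only manage one subdomain's NS delegation in one
# hosted zone. The zone ID, subdomain and function name are placeholders.
# $1 = hosted zone ID of the parent domain, $2 = subdomain
zone_delegation_policy() {
  zone_id="$1"
  # the NormalizedRecordNames key compares lowercase names without a trailing dot
  sub=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindZones",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName"],
      "Resource": "*"
    },
    {
      "Sid": "ReadZoneAndChangeStatus",
      "Effect": "Allow",
      "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:GetChange"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}", "arn:aws:route53:::change/*"]
    },
    {
      "Sid": "DelegateOneSubdomainOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["${sub}"],
          "route53:ChangeResourceRecordSetsRecordTypes": ["NS"],
          "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"]
        }
      }
    }
  ]
}
EOF
}

# Usage (placeholders):
#   zone_delegation_policy Z0123456789ABCDEF dev.example.com > policy.json
#   aws iam create-policy --policy-name dev-delegation --policy-document file://policy.json
```

The List* actions have to stay on Resource "*" because Route 53 does not support resource-level permissions for them; everything that can be scoped to the zone is. GetChange is what `aws route53 wait resource-record-sets-changed` calls to poll the change status.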

I created and tested the CLI Profile.

Next I added three functions to make things a bit easier in /DNS/stacks/dns_functions.sh.

Get a hosted zone ID from a domain name:

Get the NS records in the format required to update the domain registration, as we did in the last post:

A function to return a comma-separated list of NS records for a domain:
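The helpers below are an added example, not the post's own dns_functions.sh: they implement the three lookups just described plus a zone export for the backup taken before changing anything. The aws commands are real CLI calls; the profile names and domains are placeholders. Each lookup is split into the aws call and a pure formatting step, so the formatting can be exercised without credentials.

```bash
#!/usr/bin/env bash
# Added example, not the post's dns_functions.sh. Profiles and domains are placeholders.

# list-hosted-zones-by-name returns Ids as "/hostedzone/Z...": keep only the ID.
zone_id_from_path() { printf '%s\n' "${1#/hostedzone/}"; }

# Hosted zone ID for a domain. The query matches the exact zone name (Route 53
# stores it with a trailing dot) so "example.com" does not match "dev.example.com".
# $1 = domain, $2 = CLI profile
get_hosted_zone_id() {
  path=$(aws route53 list-hosted-zones-by-name --dns-name "$1" --profile "$2" \
    --query "HostedZones[?Name=='$1.'].Id | [0]" --output text)
  if [ -z "$path" ] || [ "$path" = "None" ]; then
    echo "no hosted zone named $1 in profile $2" >&2; return 1
  fi
  zone_id_from_path "$path"
}

# The zone's own NS values (its delegation set), one per line.
# $1 = domain, $2 = hosted zone ID, $3 = CLI profile
get_ns_values() {
  aws route53 list-resource-record-sets --hosted-zone-id "$2" --profile "$3" \
    --query "ResourceRecordSets[?Type=='NS' && Name=='$1.'].ResourceRecords[].Value" \
    --output text | tr '\t' '\n'
}

# One name server per line -> comma-separated list without trailing dots, the
# form the NS record script in this post takes on its command line.
ns_to_csv() { sed 's/\.$//' | tr '\n' ',' | sed 's/,$//'; }

# One name server per line -> the shorthand list that
#   aws route53domains update-domain-nameservers --domain-name X --nameservers ...
# expects (Name=ns1 Name=ns2 ...), as used for the registration update.
ns_to_registrar_args() { sed 's/\.$//; s/^/Name=/' | tr '\n' ' ' | sed 's/ $//'; }

# Export every record set in a zone to a JSON file before changing anything.
# $1 = hosted zone ID, $2 = CLI profile, $3 = output file
export_zone() {
  aws route53 list-resource-record-sets --hosted-zone-id "$1" --profile "$2" \
    --output json > "$3"
}

# Example session (needs credentials; names are placeholders):
#   zid=$(get_hosted_zone_id dev.example.com web_admin)
#   export_zone "$zid" web_admin "dev.example.com.$(date +%Y%m%d).json"
#   get_ns_values dev.example.com "$zid" web_admin | ns_to_csv
#   get_ns_values dev.example.com "$zid" web_admin | ns_to_registrar_args
```

The export is the "undo": list-resource-record-sets is paginated by the API, but the CLI follows the pages for you when the output is JSON, so the file holds the whole zone.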

To test this out I temporarily added this to the bottom of my script functions file and executed it as a script:

I get the expected results:

OK, now we can add that to our temporary AWS CLI script to get the NS records, pass them into the command that updates the hosted zone, and see if it works.

First let’s just see what the file looks like:

This is what my file looks like that I want to use with the AWS CLI command above to add a new NS record. I fixed one typo — are there more? Let’s find out…

Now, I told you I wanted to back up the domain records before proceeding. I decided to create a function to export the zone’s record sets, and got a little help from this page:

That allowed me to save a copy of the records prior to updating.

I ran it like this:

Finally, back to our command above. Let’s create a function to add NS records for a subdomain to a primary domain’s hosted zone. First I tested the above code in a function like this, using the web admin profile to get the hosted zone for the subdomain and the zone_admin CLI profile to get the hosted zone for the primary domain.

This gave me the expected results:

So I added the call to update the hosted zone and fixed a couple of typos to get this.

Got this error:

Error parsing parameter '--change-batch': Invalid JSON: Expecting property name enclosed in double quotes: line 2 column 2 (char 3)

Hmm. Oh, interesting. JSON requires the property names, not just the values, to be enclosed in double quotes.

Next error:

Error parsing parameter '--change-batch': Invalid JSON: Expecting ',' delimiter: line 13 column 1 (char 273)

Scrutinizing the examples, it seems I am missing a few things:

But even with that I still get an error:

Error parsing parameter '--change-batch': Invalid JSON: Expecting ',' delimiter: line 13 column 1 (char 286)

I’m guessing I need a separate Value entry for each name server rather than one comma-separated string, since ResourceRecords is a list of objects. Let’s try this instead:

Which produces this:

Once again I’m making use of sed quite a bit here.

After spending way too long sorting out opening and closing curly braces in all the right positions, I got another typo error and then this:

Invalid type for parameter ChangeBatch.Changes[0].ResourceRecordSet.TTL, value: 3600, type: <class 'str'>, valid types: <class 'int'>

So I had to remove the quotes from the TTL value: it is an integer in the API, not a string.
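Putting the three parse errors together with the change batch sketched earlier, here is an added example (not the author's script) that builds the batch in the form the CLI actually accepts, checks it offline, backs up the parent zone and submits the change. The function names, the zone_admin profile and the domains are placeholders.

```bash
#!/usr/bin/env bash
# Added example for this post, not the author's script: build the change batch
# for a subdomain's NS records in the form the AWS CLI accepts and submit it.
# Function names, the zone_admin profile and the domains are placeholders.
set -eu

# Build the ChangeBatch JSON. Each point below matches one of the parse errors
# the CLI gave in the post:
#   - property names are double-quoted (it is JSON, not YAML or CLI shorthand);
#   - ResourceRecords is a list of objects, one {"Value": ...} per name server,
#     not one comma-separated string;
#   - TTL is a bare integer, not a quoted string.
# CREATE fails if a record set with this name and type already exists and does
# not touch any other record set in the zone; UPSERT would create or replace it.
# $1 = subdomain, $2 = comma-separated name servers, $3 = action, $4 = TTL
build_ns_change_batch() {
  sub=$(printf '%s' "$1" | sed 's/\.$//'); ns_csv="$2"
  action="${3:-CREATE}"; ttl="${4:-3600}"
  case "$action" in CREATE|UPSERT|DELETE) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  case "$ttl" in ''|*[!0-9]*) echo "TTL must be an integer: $ttl" >&2; return 1 ;; esac
  values=""
  IFS=','
  for ns in $ns_csv; do
    # trim whitespace and a trailing dot; skip empty fields from stray commas
    ns=$(printf '%s' "$ns" | tr -d '[:space:]' | sed 's/\.$//')
    [ -n "$ns" ] || continue
    values="${values:+$values,}{\"Value\":\"$ns\"}"
  done
  unset IFS
  [ -n "$values" ] || { echo "no name servers given" >&2; return 1; }
  printf '{"Comment":"NS delegation for %s","Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s.","Type":"NS","TTL":%s,"ResourceRecords":[%s]}}]}' \
    "$sub" "$action" "$sub" "$ttl" "$values"
}

# Offline syntax check of the batch (skipped if python3 is not installed).
check_json() {
  command -v python3 >/dev/null 2>&1 || return 0
  printf '%s' "$1" | python3 -m json.tool >/dev/null
}

# Back up the parent zone's record sets, submit the change and wait until it
# is INSYNC. $1 = parent hosted zone ID, $2 = change batch JSON, $3 = CLI profile
add_subdomain_ns() {
  zone_id="$1"; batch="$2"; profile="$3"
  aws route53 list-resource-record-sets --hosted-zone-id "$zone_id" --profile "$profile" \
    --output json > "backup-$zone_id-$(date +%Y%m%dT%H%M%S).json"
  change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$batch" --profile "$profile" --query 'ChangeInfo.Id' --output text)
  aws route53 wait resource-record-sets-changed --id "$change_id" --profile "$profile"
  echo "change $change_id is INSYNC"
}

# Usage: ./add_subdomain_ns.sh <parent zone id> <subdomain> <ns1,ns2,...> [profile]
# With no arguments the script only defines the functions, so it can be sourced.
if [ "$#" -ge 3 ]; then
  batch=$(build_ns_change_batch "$2" "$3")
  check_json "$batch"
  add_subdomain_ns "$1" "$batch" "${4:-zone_admin}"
fi
```

Passing the JSON string directly to --change-batch avoids the temporary file and the sed juggling, and the integer check on TTL catches the quoted value before the CLI does. If the subdomain's delegation ever changes, rerun with UPSERT rather than CREATE, which would fail because the NS record set already exists.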

FINALLY.

After all that I got my DNS records set up.

I don’t see how anyone could not prefer CloudFormation after going through all that. I think you will find it is easier. I’ll cover that later for other types of records. For now, we have NS records for a subdomain on our primary domain. I can insert this function temporarily into my script for a static website, but it’s not the long-term solution.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab