Reverse DNS Zones With AWS Simple AD

Consider a fairly complex DNS design in the AWS cloud: native AWS Route 53, AWS Simple AD and a traditional BIND service running on EC2 instances, each covering different needs of the development and production environments for serving DNS requests and providing directory services.

All EC2 hosts in one of your production VPCs are pointed to Simple AD DNS servers that are your primary DNS servers for this VPC and associated subnets.

You need to configure reverse DNS lookups to be able to resolve PTR records by using the DNS service provided by the Simple AD. Additionally, you would like to manage PTR records using command line interface from one of the EC2 instances running Linux in the same VPC.

That's probably mind-boggling enough already if you don't work with DNS and Active Directory on a daily basis.

On top of that, there's a hard requirement:

You can't cheat your way out of this by using the friendly AWS Management Console to create and edit a Route 53 hosted zone.

So, how does one configure reverse DNS lookups with the Simple AD DNS service? You need an EC2 host running Linux that can talk to the Simple AD DNS servers, plus the tools to query and modify their configuration. Keep the directory's security group in mind while you plan this: the dns subcommand of samba-tool speaks the MS-DNSP management protocol over DCE/RPC, so the control host has to reach the directory on TCP 135 and the ephemeral RPC port range, not only on DNS (53) and Kerberos (88).

Repurpose or designate an existing, suitable EC2 instance as Simple AD control host. Alternatively, provision a dedicated EC2 instance.

To keep this discussion focused on managing DNS zones, we'll assume you opted for the latter and that you also have Simple AD already provisioned.

Once the new EC2 instance is up and running it needs to be configured.

Note: All commands and configuration examples were tested on Debian GNU/Linux 9.13 (stretch).

Set a hostname and configure /etc/hosts.

$ sudo hostnamectl set-hostname sadch
$ cat /etc/hosts
127.0.1.1 sadch.yourcompany.com sadch

Install ntpdate and sync the system clock against Simple AD. Kerberos rejects requests from a client whose clock is more than five minutes off the KDC's, so don't skip this step.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q sad.yourcompany.com
$ sudo ntpdate sad.yourcompany.com

Install samba-tool (packaged in samba-common-bin) and the Kerberos client tools.

$ sudo apt-get install krb5-config krb5-user samba-common-bin

On a Debian-based system a curses dialog will be presented to configure Kerberos realm. Enter SAD.YOURCOMPANY.COM (use upper case) for the default Kerberos realm.

If asked to provide Kerberos servers for the realm and administrative server for your Kerberos realm, enter sad.yourcompany.com (use lower case) as answers to both questions.

With Kerberos installed and configured, obtain and cache an initial ticket-granting ticket.

$ kinit Administrator
Password for Administrator@SAD.YOURCOMPANY.COM:

Here Administrator is the Simple AD administrator account. It is the directory's most privileged identity, so treat the control host accordingly: the ticket is cached in a file under /tmp that is readable by your login user, and kdestroy removes it when you are done.

Review results of the kinit command.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@SAD.YOURCOMPANY.COM
Valid starting  Expires Service principal
03/18/2021 02:48:09 03/19/2021 02:48:01 krbtgt/SAD.YOURCOMPANY.COM@SAD.YOURCOMPANY.COM

You're now all set up and ready to work with Simple AD DNS.
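The debconf dialog writes the answers above into /etc/krb5.conf. For a control host built without the dialog (an image build, for example) the following added example, which is not code from the original post, renders an equivalent file from the directory's DNS name and derives the upper-case realm the way the dialog asks for it. The only inputs are the sad.yourcompany.com names used on this page; the rdns = false setting is an addition of our own, explained in the comment.

```shell
#!/bin/sh
# Added example, not part of the original post: render a krb5.conf for a
# Simple AD realm without going through the debconf dialog.
# Assumption: the directory's DNS name (sad.yourcompany.com on this page)
# resolves to the domain controllers, so it doubles as kdc and admin_server.
set -eu

# render_krb5_conf DOMAIN
#   Prints a krb5.conf on stdout. The realm is DOMAIN in upper case; realm
#   names are case-sensitive in Kerberos, which is why the dialog insists on it.
render_krb5_conf() {
    domain=$1
    case "$domain" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "render_krb5_conf: '$domain' is not a valid DNS name" >&2
            return 1 ;;
    esac
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Do not build service principal names from PTR records. Reverse zones
    # are exactly what gets edited on this page; a wrong or attacker-controlled
    # PTR must not change which service principal the client asks for.
    rdns = false

[realms]
    $realm = {
        kdc = $domain
        admin_server = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Typical use on the control host (root is needed to write the file):
#   render_krb5_conf sad.yourcompany.com | sudo tee /etc/krb5.conf >/dev/null
```

The validation in the case statement is deliberately strict: the domain ends up unquoted inside the generated file, so anything that is not a plain DNS name is rejected rather than written out.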

To start, inspect the zones hosted by the Simple AD DNS servers. The first argument of every samba-tool dns subcommand is the server to talk to. Expect to be prompted for the Administrator password again: on the Samba version shipped with stretch, samba-tool only uses the ticket you cached with kinit when you pass it -k yes.

$ samba-tool dns zonelist sad.yourcompany.com
Password for [Administrator@SAD.YOURCOMPANY.COM]:
3 zone(s) found
pszZoneName  : sad.yourcompany.com
Flags  : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version  : 50
dwDpFlags  : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
pszDpFqdn  : DomainDnsZones.sad.yourcompany.com
pszZoneName  : 0.20.in-addr.arpa
Flags  : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version  : 50
dwDpFlags  : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
pszDpFqdn  : DomainDnsZones.sad.yourcompany.com
pszZoneName  : _msdcs.sad.yourcompany.com
Flags  : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE 
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version  : 50
dwDpFlags  : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED 
pszDpFqdn  : ForestDnsZones.sad.yourcompany.com

In this zonelist output we can see that the reverse lookup zone 0.20.in-addr.arpa is hosted by the Simple AD DNS servers, alongside the forward zone and its _msdcs subzone. The flags tell you how each zone is protected: DNS_RPC_ZONE_DSINTEGRATED means the records are stored in the directory itself, and DNS_RPC_ZONE_UPDATE_SECURE means only authenticated dynamic updates are accepted, so an unauthenticated update attempt from a host in the VPC is refused. The changes samba-tool makes go through the authenticated management RPC interface instead.

By default Simple AD forwards any query it cannot answer from the zones it hosts to the Amazon-provided DNS server for your VPC.

The Amazon-provided DNS server sits at the base of the VPC's IPv4 CIDR block plus two (the VPC's range, not the subnet's). For example, if your VPC's CIDR block is 20.0.0.0/16, the range behind the 0.20.in-addr.arpa zone above, the resolver is at 20.0.0.2. It is also reachable at 169.254.169.253 from any subnet in the VPC.

Your Simple AD DNS IP addresses can be found in the DHCP options set attached to your VPC, in the directory's details in the Directory Service console, or by running the following command from the control host. This command returns the contents of the sad.yourcompany.com zone.

$ samba-tool dns query sad.yourcompany.com sad.yourcompany.com @ ALL
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Name=, Records=4, Children=0
SOA: serial=14, refresh=900, retry=600, expire=86400, minttl=3600, ns=aws-d6b6cbbea6.sad.yourcompany.com., email=hostmaster.sad.yourcompany.com. (flags=600000f0, serial=14, ttl=3600)
NS: aws-d6b6cbbea6.sad.yourcompany.com. (flags=600000f0, serial=110, ttl=900)
A: 20.0.140.45 (flags=600000f0, serial=110, ttl=900)
A: 20.0.15.59 (flags=600000f0, serial=14, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=1
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=aws-30c24aad3c, Records=1, Children=0
A: 20.0.15.59 (flags=f0, serial=13, ttl=900)
Name=aws-d6b6cbbea6, Records=1, Children=0
A: 20.0.140.45 (flags=f0, serial=7, ttl=900)
Name=aws-d6b6cbbea6 
CNF:e3c7611e-509f-4030-8751-ad8567d59928, Records=1, Children=0
A: 20.0.140.45 (flags=f0, serial=7, ttl=900)
Name=DomainDnsZones, Records=0, Children=2
Name=EC2AMAZ-C5RBOM0, Records=1, Children=0
A: 20.0.7.86 (flags=f0, serial=110, ttl=1200)
Name=ForestDnsZones, Records=0, Children=2

Here the apex of sad.yourcompany.com carries an NS record and two A records, 20.0.140.45 and 20.0.15.59: those are the two domain controllers, and therefore the two DNS server addresses your DHCP options set hands out. The entry whose name continues on the next line with CNF:e3c7611e-... is an Active Directory replication-conflict object. When two controllers created the same record independently, the directory renamed one copy by appending a line feed and CNF: followed by the object's GUID, which is why the name prints across two lines. It is harmless here, but it is a sign that the record was written on both controllers at once.

Now, if we add a PTR record for the Simple AD control host, any EC2 host in this production VPC will be able to resolve it. The record name is relative to the zone and the octets are reversed: 20.0.15.117 inside 0.20.in-addr.arpa becomes 117.15.

$ samba-tool dns add sad.yourcompany.com 0.20.in-addr.arpa 117.15 PTR sadch.yourcompany.com

By running the following dig command from any EC2 host that is pointed to Simple AD DNS servers we can confirm that reverse lookups work correctly.

$ dig -x 20.0.15.117
; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> -x 20.0.15.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12449
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;117.15.0.20.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.15.0.20.in-addr.arpa. 900  IN PTR  sadch.yourcompany.com.
;; AUTHORITY SECTION:
0.20.in-addr.arpa. 3600 IN SOA  aws-d2b1cbbea6.sad.yourcompany.com. hostmaster.sad.yourcompany.com. 109 900 600 86400 3600
;; Query time: 1 msec
;; SERVER: 20.0.140.45#53(20.0.140.45)
;; WHEN: Thu Mar 18 10:20:22 UTC 2021
;; MSG SIZE rcvd: 141

However, in this particular setup the A record for sadch.yourcompany.com does not exist in any zone hosted by Simple AD DNS. A request to resolve that name to an IP address is therefore forwarded to the Amazon-provided DNS (Route 53) and answered there, not by Simple AD's own data, even though the dig output may lead you to believe otherwise.

$ dig sadch.yourcompany.com
; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> sadch.yourcompany.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16482
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sadch.yourcompany.com. IN A
;; ANSWER SECTION:
sadch.yourcompany.com.  60 IN A  20.0.15.117
;; Query time: 3 msec
;; SERVER: 20.0.140.45#53(20.0.140.45)
;; WHEN: Thu Mar 18 10:29:24 UTC 2021
;; MSG SIZE rcvd: 65

Note "SERVER: 20.0.140.45#53(20.0.140.45)". That line only tells us which resolver we asked, not where the data lives: the Simple AD server forwarded the query and relayed Route 53's answer. The giveaway is in the header flags. The PTR answer earlier carried aa (authoritative answer); this one shows only qr rd ra ad, so the server that answered is not authoritative for the name.

This is crucial to understand if you want to use both AWS Route 53 and Simple AD DNS in your environment. Route 53 is not a backup that steps in when Simple AD "fails": Simple AD forwards every query for a name outside the zones it hosts, and answers from its own data for names inside them, including a negative answer (NXDOMAIN) when the record simply isn't there.

You can lean on this default and keep a reverse lookup zone as a Route 53 private hosted zone. If the reverse zone exists only in Route 53, Simple AD forwards the PTR query there. If the same zone also exists in Simple AD, as 0.20.in-addr.arpa does in this example, Simple AD answers from its own copy and Route 53 is never consulted for that zone. The query below is sent to the Amazon-provided resolver directly, bypassing Simple AD altogether.

$ dig @20.0.0.2 -x 20.0.15.117
; <<>> DiG 9.10.3-P4-Debian <<>> @20.0.0.2 -x 20.0.15.117
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14010
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;117.15.0.20.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.15.0.20.in-addr.arpa. 4  IN PTR  sadch.yourcompany.com.
;; Query time: 0 msec
;; SERVER: 20.0.0.2#53(20.0.0.2)
;; WHEN: Thu Mar 18 01:31:08 EST 2021
;; MSG SIZE rcvd: 87

Note "SERVER: 20.0.0.2#53(20.0.0.2)", which tells us that the Amazon-provided DNS (Route 53) performed the reverse lookup itself. This doesn't happen automagically: a private hosted zone for 0.20.in-addr.arpa has to exist in Route 53, be associated with this VPC and contain the relevant PTR record.
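The two dig runs above differ in one header flag, and that flag, not the SERVER: line, is what tells you whether the answer came from the server's own zone data. The following added example, not code from the original post, reads dig output and classifies the answer; the sample texts inside it are trimmed copies of the page's own dig output, and the check_rdns wrapper that runs dig for real is an assumption about how you would use it on a host that can see the zone.

```shell
#!/bin/sh
# Added example, not part of the original post: decide from dig's own output
# whether the resolver you asked answered from data it is authoritative for
# (the "aa" header flag) or relayed somebody else's answer. The "SERVER:" line
# never tells you that; it only names the resolver you sent the query to.
set -eu

# dig_flags < dig-output -> the space-separated flag list from the ";; flags:" line
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*$/\1/p' | sed -n 1p
}

# dig_server < dig-output -> the address dig sent the query to
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*$/\1/p' | sed -n 1p
}

# answer_origin < dig-output
#   Prints "<server> authoritative" when the answering server set aa, and
#   "<server> relayed" when it did not (forwarded, or served from its cache).
answer_origin() {
    input=$(cat)
    flags=$(printf '%s\n' "$input" | dig_flags)
    server=$(printf '%s\n' "$input" | dig_server)
    case " $flags " in
        *" aa "*) printf '%s authoritative\n' "$server" ;;
        *)        printf '%s relayed\n' "$server" ;;
    esac
}

# check_rdns IPv4 [RESOLVER] -> runs dig for real and classifies the answer.
# Assumed usage on a VPC host; it is not exercised in the stand-alone run below.
check_rdns() {
    dig ${2:+"@$2"} -x "$1" | answer_origin
}

# Constructed samples, shortened from the two dig runs on this page.
PTR_FROM_SIMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12449
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 20.0.140.45#53(20.0.140.45)'
A_VIA_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16482
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 20.0.140.45#53(20.0.140.45)'

printf '%s\n' "$PTR_FROM_SIMPLE_AD" | answer_origin   # 20.0.140.45 authoritative
printf '%s\n' "$A_VIA_FORWARDER" | answer_origin      # 20.0.140.45 relayed
```

A "relayed" result against a Simple AD address means the name is not in any zone the directory hosts; if you expected the directory to own that reverse zone, that is the first thing to check with samba-tool dns zonelist.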

Now, let's step back for a moment and assume that you would like to configure and manage a reverse lookup zone controlled by a Simple AD DNS service.

We already know how to list and examine zones.

To create a new zone run:

$ samba-tool dns zonecreate sad.yourcompany.com 168.172.in-addr.arpa
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Zone 168.172.in-addr.arpa created successfully

To add a new PTR record to the 0.20.in-addr.arpa reverse lookup zone from earlier examples:

$ samba-tool dns add sad.yourcompany.com 0.20.in-addr.arpa 117.15 PTR sadch.yourcompany.com
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Record added successfully

To examine a single record:

$ samba-tool dns query sad.yourcompany.com 0.20.in-addr.arpa 117.15 ALL
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Name=, Records=1, Children=0
PTR: sadch.yourcompany.com (flags=f0, serial=110, ttl=900)

To show all records in a reverse lookup zone:

$ samba-tool dns query sad.yourcompany.com 0.20.in-addr.arpa @ ALL
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Name=, Records=2, Children=0
SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=aws-d6b6cbbea6.sad.yourcompany.com., email=hostmaster.sad.yourcompany.com. (flags=600000f0, serial=110, ttl=3600)
NS: aws-d6b6cbbea6.sad.yourcompany.com. (flags=600000f0, serial=1, ttl=3600)
Name=0, Records=0, Children=34
Name=112, Records=0, Children=1
Name=128, Records=0, Children=22
Name=140, Records=0, Children=1
Name=15, Records=0, Children=2
Name=176, Records=0, Children=3
Name=48, Records=0, Children=4
Name=64, Records=0, Children=24

To show a subset of records:

$ samba-tool dns query sad.yourcompany.com 0.20.in-addr.arpa 15 ALL
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Name=, Records=0, Children=0
Name=117, Records=1, Children=0
PTR: sadch.yourcompany.com (flags=f0, serial=110, ttl=900)
Name=59, Records=1, Children=0
PTR: AWS-30C24AAD3C.SAD.YOURCOMPANY.COM (flags=f0, serial=9, ttl=900)

To delete a record:

$ samba-tool dns delete sad.yourcompany.com 0.20.in-addr.arpa 117.15 PTR sadch.yourcompany.com
Password for [Administrator@SAD.YOURCOMPANY.COM]:
Record deleted successfully
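Getting the zone-relative name right is the part of these commands people trip over (117.15 for 20.0.15.117, as noted when the PTR record was first added above), and a typo there silently lands the record in the wrong place or outside the zone. The following added example, which is not code from the original post, computes that name for any zone cut, refuses addresses that do not fall inside the zone, and prints the matching add, query and delete commands from the reference above. The directory name defaults to sad.yourcompany.com from this page; everything else is an assumption you can override.

```shell
#!/bin/sh
# Added example, not part of the original post: turn a dotted-quad address
# into the zone-relative name samba-tool expects ("117.15" for 20.0.15.117 in
# 0.20.in-addr.arpa), refuse addresses outside the zone, and emit the matching
# samba-tool dns add/query/delete commands.
# DNS_SERVER defaults to the directory name used on this page; override it in
# the environment for another directory.
set -eu
DNS_SERVER=${DNS_SERVER:-sad.yourcompany.com}

# reverse_name IPv4 -> full in-addr.arpa name, or non-zero for a malformed address
reverse_name() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*.*.*.*.*|*..*) return 1 ;;   # bad characters, too many or empty octets
        *.*.*.*) ;;                             # exactly three dots
        *) return 1 ;;
    esac
    IFS=. read -r a b c d <<EOF
$ip
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1   # empty octet or out of range
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$d" "$c" "$b" "$a"
}

# relative_name IPv4 ZONE -> the part of the reverse name that lies inside ZONE.
# Works for any zone cut (/8, /16, /24): the zone's labels are stripped off the
# right-hand end of the full reverse name, and an address whose reverse name
# does not end in the zone is rejected instead of being mangled.
relative_name() {
    full=$(reverse_name "$1") || { echo "relative_name: bad address '$1'" >&2; return 1; }
    zone=$2
    case "$full" in
        *".$zone") printf '%s\n' "${full%.$zone}" ;;
        *) echo "relative_name: $1 is not inside $zone" >&2; return 1 ;;
    esac
}

# ptr_commands IPv4 FQDN ZONE -> prints the samba-tool invocations for that PTR
# record. Review them, or pipe the output to sh to run them.
ptr_commands() {
    rel=$(relative_name "$1" "$3") || return 1
    printf 'samba-tool dns add %s %s %s PTR %s\n'    "$DNS_SERVER" "$3" "$rel" "$2"
    printf 'samba-tool dns query %s %s %s PTR\n'     "$DNS_SERVER" "$3" "$rel"
    printf 'samba-tool dns delete %s %s %s PTR %s\n' "$DNS_SERVER" "$3" "$rel" "$2"
}

# The page's own case: the control host at 20.0.15.117 in 0.20.in-addr.arpa
ptr_commands 20.0.15.117 sadch.yourcompany.com 0.20.in-addr.arpa
```

Because the helper only prints commands, it is safe to run anywhere; the samba-tool calls it emits still authenticate with your cached ticket or prompt for the Administrator password exactly as shown above.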


To learn more about your Simple AD server run:

$ samba-tool dns serverinfo sad.yourcompany.com
Password for [Administrator@SAD.YOURCOMPANY.COM]:
dwVersion  : 0xece0205
fBootMethod  : DNS_BOOT_METHOD_DIRECTORY
fAdminConfigured : FALSE
fAllowUpdate : TRUE
fDsAvailable : TRUE
pszServerName  : AWS-30C24AAD3C.sad.yourcompany.com
pszDsContainer : CN=MicrosoftDNS,DC=DomainDnsZones,DC=sad,DC=yourcompany,DC=com
aipServerAddrs : ['127.0.0.1', '20.0.15.59']
aipListenAddrs : ['127.0.0.1', '20.0.15.59']
aipForwarders  : []
dwLogLevel : 0
dwDebugLevel : 0
dwForwardTimeout : 3
dwRpcPrototol  : 0x5
dwNameCheckFlag  : DNS_ALLOW_MULTIBYTE_NAMES
cAddressAnswerLimit  : 0
dwRecursionRetry : 3
dwRecursionTimeout : 8
dwMaxCacheTtl  : 86400
dwDsPollingInterval  : 180
dwScavengingInterval : 0
dwDefaultRefreshInterval : 168
dwDefaultNoRefreshInterval : 168
fAutoReverseZones  : FALSE
fAutoCacheUpdate : FALSE
fRecurseAfterForwarding  : FALSE
fForwardDelegations  : TRUE
fNoRecursion : FALSE
fSecureResponses : FALSE
fRoundRobin  : TRUE
fLocalNetPriority  : FALSE
fBindSecondaries : FALSE
fWriteAuthorityNs  : FALSE
fStrictFileParsing : FALSE
fLooseWildcarding  : FALSE
fDefaultAgingState : FALSE
dwRpcStructureVersion  : 0x2
aipLogFilter : []
pwszLogFilePath  : None
pszDomainName  : sad.yourcompany.com
pszForestName  : sad.yourcompany.com
pszDomainDirectoryPartition : DC=DomainDnsZones,DC=sad,DC=yourcompany,DC=com
pszForestDirectoryPartition : DC=ForestDnsZones,DC=sad,DC=yourcompany,DC=com
dwLocalNetPriorityNetMask  : 0xff
dwLastScavengeTime : 0
dwEventLogLevel  : 4
dwLogFileMaxSize : 0
dwDsForestVersion  : 4
dwDsDomainVersion  : 4
dwDsDsaVersion : 4
fReadOnlyDC  : FALSE

To see more information about a zone run:

$ samba-tool dns zoneinfo sad.yourcompany.com 0.20.in-addr.arpa
Password for [Administrator@SAD.YOURCOMPANY.COM]:
pszZoneName  : 0.20.in-addr.arpa
dwZoneType : DNS_ZONE_TYPE_PRIMARY
fReverse : TRUE
fAllowUpdate : DNS_ZONE_UPDATE_SECURE
fPaused  : FALSE
fShutdown  : FALSE
fAutoCreated : FALSE
fUseDatabase : TRUE
pszDataFile  : None
aipMasters : []
fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
aipSecondaries : []
aipNotify  : []
fUseWins : FALSE
fUseNbstat : FALSE
fAging : FALSE
dwNoRefreshInterval  : 168
dwRefreshInterval  : 168
dwAvailForScavengeTime : 0
aipScavengeServers : []
dwRpcStructureVersion  : 0x2
dwForwarderTimeout : 0
fForwarderSlave  : 0
aipLocalMasters  : []
dwDpFlags  : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
pszDpFqdn  : DomainDnsZones.sad.yourcompany.com
pwszZoneDn : DC=0.20.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=sad,DC=yourcompany,DC=com
dwLastSuccessfulSoaCheck : 0
dwLastSuccessfulXfr  : 0
fQueuedForBackgroundLoad : FALSE
fBackgroundLoadInProgress  : FALSE
fReadOnlyZone  : FALSE
dwLastXfrAttempt : 0
dwLastXfrResult  : 0

This should help you hit the ground running. Two of the zoneinfo fields above are worth checking on any zone you create: fAllowUpdate set to DNS_ZONE_UPDATE_SECURE means only authenticated dynamic updates are accepted, and fSecureSecondaries set to DNS_ZONE_SECSECURE_NO_XFER means zone transfers are refused, so an AXFR request against the directory will not hand out your address plan.

Whether you prefer to create your reverse lookup zones as Route 53 hosted zones or Simple AD DNS zones, or maintain zones in both DNS services, the technical ability is there. Just remember that when the same zone exists in both, the Simple AD copy is the one hosts pointed at Simple AD will see.

Normally, you probably wouldn't want to set up your DNS this way but understanding how Simple AD and Route 53 work when both are deployed alongside each other is crucial and can help you save a lot of time when you venture to build a more complex DNS system in your cloud.

At Command Prompt, Inc. we champion Linux and Open Source solutions but if these tools don't float your boat, know that you could set up a Windows-based Simple AD control host and do the same from the comfort of a graphical user interface.

If you have any questions don't hesitate to contact us.

We'll be thrilled to help!