Hacking The AWS:EC2 Load Balancing Service Zone Apex CNAME Restriction w/ Win2k3 and Unbound

By M. David Peterson
June 16, 2009

I assume that many of you who may have interest in Amazon Web Services and, in particular, their EC2 Load Balancing, Auto Scaling, and CloudWatch services, will likely only visit the support forums on an as-needed basis. As such, I thought it best to post a reprint of a post I made earlier this morning to the EC2 forums that provides a solution -- if not a temporary band-aid to tide you over until direct support from AWS arrives -- to the current inability to load balance the zone apex of a given domain (e.g. example.com is the zone apex, whereas www.example.com is the 'www' sub-domain of the zone apex) due to the RFC-based restrictions on using CNAMEs at the zone apex.

To better understand the overall problem and to read Amazon's official response, you can visit the ELB CNAME thread from a few weeks back. In the meantime, for those of you interested in the AWS EC2 Load Balancing, Auto Scaling, and CloudWatch services but unable to take advantage of them due to the current zone apex CNAME restriction, the following info will help get you up and running and doing just that.

[Original EC2 Forum Post]
So I've known about this capability since the issue of the zone apex restriction first came up in the forums during the LBS private beta, but have held back from publishing it for a couple of reasons:

  1. A standards compliant DNS server /SHOULDN'T/ support this, even though I'm glad it does.
  2. The pressure on AWS to deliver the ability to load balance the zone apex is stronger when customers are choosing not to use the service because of this restriction.

But the fact of the matter is that having the capability to use the LBS service, and therefore the monitoring and auto-scaling services, opens up a lot of doors for a lot of folks as far as being able to manage their virtual EC2 networks more efficiently. It's because of this that I present the following hack for using LBS to load balance the zone apex of a given domain (e.g. example.com instead of www.example.com) while AWS gets their ducks in a row and provides a better overall solution to the problem at hand.

Firstly: This requires you have a Win2k+ server available to run as a DNS server. A Win2k3 based EC2 AMI will work just fine, so if you don't have your own Win2k+ server then you'll need to launch a Win2k3-based AMI and install the DNS service.

NOTE: If you've never set up a Win2k+ DNS server and you need help, please consult your favorite search provider or the standard documentation on MSDN. In the case of an EC2-based Win2k3 server, you'll need to search the AWS site to find out how to make a snapshot of the EBS volume that contains the Win2k3 setup files and then mount that EBS drive on a running instance of Win2k3 before proceeding with the setup.

With a properly set up and running Win2k+ DNS service, you simply create a new domain, set it up as you normally would, but instead of creating an A record entry for the zone apex, create a CNAME entry and point it at an LBS CNAME end point you've created. If you haven't already created one, obviously you'll need to do that first, but again, I'll leave it to existing documentation and forum entries to explain how to go about creating a new LBS end point.

The end result of this process will look something similar to: http://m.david.s3.amazonaws.com/screen-shots/W2k3-DNS-CNAME-Zone-Apex-Hack.png

Of course, you'll need more than one DNS server on hand to handle your DNS queries, and in this regard, if you'd prefer not to use another Win2k+ server, I would recommend the use of the Unbound recursive DNS server: http://www.unbound.net/ < It's open source and /BLAZING/ fast. And because it's not an authoritative server, it's not breaking any DNS spec rules by querying the authoritative Win2k+ server and asking it to resolve a given request for the A record of the apex of a given domain.

You can also run it on both Windows and Unix which means your second DNS server sitting in either another availability zone or some other location on the planet won't require an additional Win2k+ license, or in the case of an EC2 Win2k3 instance, an additional $0.025 cents per hour.

You'll need to consult the Unbound documentation to determine how to build, install, and configure the Unbound DNS server to get it up and running the way you want. But once you've done that, getting it to answer queries for the A record of any given domain is pretty straightforward: Append the following stub-zone stanza to the end of the config file for each domain you want Unbound to answer queries for (stub-addr is the address of the authoritative Win2k+ DNS server that holds the CNAME):

        # stub-zone sends queries for this name straight to the
        # authoritative Win2k+ DNS server instead of recursing from the root
        stub-zone:
                name: "nuxleus.com"
                stub-addr: <IP-of-your-Win2k+-DNS-server>

Obviously you'll want to replace nuxleus.com and the IP address with your own domain and the IP of your own Win2k+ DNS server. Once you're done adding all your domains, start up the server and then run an A record DNS query for one of the domains you just configured using dig or nslookup or host, referencing the locally running Unbound DNS server:

$ unbound-control start
$ dig A nuxleus.com @localhost

The end result of the above query? A properly resolved IP of the LBS CNAME entry configured on the Win2k+ DNS server:

; <<>> DiG 9.5.0-P2 <<>> a nuxleus.com @localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48799
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;nuxleus.com. IN A

nuxleus.com. 3600 IN CNAME nuxleus-lb-2013079591.us-east-1.elb.amazonaws.com.
nuxleus-lb-2013079591.us-east-1.elb.amazonaws.com. 60 IN A

;; Query time: 722 msec
;; WHEN: Tue Jun 16 08:13:23 2009
;; MSG SIZE rcvd: 10

That's it.
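As an added example (not code from the original post, nor from AWS or the Unbound project), the following Python script does two things a practitioner wants when setting this up: it generates the Unbound stub-zone stanzas for a list of domains, and it checks a dig-style answer the way you would after the query above, following the CNAME chain from the apex to the terminal A record, reporting the effective TTL, and flagging that the apex itself is a CNAME. That last flag matters because a CNAME at the apex sits beside the zone's SOA and NS records, which RFC 1034 forbids, so strictly compliant servers and resolvers may answer differently than the Win2k+/Unbound pair. The stub-zone and stub-addr directives are real Unbound options; the sample answer, the ELB hostname and all addresses are constructed placeholders.

```python
"""Helpers for the zone-apex CNAME hack: Unbound stub-zone generation and
CNAME-chain checking of a dig answer. Added example, not from the original
post; sample data below is constructed."""
import ipaddress
import re


def unbound_stub_zones(domains, server_ip):
    """Return Unbound config text sending queries for each domain to the
    authoritative Win2k+ DNS server at server_ip. stub-zone (not
    forward-zone) is used because the target is authoritative."""
    ipaddress.ip_address(server_ip)  # raises ValueError on a bad address
    blocks = []
    for d in domains:
        d = d.rstrip(".").lower()
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", d):
            raise ValueError(f"not a valid domain: {d!r}")
        blocks.append(f'stub-zone:\n    name: "{d}"\n    stub-addr: {server_ip}\n')
    return "".join(blocks)


# owner  ttl  IN  type  rdata   (dig separates fields with tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_answer_section(dig_output):
    """Pull (owner, ttl, type, rdata) tuples out of dig's answer lines,
    skipping ';' comment lines and the question line."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), int(ttl), rtype,
                            rdata.rstrip(".").lower()))
    return records


def follow_cname_chain(records, qname, max_hops=8):
    """Walk CNAMEs from qname to the terminal A record(s).
    Returns (chain_of_names, addresses, effective_ttl); the effective TTL
    is the smallest TTL on the chain, which is how long a cache may keep
    the final answer. Raises on loops or over-long chains."""
    name = qname.rstrip(".").lower()
    chain = [name]
    min_ttl = None
    for _ in range(max_hops):
        a_rrs = [r for r in records if r[0] == name and r[2] == "A"]
        if a_rrs:
            ttls = [r[1] for r in a_rrs] + ([min_ttl] if min_ttl is not None else [])
            return chain, [r[3] for r in a_rrs], min(ttls)
        cnames = [r for r in records if r[0] == name and r[2] == "CNAME"]
        if len(cnames) != 1:
            # no data, or several CNAMEs at one owner (not allowed by RFC 1034)
            return chain, [], min_ttl
        ttl, target = cnames[0][1], cnames[0][3]
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if target in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [target]))
        chain.append(target)
        name = target
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def apex_is_cname(records, zone):
    """True when the zone apex itself carries a CNAME, i.e. the setup this
    post describes, which a strictly RFC-compliant server refuses."""
    zone = zone.rstrip(".").lower()
    return any(r[0] == zone and r[2] == "CNAME" for r in records)


# Constructed sample in the shape of the dig output shown in the post;
# the ELB hostname and the 192.0.2.0/24 addresses are documentation placeholders.
SAMPLE_DIG = """\
;; ANSWER SECTION:
;example.com.            IN      A
example.com.            3600    IN      CNAME   example-lb-000000000.us-east-1.elb.amazonaws.com.
example-lb-000000000.us-east-1.elb.amazonaws.com. 60 IN A 192.0.2.10
"""

if __name__ == "__main__":
    print(unbound_stub_zones(["example.com", "example.net"], "192.0.2.53"))
    rrs = parse_answer_section(SAMPLE_DIG)
    chain, addrs, ttl = follow_cname_chain(rrs, "example.com")
    print(" -> ".join(chain), addrs, "cacheable for at most", ttl, "s")
    print("apex has CNAME:", apex_is_cname(rrs, "example.com"))
```

Run it as-is to see the generated stanzas and the chain for the constructed sample, or pipe a real `dig A example.com @localhost` capture into `parse_answer_section` to verify your own setup; the 60-second TTL on the ELB hostname is what ends up governing the cache lifetime of the apex answer, not the 3600 seconds on the CNAME.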
