
DNS names within VPN VPC

We can connect to our AWS EC2 only from within the company VPN. I made a request to create DNS names for the servers. This would be made using AWS Route 53.

The operations team says that having a DNS name is a security risk and the explanation is "Names are easy to guess compared to IP addresses" and "setting up a DNS for a server in the public zone directly exposes the server's origin IP and opens up a potential to the DDoS attacks as well as subnet vulnerability".

The servers are not exposed outside our VPN. We have separate AWS accounts for different teams and public zone here refers to a different team.

Does the operations team have a valid argument?

You should create a Route 53 Private Hosted Zone so the DNS name can't be resolved publicly.

You then need to configure the DNS server in the office to incorporate DNS responses from Route 53 by using a forwarder.

I don't know the full details, but here are some articles that should help:
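
Added example, not part of the original answer: a small audit that separates names published in a public hosted zone, which anyone can resolve, from names in a private hosted zone. The zone names, host names and addresses are constructed, and the layout (each zone entry merged with its record sets) is an assumption about how the data was exported.

```python
import ipaddress

# RFC 1918 ranges, the address space private VPC subnets normally use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: entries shaped like `aws route53 list-hosted-zones`
# output, each merged with its `list-resource-record-sets` output.
# Every name and address below is made up for illustration.
ZONES = [
    {"Name": "corp.example.com.", "Config": {"PrivateZone": False},
     "ResourceRecordSets": [
         {"Name": "www.corp.example.com.", "Type": "A",
          "ResourceRecords": [{"Value": "203.0.113.10"}]},
         {"Name": "build01.corp.example.com.", "Type": "A",
          "ResourceRecords": [{"Value": "10.20.1.15"}]},
         {"Name": "docs.corp.example.com.", "Type": "CNAME",
          "ResourceRecords": [{"Value": "www.corp.example.com."}]},
     ]},
    {"Name": "aws.corp.internal.", "Config": {"PrivateZone": True},
     "ResourceRecordSets": [
         {"Name": "build01.aws.corp.internal.", "Type": "A",
          "ResourceRecords": [{"Value": "10.20.1.15"}]},
     ]},
]

def classify(zone, value):
    """Return the exposure class of one A-record value in the given zone."""
    if zone["Config"]["PrivateZone"]:
        return "private-zone"  # only resolvable via the associated VPCs
    addr = ipaddress.ip_address(value)
    if any(addr in net for net in RFC1918):
        return "public-zone-leaks-internal-ip"
    return "public-zone-origin-ip"

def audit(zones):
    """List (name, address, exposure class) for every A record."""
    findings = []
    for zone in zones:
        for rrset in zone.get("ResourceRecordSets", []):
            if rrset["Type"] != "A":
                continue  # only A records are checked in this example
            for rr in rrset.get("ResourceRecords", []):  # alias records have none
                findings.append((rrset["Name"], rr["Value"],
                                 classify(zone, rr["Value"])))
    return findings

if __name__ == "__main__":
    for name, value, verdict in audit(ZONES):
        print(f"{verdict:32} {name} -> {value}")
```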
