Panfactum LogoPanfactum
NetworkingSubdomain Delegation

Subdomain Delegation

Subdomain delegation is the process of setting up discrete DNS servers to handle the records for a particular subdomain rather than having all records handled by a single DNS servers.

This is accomplished by setting up NS records in the parent DNS server that point to the IP addresses of the child DNS server.

Motivation

We believe subdomain delegation is worth the added complexity for the following reasons:

  1. It isolates the blast-radius during DNS testing. Mistakes in configuration can now only impact one subdomain instead of potentially taking out your entire DNS infrastructure. Given how central DNS is for an organization (all their websites, email capabilities, and even access to third-party service providers) and how easy it is to misconfigure, this is an incredibly important safety guard.

  2. This better aligns permissions with environment boundaries. You can now give access to users and services to mutate records under a particular subdomain without giving them total access to your entire DNS infrastructure.

AWS Example

AWS NAT Diagram

Here are the important notes:

  • In AWS, the DNS Server is represented by a delegation set which is actually a set of four mirrored nameservers.

  • The DNS zone is represented by a Route53 hosted zone which is identified by its apex / root domain name.

  • When you register a domain with AWS, that "registers" the nameservers of your production account's DNS servers as the authoritative name servers for that root domain. This means that this name server is the source of truth for all records under this root domain.

  • When you create subdomain hosted zones in other accounts, you can manually register the nameservers for this account as the authoritative nameservers for this subdomain. You do this by creating NS records in the parent zone that point to the nameservers for this account.

  • When you query a delegated domain name (i.e., dig test.dev.panfactum.com), the resolution process works as follows: 1

    • Check the .com TLD for the nameservers of panfactum.com.

    • Check the nameservers for panfactum.com (in the production account) for the A record test.dev.panfactum.com. Notice that there are NS records delegating dev.panfactum.com to another nameserver (in the development account).

    • Check the nameservers for dev.panfactum.com for the A record test.dev.panfactum.com. Notice that this record exists. Return the associated IP address.

Footnotes

  1. This is simplified process. For a more complete overview, we recommend this video.