DNS Setting Causing Conflicts with VPC Endpoint DNS

David Jenniex

Jan 4, 2021, 4:04:03 PM
to GlobalGiving API
I'm not sure when this DNS change happened, but it appears that api.globalgiving.org is a CNAME alias to *.execute-api.us-east-1.amazonaws.com.

$ dig nssearch api.globalgiving.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> nssearch api.globalgiving.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nssearch. IN A

;; AUTHORITY SECTION:
. 3092 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2021010402 1800 900 604800 86400

;; Query time: 2 msec
;; SERVER: 10.20.0.2#53(10.20.0.2)
;; WHEN: Mon Jan 04 20:58:15 UTC 2021
;; MSG SIZE  rcvd: 101

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 667
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;; ANSWER SECTION:

This has created issues when our EC2 instance calls api.globalgiving.org, since we have a VPC endpoint set up for our own internal API Gateway, which has a private DNS entry for *.execute-api.us-east-1.amazonaws.com.

The 2 issues this is creating are:
  1. All calls to api.globalgiving.org are now being routed to our private API Gateway.
  2. Since it's using API Gateways via the VPC Endpoint, the SSL certificate errors out.
Am I missing something about why you are using CNAME instead of A records?

Thanks for any help or guidance you could provide on this issue.
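
Added example, not part of the original post and not GlobalGiving's code: a Python check that reads `dig +noall +answer` output and reports whether a hostname that CNAMEs into *.execute-api.us-east-1.amazonaws.com is being answered with addresses inside the VPC, which is the situation described above. The API id `example123`, the addresses and the 10.20.0.0/16 VPC range are constructed assumptions.

```python
import ipaddress

# Wildcard served by the endpoint's private DNS, as named in the post.
ENDPOINT_SUFFIX = ".execute-api.us-east-1.amazonaws.com"

def parse_answer(text):
    """Split `dig +noall +answer` lines into CNAME targets and A addresses."""
    cnames, addrs = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue  # blank line, comment, or truncated record
        rtype, rdata = fields[3].upper(), fields[4]
        if rtype == "CNAME":
            cnames.append(rdata.rstrip(".").lower())
        elif rtype == "A":
            addrs.append(ipaddress.ip_address(rdata))
    return cnames, addrs

def diagnose(hostname, answer_text, vpc_cidr):
    """Classify how a third-party hostname resolves from inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    cnames, addrs = parse_answer(answer_text)
    names = [hostname.rstrip(".").lower()] + cnames
    via_execute_api = any(n.endswith(ENDPOINT_SUFFIX) for n in names)
    if not addrs:
        return "no-address"
    if via_execute_api and any(a in vpc for a in addrs):
        # Public name answered with endpoint ENI addresses: requests reach
        # the private API Gateway and the certificate will not match.
        return "captured-by-vpc-endpoint"
    return "public-execute-api" if via_execute_api else "not-execute-api"

# Constructed answers (not from the thread); API id and addresses are placeholders.
INSIDE_VPC = """\
api.globalgiving.org. 60 IN CNAME example123.execute-api.us-east-1.amazonaws.com.
example123.execute-api.us-east-1.amazonaws.com. 60 IN A 10.20.1.15
example123.execute-api.us-east-1.amazonaws.com. 60 IN A 10.20.2.27
"""
OUTSIDE_VPC = """\
api.globalgiving.org. 60 IN CNAME example123.execute-api.us-east-1.amazonaws.com.
example123.execute-api.us-east-1.amazonaws.com. 60 IN A 203.0.113.10
"""

if __name__ == "__main__":
    for label, answer in (("inside VPC", INSIDE_VPC), ("outside VPC", OUTSIDE_VPC)):
        print(label, "->", diagnose("api.globalgiving.org", answer, "10.20.0.0/16"))
```

Comparing the verdict from an instance inside the VPC with one from a resolver outside it separates a private DNS override from a change on the publisher's side.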

Kevin Conroy

Jan 4, 2021, 4:07:32 PM
to globalgi...@googlegroups.com
Hi David,
This change happened in May 2020 and this is the first report of any issues with it that we've received. We'll look into it further and see what changes are possible to make to support this use case. Is this impacting a production environment? (If you need to, you can send me details directly at kco...@globalgiving.org)

Thanks,
Kevin

Kevin Conroy
Chief Product Officer
GlobalGiving