Does AWS Route53 support ACL to limit TXT records to public

Question

Does AWS Route53 DNS support any kind of proprietary access list (ACL) to limit some DNS records (TXT records) to the public, but still keep those TXT records reachable from within AWS account?

I know DNS server's intention is to expose all DNS records to public, but some TXT records could be too revealing about implementation.

Example: Kubernetes "external DNS controller" which creates A-records and adds the TXT records. DNS controller relies on "owner" attribute in TXT record to determine if it allows making changes to that record, so TXT records can't be removed entirely.

service-a.example.com. A   192.0.2.4
service-a.example.com. TXT "heritage=external-dns,external-dns/owner=eks/my-eks-cluster,external-dns/resource=service/test/my-svc2"

Answer 1

R53 offers private hosted zones that you can associated with your VPCs so that internal traffic can add/updated/resolve records while keeping this information private. Perhaps you can leverage a private hosted zone for DNS that needs to remain internal.

Answer 2

I guess I found the answer myself...

Yes, I am aware of private zones in Route53, but honestly I am trying to avoid them because it is impossible to request AWS SSL cert for private zone unless you also run AWS Private CA (which is expensive). Second, you would need to adjust "split DNS" on your VPN server which often is not fully automated, so public DNS zone is much preferred.

Yes, I realize that filtering DNS records by type is an anti-pattern for DNS as a concept, so it is probably not implemented anywhere.

The solution based on AWS route53 could be the following:

• create public DNS zone via aws servicediscovery create-public-dns-namespace
• run Kubernetes externalDNS controller with --provider=aws-sd

In that case the externalDNS controller will register Kubernetes service/ingress in AWS Service Discovery, where it will store the "description" record that shows your internal implementation. At the same time, the public DNS zone will only contain A-record which is pretty harmless.

In that case it is possible to register your Private& Public Ingresses/ALBs in the same public DNS zone, like this:

• pub-svc1.my.domain
• pub-svc1.private.my.domain

That way all VPN clients would be able to resolve both types of names - no need for extra Private DNS zone nor for extra "split DNS" VPN configuration; plus you could request public SSL certs via AWS for your *.private.my.domain.