How to retrieve DNS records for a specific domain in AWS Route 53 via PowerShell

Ondrej Sebela

Published on May 28, 2021


To be able to retrieve DNS records from AWS, you need three things:

  • an AWS user account that has permission to READ the DNS zone
  • the DNS zone ID
  • a PowerShell function that will give you the results

Create a user account

Log in to AWS and create a new user account in AWS IAM.


Create a Security policy

This policy will grant its members the right to READ data for the selected DNS zone. In IAM, create a new policy:

  • This policy needs to grant the following permissions (see screenshot):
  • You can find the Hosted Zone ID for the Resources restriction in the Route 53 console, as shown in the screenshot.

Assign created policy to the user

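The three console steps above (user, policy, assignment) scripted with the AWS Tools for PowerShell IAM module. This is an added example, not the author's screenshots or code: it assumes AWS.Tools.IdentityManagement and AWS.Tools.Route53 are installed, that the shell already runs with administrative AWS credentials, and that `Z0PLACEHOLDER` and `example.com.` stand in for your own zone. The policy grants only `route53:ListResourceRecordSets` (the API call behind `Get-R53ResourceRecordSet`) on the one hosted zone, and the policy simulator is queried before any access key is issued, so a too-broad policy is caught early.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.IdentityManagement and
# AWS.Tools.Route53 are installed and the session already has admin AWS credentials.
Import-Module AWS.Tools.IdentityManagement -ErrorAction Stop
Import-Module AWS.Tools.Route53 -ErrorAction Stop

$userName = 'route53-reader'            # name of the read-only IAM user (assumption)
$zoneId   = 'Z0PLACEHOLDER'             # placeholder: your Hosted Zone ID from the Route 53 console

# Alternatively look the ID up by zone name (note the trailing dot in Route 53 zone names):
# $zoneId = (Get-R53HostedZoneList | Where-Object Name -eq 'example.com.').Id -replace '^/hostedzone/', ''

$zoneArn = "arn:aws:route53:::hostedzone/$zoneId"

# Least-privilege policy: the single list action the read function needs, on this zone only.
$policyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneHostedZone",
      "Effect": "Allow",
      "Action": [ "route53:ListResourceRecordSets" ],
      "Resource": "$zoneArn"
    }
  ]
}
"@

$user   = New-IAMUser -UserName $userName
$policy = New-IAMPolicy -PolicyName "Route53Read-$zoneId" -PolicyDocument $policyDocument
Register-IAMUserPolicy -UserName $userName -PolicyArn $policy.Arn

# Check the effective permissions with the IAM policy simulator before issuing keys:
# listing records of this zone must be allowed, changing them must be denied.
Test-IAMPrincipalPolicy -PolicySourceArn $user.Arn `
    -ActionName 'route53:ListResourceRecordSets', 'route53:ChangeResourceRecordSets' `
    -ResourceArn $zoneArn |
    Select-Object EvalActionName, EvalDecision

# Only now create the access key. The secret is returned once; keep it out of scripts and logs.
$key = New-IAMAccessKey -UserName $userName

# PSCredential in the shape the Get-AWSDNSZoneRecord function expects:
# access key ID as user name, secret access key as password.
$credential = New-Object System.Management.Automation.PSCredential (
    $key.AccessKeyId,
    (ConvertTo-SecureString $key.SecretAccessKey -AsPlainText -Force)
)
```

The simulator output should show `allowed` for the list action and `implicitDeny` for the change action; if the change action is allowed, the policy document is wider than intended and should be fixed before the key leaves this session.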


Use PowerShell function to retrieve the results

Now that you have a user account that can read DNS data from AWS, use it in the Get-AWSDNSZoneRecord function below together with the domainZoneID retrieved earlier.

function Get-AWSDNSZoneRecord {
    <#
    .SYNOPSIS
    Function will return DNS records for given DNS zone hosted in AWS.

    .DESCRIPTION
    Function will return DNS records for given DNS zone hosted in AWS.
    The API returns records in pages, so the function loops until IsTruncated is false.

    .PARAMETER domainZoneID
    Hosted Zone ID (without the "/hostedzone/" prefix).

    .PARAMETER credential
    Credentials for user that has read permission on given DNS zone:
    access key ID as the user name, secret access key as the password.

    .EXAMPLE
    Get-AWSDNSZoneRecord -domainZoneID Z019043928439 -credential (Get-Credential)
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $domainZoneID,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $credential
    )

    try {
        Import-Module AWS.Tools.Common -ErrorAction Stop
        Import-Module AWS.Tools.Route53 -ErrorAction Stop
    } catch {
        throw ("Important module is missing (AWS.Tools.Common or AWS.Tools.Route53). To download these modules use:`n`n" +
            "Install-Module -Name AWS.Tools.Installer -Force`n" +
            "Install-AWSToolsModule AWS.Tools.Common,AWS.Tools.Route53 -CleanUp")
    }

    $accessKey = $credential.UserName
    $secretKey = $credential.GetNetworkCredential().Password

    # this sets the default credentials for the whole PowerShell session (every later AWS cmdlet will use them);
    # run Clear-AWSCredential afterwards if that is not wanted
    Set-AWSCredential -AccessKey $accessKey -SecretKey $secretKey

    # because results are returned 100 items at a time, you have to iterate (there is a MaxItem parameter but it is limited to 300)
    # https://forums.aws.amazon.com/message.jspa?messageID=463427
    $nextIdentifier = $null
    $nextType = $null
    $nextName = $null

    [System.Collections.ArrayList] $result = @()

    do {
        $recordSet = Get-R53ResourceRecordSet -HostedZoneId "/hostedzone/$domainZoneID" -StartRecordIdentifier $nextIdentifier -StartRecordName $nextName -StartRecordType $nextType

        $recordSet.ResourceRecordSets | Select-Object @{n = "name"; e = { $name = $_.Name; if ([string]::IsNullOrEmpty($name)) { "@" } else { $name } } }, type, @{n = "value"; e = { $_.ResourceRecords.Value } } | ForEach-Object {
            $name = $_.name
            $type = $_.type
            if ($_.value -is [array]) {
                # record has several values, create a separate object for each of them
                $_.value | ForEach-Object {
                    [void] $result.Add(
                        [PSCustomObject]@{
                            name  = $name
                            type  = $type
                            value = $_
                        }
                    )
                }
            } else {
                # value is a single string (or $null for alias records, which have no ResourceRecords), no need to expand it
                [void] $result.Add(
                    [PSCustomObject]@{
                        name  = $name
                        type  = $type
                        value = $_.value
                    }
                )
            }
        }

        # set up for the next call
        if ($recordSet.IsTruncated) {
            $nextIdentifier = $recordSet.NextRecordIdentifier
            $nextType = $recordSet.NextRecordType
            $nextName = $recordSet.NextRecordName
        }
    } while ($recordSet.IsTruncated)

    return $result
}

Get-AWSDNSZoneRecord -domainZoneID 'Z01whatever' -credential (Get-Credential)
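The same paginated read written so that the access key never becomes the session default. This is an added example, not the author's function: `Set-AWSCredential` in the original leaves the key as the default credential for every later AWS cmdlet in the shell, whereas here an `Amazon.Runtime.BasicAWSCredentials` object is passed to each `Get-R53ResourceRecordSet` call through its `-Credential` parameter and nothing is stored. It also handles alias records (which have an `AliasTarget` instead of `ResourceRecords`), streams objects instead of collecting them, and takes an optional record type filter. It assumes AWS.Tools.Route53 is installed and that `$credential` carries the access key ID as user name and the secret as password, as in the original; `Get-AWSDNSZoneRecordScoped`, `-type` and `Z0PLACEHOLDER` are names chosen here.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.Route53 is installed.
function Get-AWSDNSZoneRecordScoped {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $domainZoneID,

        # access key ID as user name, secret access key as password (same convention as the original)
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $credential,

        # optional record type filter, e.g. 'A', 'TXT', 'MX' (name chosen for this example)
        [string] $type
    )

    Import-Module AWS.Tools.Route53 -ErrorAction Stop

    # SDK credential object built once and passed per call; the session default credentials stay untouched
    $awsCredential = New-Object Amazon.Runtime.BasicAWSCredentials(
        $credential.UserName,
        $credential.GetNetworkCredential().Password
    )

    $nextName = $null; $nextType = $null; $nextIdentifier = $null
    do {
        # MaxItem 300 is the API ceiling, so large zones still need the loop
        $page = Get-R53ResourceRecordSet -HostedZoneId "/hostedzone/$domainZoneID" `
            -StartRecordName $nextName -StartRecordType $nextType -StartRecordIdentifier $nextIdentifier `
            -MaxItem 300 -Credential $awsCredential

        foreach ($rrset in $page.ResourceRecordSets) {
            $rrType = [string]$rrset.Type
            if ($type -and $rrType -ne $type) { continue }

            $name = if ([string]::IsNullOrEmpty($rrset.Name)) { '@' } else { $rrset.Name }

            if ($rrset.AliasTarget) {
                # alias records carry no ResourceRecords; report the alias target instead of crashing on $null
                [PSCustomObject]@{ name = $name; type = "$rrType (alias)"; value = $rrset.AliasTarget.DNSName }
            } else {
                # one object per value, so multi-value records (several A or TXT entries) stay one row each
                foreach ($rr in $rrset.ResourceRecords) {
                    [PSCustomObject]@{ name = $name; type = $rrType; value = $rr.Value }
                }
            }
        }

        $nextName       = $page.NextRecordName
        $nextType       = $page.NextRecordType
        $nextIdentifier = $page.NextRecordIdentifier
    } while ($page.IsTruncated)
}

# usage: Get-Credential prompts for the key pair; Z0PLACEHOLDER stands for your real Hosted Zone ID
# Get-AWSDNSZoneRecordScoped -domainZoneID 'Z0PLACEHOLDER' -credential (Get-Credential) -type 'TXT'
```

Because the objects are emitted to the pipeline as they are produced, the output can be piped straight into `Export-Csv` or `Where-Object` without first building a full list in memory, and once the function returns there is no credential left in the session for a later cmdlet to pick up.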

A similar approach can be used to retrieve any other information from AWS.
