
AWS Route53

Connecting AWS Route53 as a DNS provider in DNS Watchdog.

Overview

Amazon Route53 is AWS's DNS web service. DNS Watchdog connects to it by assuming a cross-account IAM role in your account to discover hosted zones and sync records. This avoids handing out long-lived access keys: the role's permissions are limited to the Route53 actions listed below, and its trust policy is locked to a per-customer External ID.

Prerequisites

You'll need the following to connect Route53 to DNS Watchdog:

Field         Description
Role ARN      The ARN of the IAM role created in your AWS account
External ID   Auto-generated by DNS Watchdog to prevent confused deputy attacks

The External ID is provided by DNS Watchdog when you start the provider setup — you'll use it when creating the IAM role trust policy.

External ID

The External ID is automatically generated by DNS Watchdog. To get it:

  1. In DNS Watchdog, go to Settings > Providers > Add Provider
  2. Select AWS Route53 as the provider type
  3. The wizard will display your unique External ID

Keep this value handy — you'll need it when creating the trust policy for your IAM role.

Creating an IAM Policy (Permissions)

Before creating the role, you need a policy that defines what DNS Watchdog can access.

  1. In the AWS Console, go to IAM > Policies > Create policy
  2. Select the JSON tab
  3. Paste one of the two policies below (read-only or read-write, depending on the access DNS Watchdog needs)
  4. Click Next, name it something like DNSWatchdogRoute53Access
  5. Click Create policy

Alternatively, using the AWS CLI: save the chosen policy JSON to a file (e.g. permission-policy.json), then run:

aws iam create-policy \
  --policy-name DNSWatchdogRoute53Access \
  --policy-document file://permission-policy.json

Note the Policy ARN from the output — you'll need it when attaching the policy to the role.

Read-only policy (list and get operations only):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:GetHostedZone",
        "route53:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Read-write policy (adds ChangeResourceRecordSets so DNS Watchdog can manage records):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:GetHostedZone",
        "route53:ListTagsForResource",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}

Both policies use "Resource": "*". route53:ListHostedZones is only evaluated against "*", but the zone-level actions (ListResourceRecordSets, GetHostedZone, ListTagsForResource and ChangeResourceRecordSets) accept hosted-zone ARNs of the form arn:aws:route53:::hostedzone/<ZONE_ID>. If DNS Watchdog should only see or modify some of your zones, split the statement in two and list those zone ARNs for the zone-level actions, keeping "*" for ListHostedZones only.

Creating an IAM Role (Role ARN)

The IAM role allows DNS Watchdog to access your account using cross-account role assumption. The trust policy names the DNS Watchdog AWS account as the principal and requires your External ID on every sts:AssumeRole call, which prevents confused deputy attacks: another DNS Watchdog customer who learns your Role ARN cannot have DNS Watchdog assume it on their behalf, because the External ID will not match.

  1. In the AWS Console, go to IAM > Roles > Create role
  2. Select Custom trust policy as the trusted entity type
  3. Paste the trust policy JSON below, replacing <YOUR_EXTERNAL_ID> with the value from the DNS Watchdog wizard (keep the Principal and Action exactly as shown)
  4. Click Next
  5. Search for and attach the DNSWatchdogRoute53Access policy you created earlier
  6. Click Next, name the role (e.g. DNSWatchdogRoute53Role)
  7. Click Create role
  8. Open the role and copy the Role ARN from the top of the page — you'll enter this in DNS Watchdog

Alternatively, using the AWS CLI: save the trust policy JSON below to a file (e.g. trust-policy.json), replace <YOUR_EXTERNAL_ID> in the file and <YOUR_ACCOUNT_ID> in the command with your own values, then run:

# Create the role with the custom trust policy
aws iam create-role \
  --role-name DNSWatchdogRoute53Role \
  --assume-role-policy-document file://trust-policy.json

# Attach the permission policy to the role
aws iam attach-role-policy \
  --role-name DNSWatchdogRoute53Role \
  --policy-arn arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/DNSWatchdogRoute53Access

The Role ARN is in the output of the create-role command. To look it up later:

aws iam get-role --role-name DNSWatchdogRoute53Role --query "Role.Arn" --output text

The trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::241415060835:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR_EXTERNAL_ID>"
        }
      }
    }
  ]
}
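The two documents above are easy to get subtly wrong by hand (a leftover <YOUR_EXTERNAL_ID> placeholder, a missing Condition block, an extra action). The following script, an added example and not part of DNS Watchdog's own tooling, generates the trust policy from the External ID the wizard gave you, generates either permission policy from the previous section (optionally scoped to specific hosted-zone IDs, as described there), and lints a trust policy before you apply it. It assumes the DNS Watchdog account ID shown in the trust policy on this page; the hosted-zone IDs and External ID in the usage at the bottom are made-up sample values.

```python
"""Build and sanity-check the IAM documents used to connect Route53 to DNS Watchdog.

Added example, not DNS Watchdog's own code. Assumptions: the account ID below is the
one shown in this page's trust policy; zone IDs and External IDs passed in are yours.
"""
import json

# Account that DNS Watchdog assumes the role from (taken from the trust policy on this page).
DNS_WATCHDOG_ACCOUNT = "241415060835"
DNS_WATCHDOG_PRINCIPAL = f"arn:aws:iam::{DNS_WATCHDOG_ACCOUNT}:root"

READ_ACTIONS = [
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
    "route53:GetHostedZone",
    "route53:ListTagsForResource",
]
WRITE_ACTIONS = ["route53:ChangeResourceRecordSets"]

# Route53 only evaluates this action against Resource "*"; the others accept hosted-zone ARNs.
ACCOUNT_WIDE_ACTIONS = {"route53:ListHostedZones"}


def build_trust_policy(external_id: str) -> dict:
    """Trust policy: the DNS Watchdog account may assume the role only with this External ID."""
    if not external_id or external_id.startswith("<"):
        raise ValueError("external_id must be the value from the DNS Watchdog wizard, not a placeholder")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": DNS_WATCHDOG_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permission_policy(read_write: bool, zone_ids=None) -> dict:
    """Read-only or read-write policy; with zone_ids, zone-level actions are limited to those zones."""
    actions = READ_ACTIONS + (WRITE_ACTIONS if read_write else [])
    if not zone_ids:
        return {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}
    zone_arns = [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(ACCOUNT_WIDE_ACTIONS & set(actions)), "Resource": "*"},
            {"Effect": "Allow", "Action": [a for a in actions if a not in ACCOUNT_WIDE_ACTIONS],
             "Resource": zone_arns},
        ],
    }


def check_trust_policy(doc: dict, expected_external_id: str) -> list:
    """Return a list of problems with a trust policy; an empty list means it is safe to apply."""
    problems = []
    statements = doc.get("Statement", [])
    if not statements:
        problems.append("no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if principal != DNS_WATCHDOG_PRINCIPAL:
            problems.append(f"unexpected principal: {principal!r}")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        if any(a != "sts:AssumeRole" for a in actions):
            problems.append(f"unexpected actions: {actions}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext != expected_external_id:
            problems.append(f"sts:ExternalId is {ext!r}, not the wizard value")
    return problems


if __name__ == "__main__":
    # Sample values only; use the External ID from the wizard and your own zone IDs.
    external_id = "example-external-id"
    trust = build_trust_policy(external_id)
    print(json.dumps(trust, indent=2))                                    # -> trust-policy.json
    print(json.dumps(build_permission_policy(True, ["Z0000000EXAMPLE"]), indent=2))
    print("trust policy problems:", check_trust_policy(trust, external_id))
```

Write the two JSON outputs to trust-policy.json and permission-policy.json and feed them to the aws iam create-role / create-policy commands above. Run check_trust_policy against `aws iam get-role --query Role.AssumeRolePolicyDocument` output as well, so a role edited later in the console still carries the External ID condition.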

Adding the Provider in DNS Watchdog

  1. Go to Settings > Providers > Add Provider
  2. Select AWS Route53 as the provider type
  3. Enter a name for the provider (e.g. "Production Route53")
  4. Choose whether the provider should be Read-Only or Read-Write
  5. Paste the Role ARN from the IAM role you created
  6. Click Test & Save to verify the connection

DNS Watchdog will assume the role and confirm it can access your hosted zones.

Permissions

  • Read-only — use the read-only policy (list and get operations only)
  • Read-write — use the read-write policy (adds ChangeResourceRecordSets for record management); a provider set to Read-Write with only the read-only policy attached will connect, but record changes will fail with AccessDenied
