fast, easy, and slightly dangerous recursive deletion of a domain’s DNS
Amazon Route 53 currently charges $0.50/month per hosted zone for your first 25 domains, and $0.10/month for additional hosted zones, even if they are not getting any DNS requests. I recently stopped using Route 53 to serve DNS for 25 domains and wanted to save on the $150/year these were costing.
Amazon’s instructions for using the Route 53 Console to delete Record Sets and a Hosted Zone make it look simple. I started in the Route 53 Console clicking into a hosted zone, selecting each DNS record set (but not the NS or SOA ones), clicking delete, clicking confirm, going back a level, selecting the next domain, and so on. This got old quickly.
Being lazy, I decided to spend a lot more effort figuring out how to automate this process with the aws-cli, and pass the savings on to you.
Steps with aws-cli
Let’s start by putting the hosted zone domain name into an environment variable. Do not skip this step! Do make sure you have the right name! If this is not correct, you may end up wiping out DNS for a domain that you wanted to keep.
domain_to_delete=example.com
Install the jq json parsing command line tool. I couldn’t quite get
the normal aws-cli --query option to get me the output format I
wanted.
sudo apt-get install jq
Look up the hosted zone id for the domain. This assumes that you only have one hosted zone for the domain. (It is possible to have multiple, in which case I recommend using the Route 53 console to make sure you delete the right one.)
hosted_zone_id=$(
aws route53 list-hosted-zones \
--output text \
--query 'HostedZones[?Name==`'$domain_to_delete'.`].Id'
)
echo hosted_zone_id=$hosted_zone_id
Use list-resource-record-sets to find all of the current DNS entries
in the hosted zone, then delete each one with
change-resource-record-sets.
aws route53 list-resource-record-sets \
--hosted-zone-id $hosted_zone_id |
jq -c '.ResourceRecordSets[]' |
while read -r resourcerecordset; do
read -r name type <<<$(echo $(jq -r '.Name,.Type' <<<"$resourcerecordset"))
if [ $type != "NS" -a $type != "SOA" ]; then
aws route53 change-resource-record-sets \
--hosted-zone-id $hosted_zone_id \
--change-batch '{"Changes":[{"Action":"DELETE","ResourceRecordSet":
'"$resourcerecordset"'
}]}' \
--output text --query 'ChangeInfo.Id'
fi
done
Finally, delete the hosted zone itself:
aws route53 delete-hosted-zone \
--id $hosted_zone_id \
--output text --query 'ChangeInfo.Id'
As written, the above commands output the change ids. You can monitor the background progress using a command like:
change_id=...
aws route53 wait resource-record-sets-changed \
--id "$change_id"
GitHub repo
To make it easy to automate the destruction of your critical DNS resources, I’ve wrapped the above commands into a command line tool and tossed it into a GitHub repo here:
You are welcome to use as is, fork, add protections, rewrite with Boto3, and generally knock yourself out.
Alternative: CloudFormation
A colleague pointed out that a better way to manage all of this (in many situations) would be to simply toss my DNS records into a CloudFormation template for each domain. Benefits include:
-
Easy to store whole DNS definition in revision control with history tracking.
-
Single command creation of the hosted zone and all record sets.
-
Single command updating of all changed record sets, no matter what has changed since the last update.
-
Single command deletion of the hosted zone and all record sets (my current challenge).
This doesn’t work as well for hosted zones where different records are added, updated, and deleted by automated processes (e.g., instance startup), but for simple, static domain DNS, it sounds ideal.
How do you create, update, and delete DNS in Route 53 for your domains?