Last updated: 21 Aug 2023

Domain Name System (DNS) records

GOV.UK is responsible for managing several DNS zones.

By default, zones are hosted by AWS (Route 53) and Google Cloud Platform (Cloud DNS). We use both for redundancy.

As of December 2022, there are 61 hosted zones. A list is retrievable from a terminal using:

gds aws govuk-production-poweruser -- aws route53 list-hosted-zones | grep Name

Some individual records within these zones are managed by other teams.

Records for GOV.UK systems

We use a few domains:

• alphagov.co.uk is the old domain name GOV.UK publishing used to live on. We maintain records which point to Bouncer so that these URLs redirect.
• publishing.service.gov.uk and govuk.service.gov.uk are where GOV.UK lives.

DNS for *.service.gov.uk domains

GOV.UK Technical 2nd Line are responsible for delegating DNS to other government services. Note that we do not manage any other DNS records: if you get a request concerning anything other than NS records, it should be rejected. See the SRE interruptible documentation for details.

When you’ve verified the authenticity of the request as per the SRE docs above, you should:

1. Ensure you have Terraform Cloud access
2. Commit your changes in govuk-dns-tf (see example)
3. Push your changes to GitHub and open a pull request
4. Terraform Cloud will automatically perform a plan. Open the govuk-dns-tf workspace to see it.
5. If you are happy with the results of the plan, merge your PR
6. From the PR page in GitHub, look under the pre-merge checks section and open the “details” link from the Terraform Cloud check.
7. Press “Confirm and apply” in Terraform Cloud.

DNS for govuk.digital and govuk-internal.digital

Currently these zones are only used in environments running on AWS.

These DNS zones are hosted in Route53 and managed by Terraform. Changes can be made in the govuk-aws and govuk-aws-data repositories. Ask the Platform teams if you need help making your changes.

DNS for the publishing.service.gov.uk domain

To make a change to this zone, begin by adding the records to the yaml file for the zone held in the DNS config repo.

The deployment process is the same as for service.gov.uk

DNS for the gov.uk top level domain

Jisc is a non-profit which provides networking to UK education and government. They host DNS for the gov.uk. zone.

Requests to modify the DNS records for gov.uk. should be sent by email to naming@ja.net from someone on Jisc’s approved contacts list. Speak to a member of Senior Tech or someone in the Platform teams if you need to make a change and don’t have access.

You should also make sure that the following groups of people are aware before requesting any changes:

• Technical 2nd Line (via email)
• GOV.UK’s Head of Tech and the senior tech team
• The CDDO domains team (#team-domains)

Technical 2nd Line should be notified of any planned changes via email.

• The domain name gov.uk. is an apex domain so it cannot have a CNAME record. Instead, it has A records that point directly to anycast virtual IP addresses (VIPs) for our CDN provider.
• www.gov.uk. is a CNAME to www-cdn.production.govuk.service.gov.uk., which means we do not need to make a request to Jisc if we want to change CDN providers. We can just change where the CNAME points to.

DNS for non-gov.uk domains

GOV.UK also manages DNS zones for some non-gov.uk domains (e.g. independent-inquiry.uk).

These should mostly be managed in Terraform: each domain should have its own zone configuration file in govuk-dns-tf.

If a non-GOV.UK domain is missing a configuration file, then it has not been migrated to Terraform yet (Platform Engineering have a card to migrate the remaining ones). These domains need updating manually in the AWS console as follows:

1. Login to the production AWS console.

   $ gds aws govuk-production-poweruser -l
   

2. Go to Route 53 > Hosted zones and select the zone for the domain you need to update.

   For example, if you’ve been asked to delegate example.independent-inquiry.uk you’ll need the independent-inquiry.uk zone.

3. Expand the ‘Hosted zone details’ and look for any useful comments in the description field.

   For example, the description will hopefully be something like:

   This zone is managed manually using the AWS console (i.e. click-ops). It’s not managed by Terraform.

   This is a clear indicator that it’s safe to update these records manually and they won’t be overwritten by Terraform.

   However if it’s something like this, then you shouldn’t update it manually (go back and find the zone config file in govuk-dns-tf):

   Managed by Terraform

4. Update the DNS records as required.

5. For bonus points: If the zone description wasn’t clear, but you’re certain it’s safe to be updated manually, then consider changing the description field so it’s clearer for the next person.

More in the Infrastructure section

Learn

• GOV.UK and Virtual Private Networks (VPNs)
• GOV.UK's environments (integration, staging, production)
• Load Testing
• Rate Limiting
• Rollback Puppet if Jenkins is broken
• Terraform Cloud
• Upgrade Terraform

How to...

• Add a new Ruby version
• Databases on GOV.UK
• Generate a Certificate Signing Request (CSR) for GOV.UK
• Manage AmazonMQ
• Manage RabbitMQ
• Manually resize EBSs (elastic block store)
• Move apps between servers
• Patch Jenkins
• Provision machines for data science research
• Reboot a machine
• Remove a machine
• Renew a TLS certificate for GOV.UK
• Reprovision a machine