Last updated: 31 May 2023

Domain Name System (DNS) records

GOV.UK is responsible for managing several DNS zones.

By default, zones are hosted by AWS (Route 53) and Google Cloud Platform (Cloud DNS). We use both for redundancy.

As of December 2022, there are 61 hosted zones. A list is retrievable from a terminal using:

gds aws govuk-production-poweruser -- aws route53 list-hosted-zones | grep Name

Some individual records within these zones are managed by other teams.

Records for GOV.UK systems

We use a few domains:

• alphagov.co.uk is the old domain name GOV.UK publishing used to live on. We maintain records which point to Bouncer so that these URLs redirect.
• publishing.service.gov.uk and govuk.service.gov.uk are where GOV.UK lives.

DNS for *.service.gov.uk domains

GOV.UK Technical 2nd Line are responsible for delegating DNS to other government services. Note that we do not manage any other DNS records: if you get a request concerning anything other than NS records, it should be rejected. See the SRE interruptible documentation for details.

When you’ve verified the authenticity of the request as per the SRE docs above, you should:

1. Ensure you have Terraform Cloud access
2. Commit your changes in govuk-dns-tf (see example)
3. Push your changes to GitHub and open a pull request
4. Terraform Cloud will automatically perform a plan
5. If you are happy with the results of the plan, merge your PR
6. Terraform Cloud will automatically apply your changes when they are merged to main

DNS for govuk.digital and govuk-internal.digital

Currently these zones are only used in environments running on AWS.

These DNS zones are hosted in Route53 and managed by Terraform. Changes can be made in the govuk-aws and govuk-aws-data repositories. While GOV.UK migrates to AWS speak with GOV.UK Platform Engineering for support making your changes.

DNS for the publishing.service.gov.uk domain

To make a change to this zone, begin by adding the records to the yaml file for the zone held in the DNS config repo.

The deployment process is the same as for service.gov.uk

DNS for the gov.uk top level domain

Jisc is a non-profit which provides networking to UK education and government. They control the gov.uk. top-level domain.

Requests to modify the DNS records for gov.uk. should be sent by email to naming@ja.net from someone on Jisc’s approved contacts list. Speak to a member of the senior tech team or someone in GOV.UK Platform Engineering if you need to make a change and don’t have access.

You should also make sure that the following groups of people are aware before requesting any changes:

• Technical 2nd Line (via email)
• GOV.UK’s Head of Tech and the senior tech team
• The CDDO domains team (the senior tech team can contact them)

Technical 2nd Line should be notified of any planned changes via email.

• gov.uk. is a top-level domain so it cannot contain a CNAME record (see RFC 1912 section 2.4). Instead, it contains A records that point to anycast IP addresses for our CDN provider.
• www.gov.uk. is a CNAME to www-cdn.production.govuk.service.gov.uk., which means we do not need to make a request to Jisc if we want to change CDN providers. Just change where the CNAME points to.

DNS for non-gov.uk domains

GOV.UK also manages DNS zones for some non-gov.uk domains.

These include (but are not limited to):

• independent-commission.uk
• independent-inquiry.uk
• public-inquiry.uk
• royal-commission.uk

Some of these are not managed by Terraform. If you can’t find a configuration file for the zone in govuk-dns-tf, then you’ll need to update it manually in the AWS console.

1. Login to the production AWS console.

   $ gds aws govuk-production-poweruser -l
   

2. Go to Route 53 > Hosted zones and select the zone for the domain you need to update.

   For example, if you’ve been asked to delegate example.independent-inquiry.uk you’ll need the independent-inquiry.uk zone.

3. Expand the ‘Hosted zone details’ and look for any useful comments in the description field.

   For example, the description will hopefully be something like:

   This zone is managed manually using the AWS console (i.e. click-ops). It’s not managed by Terraform.

   This is a clear indicator that it’s safe to update these records manually and they won’t be overwritten by Terraform.

   However if it’s something like this, then you shouldn’t update it manually:

   Managed by Terraform

4. Update the DNS records as required.

5. For bonus points: If the zone description wasn’t clear, but you’re certain it’s safe to be updated manually, then consider changing the description field so it’s clearer for the next person.

Getting Terraform Cloud access

If you’re a member of 2nd-line, Platform Engineering or Platform Security and Reliability, you should automatically be able to log into Terraform Cloud using your digital.cabinet-office.gov.uk Google account.

If you’re having trouble logging into Terraform Cloud then Platform Engineering team or an owner of the GOV.UK_Terraform_Cloud_Access group will be able to help you.

More in the Infrastructure section

Learn

• EKS/Kubernetes infrastructure
• GOV.UK and Virtual Private Networks (VPNs)
• GOV.UK's environments (integration, staging, production)
• Load Testing
• New instances fail to provision
• Rate Limiting
• Rollback Puppet if Jenkins is broken
• Upgrade Terraform

How to...

• Add a new Ruby version
• Databases on GOV.UK
• Generate a Certificate Signing Request (CSR) for GOV.UK
• Manage AmazonMQ
• Manage RabbitMQ
• Manually resize ASGs (auto scaling groups)
• Manually resize EBSs (elastic block store)
• Move apps between servers
• Patch Jenkins
• Provision machines for data science research
• Reboot a machine
• Remove a machine
• Renew a TLS certificate for GOV.UK
• Reprovision a machine
• Unable to SSH into a machine