<div dir="ltr">AWS or S3 is not the only service where you will see a single IP returned for a DNS query, <a href="http://www.microsoft.com">www.microsoft.com</a> and <a href="http://www.apple.com">www.apple.com</a> (via Akamai) do the same - see further below.<div><br></div><div>When you look up <bucketname>.<a href="http://s3.amazonaws.com">s3.amazonaws.com</a> you get back an answer that directs you to the correct region where the S3 bucket is located. For example <a href="http://test.s3.amazonaws.com">test.s3.amazonaws.com</a> points to <a href="http://s3-w.us-east-1.amazonaws.com">s3-w.us-east-1.amazonaws.com</a> because the bucket exists in the us-east-1 region.</div><div><br></div><div>The endpoints are listed at <a href="https://docs.aws.amazon.com/general/latest/gr/s3.html">https://docs.aws.amazon.com/general/latest/gr/s3.html</a> and the DNS format is described at <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html">https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html</a> .</div><div><br></div><div><br></div><div>$ dig <a href="http://www.microsoft.com">www.microsoft.com</a></div><div>...</div><div>;; ANSWER SECTION:<br><a href="http://www.microsoft.com">www.microsoft.com</a>. 1281 IN CNAME <a href="http://www.microsoft.com-c-3.edgekey.net">www.microsoft.com-c-3.edgekey.net</a>.<br><a href="http://www.microsoft.com-c-3.edgekey.net">www.microsoft.com-c-3.edgekey.net</a>. 664 IN CNAME <a href="http://www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net">www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net</a>.<br><a href="http://www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net">www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net</a>. 664 IN CNAME <a href="http://e13678.dscb.akamaiedge.net">e13678.dscb.akamaiedge.net</a>.<br><a href="http://e13678.dscb.akamaiedge.net">e13678.dscb.akamaiedge.net</a>. 19 IN A 23.40.73.65<br></div><div><br></div><div>$ dig <a href="http://www.apple.com">www.apple.com</a></div><div>...</div><div>;; ANSWER SECTION:<br><a href="http://www.apple.com">www.apple.com</a>. 368 IN CNAME <a href="http://www.apple.com.edgekey.net">www.apple.com.edgekey.net</a>.<br><a href="http://www.apple.com.edgekey.net">www.apple.com.edgekey.net</a>. 8138 IN CNAME <a href="http://www.apple.com.edgekey.net.globalredir.akadns.net">www.apple.com.edgekey.net.globalredir.akadns.net</a>.<br><a href="http://www.apple.com.edgekey.net.globalredir.akadns.net">www.apple.com.edgekey.net.globalredir.akadns.net</a>. 2168 IN CNAME <a href="http://e6858.dscx.akamaiedge.net">e6858.dscx.akamaiedge.net</a>.<br><a href="http://e6858.dscx.akamaiedge.net">e6858.dscx.akamaiedge.net</a>. 14 IN A 23.1.23.66<br></div><div><br></div><div><br></div><div>Disclaimer: I work for AWS.</div><div><br></div><div>Regards,</div><div>Andras</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 16, 2021 at 2:40 AM Deepak Jain <<a href="mailto:deepak@ai.net">deepak@ai.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
<br>
I've just taken a squiz at an S3-based website we have, and via the S3 URL it is a CNAME with a 60-secod TTL pointing at a set of A records with 5-second TTLs.<br>
<br>
Any one dig returns the CNAME and a single IP address:<br>
<br>
dig <a href="http://our-domain.s3-website-ap-southeast-2.amazonaws.com" rel="noreferrer" target="_blank">our-domain.s3-website-ap-southeast-2.amazonaws.com</a>.<br>
<a href="http://our-domain.s3-website-ap-southeast-2.amazonaws.com" rel="noreferrer" target="_blank">our-domain.s3-website-ap-southeast-2.amazonaws.com</a>. 14 IN CNAME s3-<br>
<a href="http://website-ap-southeast-2.amazonaws.com" rel="noreferrer" target="_blank">website-ap-southeast-2.amazonaws.com</a>.<br>
<a href="http://s3-website-ap-southeast-2.amazonaws.com" rel="noreferrer" target="_blank">s3-website-ap-southeast-2.amazonaws.com</a>. 5 IN A 52.95.134.145<br>
<br>
If the query is multiply repeated, the returned IP address changes, roughly every five seconds.<br>
<br>
What's interesting is the name attached to the A records, which does not include "our-domain". It seems to be a record pointing to ALL S3 websites in the region. And all of the addresses I saw reverse-resolve to that one name. So there is definitely some under-the-bonnet magic discrimination going on.<br>
<br>
In Route53 the picture is very different, with the published website host name (think "<a href="http://our-domain.com.au" rel="noreferrer" target="_blank">our-domain.com.au</a>") resolving to four IP addresses that are all returned in the response to a single dig query. There is an A-ALIAS (a non-standard AWS record type) that points to a CloudFront distribution that has the relevant S3 bucket as its origin.<br>
<br>
Using the CNAME bypasses the CloudFront distribution unless steps are taken to forbid direct access to the bucket. It would be usual to use (and enforce) access via CloudFront, if for no other reason than to provide for HTTPS access. <br>
<br>
---<br>
<br>
So, depending on what query you make... you get very different answers. For example. If you try <a href="http://s3.amazon.com" rel="noreferrer" target="_blank">s3.amazon.com</a> you get a CNAME to a <a href="http://rewrite.amazon.com" rel="noreferrer" target="_blank">rewrite.amazon.com</a> which seems reasonable for any subdomain request that they would have a better response for. <br>
<br>
I don't remember, and they may be moving to deterministic subdomains as you've shown above, and only "legacy" uses go to <a href="http://s3.amazonaws.com" rel="noreferrer" target="_blank">s3.amazonaws.com</a>. I remember hearing a big uproar about it. Perhaps an AWS person will chime in with some color on this.<br>
<br>
So deterministic subdomain to a group of relatively deterministic endpoints, even round-robin, makes sense to me as in... "usual in the practice of the art." Even if those systems end up being load balancers for other systems behind them.<br>
<br>
The <a href="http://s3.amazonaws.com" rel="noreferrer" target="_blank">s3.amazonaws.com</a> is different than that. I'm guessing that no one (else) uses this sort of single IP from a pool trick and therefore it's not standard. Further, given that AWS appears to be moving *back* to the traditional way of doing things, there must be undesirable limitations to this model.<br>
<br>
[just spitballing here]<br>
<br>
Deepak<br>
</blockquote></div>