How do I troubleshoot issues with hosted zones in Route 53 that have the same domain names in different AWS accounts?

Last updated: 2021-05-20

How do I troubleshoot issues with hosted zones in Amazon Route 53 that have the same domain names in different AWS accounts?

Resolution

Public hosted zones with the same name in two accounts

You can create more than one hosted zone with the same name and add different records to each hosted zone. Route 53 assigns four name servers to every hosted zone, and the name servers are different for each hosted zone. When you update your registrar's name server records, be sure to use the Route 53 name servers for the appropriate hosted zone. You must use the hosted zone that contains the records that Route 53 should use when responding to queries for your domain. Route 53 won't return values for records in other hosted zones that have the same name.

For example:

In Account A, there's a hosted zone with the domain "101.example.com". Route 53 automatically assigned four name servers to the hosted zone:

  • ns-1701.awsdns-20.co.uk.
  • ns-487.awsdns-60.com.
  • ns-1410.awsdns-48.org.
  • ns-867.awsdns-44.net.

There's also a simple Type A record in Account A with the following details:

Record name             Type  Routing policy  Differentiator  Value/Route traffic to
test1.101.example.com   A     Simple          -               8.8.8.8

In Account B, there's a hosted zone with the same domain name ("101.example.com"). Route 53 automatically assigned four name servers to the hosted zone:

  • ns-869.awsdns-44.net.
  • ns-1332.awsdns-38.org.
  • ns-61.awsdns-07.com.
  • ns-1707.awsdns-21.co.uk.

This hosted zone also contains a simple Type A record with the following details:

Record name             Type  Routing policy  Differentiator  Value/Route traffic to
test2.101.example.com   A     Simple          -               8.8.8.8

If the registrar is updated with the name servers of the Account A hosted zone for 101.example.com, but the name servers of the Account B hosted zone for the same domain are not added at the registrar, you get the following dig output:

  • Dig output for Account A: NOERROR
# dig test1.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.101.example.com.    IN   A

;; ANSWER SECTION:
test1.101.example.com. 300    IN   A      8.8.8.8
  • Dig output for Account B: NXDOMAIN
dig test2.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489
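The following script is an added example, not AWS code, that carries out the check described above: it compares the NS set the registrar publishes for the domain with the delegation set of each same-named hosted zone, reports which zone (if any) is actually delegated, and predicts the NOERROR/NXDOMAIN status a public resolver will return for a record. The name-server sets and records are constructed from this article's scenario. In practice you would feed it the output of `dig +short NS 101.example.com` (the live delegation) and, for each zone, `aws route53 get-hosted-zone --id <ZONE_ID> --query DelegationSet.NameServers`; `normalize()` tolerates the trailing-dot and case differences between those two sources. It also flags a "split" delegation (some name servers from each zone), which the article does not show but which the same comparison catches.

```python
"""Determine which of several same-named Route 53 public hosted zones the
registrar actually delegates to, and predict the dig status for a record.

Added example; not AWS code. Name servers and records below are constructed
from the article's scenario (two zones named 101.example.com).
"""
from __future__ import annotations

from typing import Dict, Iterable, Mapping, Optional, Tuple

# Constructed: the four name servers Route 53 assigned to each account's zone.
HOSTED_ZONES: Dict[str, set] = {
    "Account A": {"ns-1701.awsdns-20.co.uk.", "ns-487.awsdns-60.com.",
                  "ns-1410.awsdns-48.org.", "ns-867.awsdns-44.net."},
    "Account B": {"ns-869.awsdns-44.net.", "ns-1332.awsdns-38.org.",
                  "ns-61.awsdns-07.com.", "ns-1707.awsdns-21.co.uk."},
}

# Constructed: the A records each zone holds (owner name -> value).
ZONE_RECORDS: Dict[str, Dict[str, str]] = {
    "Account A": {"test1.101.example.com.": "8.8.8.8"},
    "Account B": {"test2.101.example.com.": "8.8.8.8"},
}


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, exactly one trailing dot
    (dig prints names with a dot, the Route 53 API without one)."""
    return name.strip().lower().rstrip(".") + "."


def delegation_overlap(registrar_ns: Iterable[str],
                       zones: Mapping[str, Iterable[str]]) -> Dict[str, int]:
    """How many of the registrar's NS entries belong to each zone's set.
    4 on exactly one zone is healthy; a split such as 2/2 means the
    registrar was given name servers from both zones."""
    delegated = {normalize(n) for n in registrar_ns}
    return {label: len(delegated & {normalize(n) for n in ns})
            for label, ns in zones.items()}


def delegated_zone(registrar_ns: Iterable[str],
                   zones: Mapping[str, Iterable[str]]) -> Optional[str]:
    """Label of the zone whose delegation set equals the registrar's NS set,
    or None when no zone matches exactly."""
    delegated = {normalize(n) for n in registrar_ns}
    for label, ns_set in zones.items():
        if {normalize(n) for n in ns_set} == delegated:
            return label
    return None


def predict_answer(qname: str, registrar_ns: Iterable[str],
                   zones: Mapping[str, Iterable[str]] = HOSTED_ZONES,
                   records: Mapping[str, Mapping[str, str]] = ZONE_RECORDS,
                   ) -> Tuple[str, Optional[str]]:
    """Status a public resolver sees for qname: only the delegated zone's
    records are served, so a name that exists only in the other zone is
    NXDOMAIN even though that zone is perfectly valid in its own account."""
    label = delegated_zone(registrar_ns, zones)
    if label is None:
        return ("UNDETERMINED", None)   # mixed or foreign NS set: fix delegation first
    value = records[label].get(normalize(qname))
    return ("NOERROR", value) if value is not None else ("NXDOMAIN", None)


if __name__ == "__main__":
    # Scenario from the article: the registrar holds Account A's name servers.
    registrar = HOSTED_ZONES["Account A"]
    print("delegated to:", delegated_zone(registrar, HOSTED_ZONES))
    for name in ("test1.101.example.com", "test2.101.example.com"):
        print(name, "->", predict_answer(name, registrar))
    # A split delegation: two name servers from each zone.
    mixed = ["ns-1701.awsdns-20.co.uk", "ns-487.awsdns-60.com",
             "ns-869.awsdns-44.net", "ns-1332.awsdns-38.org"]
    print("overlap for mixed set:", delegation_overlap(mixed, HOSTED_ZONES))
```

Running it reproduces the article's result (test1 is NOERROR, test2 is NXDOMAIN while Account A's name servers are delegated); the overlap report is the quickest way to spot a registrar that was updated with a mixture of both zones' name servers, which gives intermittent answers depending on which server a resolver happens to ask.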

Private hosted zones with the same name in two accounts

Consider a scenario where Account A has a private hosted zone ("example.com") associated with VPC-A. The private hosted zone contains a simple Type A record. In this scenario, the dig output for the resource record from an instance in VPC-A of Account A is NOERROR.

Record name        Type  Routing policy  Differentiator  Value/Route traffic to
example.com        NS    Simple          -               ns-1536.awsdns-00.co.uk.
                                                         ns-0.awsdns-00.com.
                                                         ns-1024.awsdns-00.org.
                                                         ns-512.awsdns-00.net.
example.com        SOA   Simple          -               ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test1.example.com  A     Simple          -               1.1.1.1

  • Dig output for Account A: NOERROR
# dig test1.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.example.com.    IN   A

;; ANSWER SECTION:
test1.example.com.    60   IN   A   1.1.1.1

In Account B, there's another private hosted zone with the same name ("example.com") associated with VPC-B of Account B. This private hosted zone contains a simple Type A record. The dig output of the resource record from an instance in VPC-B of Account B is NOERROR.

Record name        Type  Routing policy  Differentiator  Value/Route traffic to
example.com        NS    Simple          -               ns-1536.awsdns-00.co.uk.
                                                         ns-0.awsdns-00.com.
                                                         ns-1024.awsdns-00.org.
                                                         ns-512.awsdns-00.net.
example.com        SOA   Simple          -               ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test2.example.com  A     Simple          -               2.2.2.2

  • Dig output for Account B: NOERROR
# dig test2.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test2.example.com.    IN   A

;; ANSWER SECTION:
test2.example.com.    60   IN   A   2.2.2.2

Note: Route 53 assigns the same four name servers to every private hosted zone, so the name servers don't tell the two zones apart; which zone answers depends only on which VPC the query comes from. Keep in mind that you can't associate the same VPC with two private hosted zones that have the same name.
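The following is an added example, not AWS code, that models the rule in the note above: for private hosted zones the name-server set is irrelevant, and the answer an instance gets is decided by the VPC-to-zone association of the VPC it runs in. The zone labels, VPC IDs and records are constructed from this article's scenario. `associate_vpc()` enforces the constraint that one VPC cannot be associated with two private zones of the same name, raising a locally defined `ConflictingDomainExists` that is named after the Route 53 API error returned for that case.

```python
"""Model how private hosted zone resolution is scoped by VPC association.

Added example; not AWS code. Two same-named private zones in different
accounts share the identical Route 53 name servers, so what decides the
answer is which zone the querying VPC is associated with. All zone labels,
VPC IDs and records are constructed.
"""
from __future__ import annotations

from typing import Dict, Optional, Set, Tuple

# Constructed: private zones keyed by "<account>/<name>", each with its
# domain name and A records. Both carry the name example.com.
PRIVATE_ZONES = {
    "A/example.com": {"name": "example.com.",
                      "records": {"test1.example.com.": "1.1.1.1"}},
    "B/example.com": {"name": "example.com.",
                      "records": {"test2.example.com.": "2.2.2.2"}},
}


class ConflictingDomainExists(Exception):
    """Local stand-in for the Route 53 API error raised when a VPC is
    associated with a second private zone that has the same name."""


def _fqdn(name: str) -> str:
    """Lowercase with exactly one trailing dot, for comparisons."""
    return name.strip().lower().rstrip(".") + "."


def associate_vpc(associations: Dict[str, Set[str]], vpc_id: str,
                  zone_label: str, zones=PRIVATE_ZONES) -> None:
    """Associate vpc_id with a private zone, refusing a second zone with the
    same domain name (re-associating the same zone is a no-op)."""
    zone_name = zones[zone_label]["name"]
    for existing in associations.get(vpc_id, set()):
        if existing != zone_label and zones[existing]["name"] == zone_name:
            raise ConflictingDomainExists(
                f"{vpc_id} is already associated with {existing} ({zone_name})")
    associations.setdefault(vpc_id, set()).add(zone_label)


def resolve_from_vpc(qname: str, vpc_id: str,
                     associations: Dict[str, Set[str]],
                     zones=PRIVATE_ZONES) -> Tuple[str, Optional[str]]:
    """Answer an instance in vpc_id would get: pick the associated private
    zone whose name is the longest suffix of qname, then look up the record."""
    q = _fqdn(qname)
    best: Optional[str] = None
    for label in associations.get(vpc_id, set()):
        zname = zones[label]["name"]
        if (q == zname or q.endswith("." + zname)) and (
                best is None or len(zname) > len(zones[best]["name"])):
            best = label
    if best is None:
        return ("NO_PRIVATE_ZONE", None)   # query would go to public DNS instead
    value = zones[best]["records"].get(q)
    return ("NOERROR", value) if value is not None else ("NXDOMAIN", None)


if __name__ == "__main__":
    assoc: Dict[str, Set[str]] = {}
    associate_vpc(assoc, "vpc-aaaa", "A/example.com")   # constructed VPC IDs
    associate_vpc(assoc, "vpc-bbbb", "B/example.com")
    for vpc in ("vpc-aaaa", "vpc-bbbb"):
        for name in ("test1.example.com", "test2.example.com"):
            print(vpc, name, "->", resolve_from_vpc(name, vpc, assoc))
    try:
        associate_vpc(assoc, "vpc-aaaa", "B/example.com")
    except ConflictingDomainExists as err:
        print("refused:", err)
```

With the article's layout, VPC-A answers NOERROR for test1 and NXDOMAIN for test2, VPC-B the reverse, exactly matching the two dig outputs above; and the attempt to associate VPC-A with Account B's zone is refused, which is the constraint to check first when a "missing" private record turns out to live in the other account's zone.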