How does DNS work, and how do I troubleshoot partial DNS failures?

AWS customers use domain names to connect to AWS resources, which are resolved using the Domain Name System (DNS). DNS, introduced in RFC 1034, is used to route users to Internet applications by translating easy-to-remember names (for example, www.example.com) into numeric IP addresses like 192.0.2.1, in a process called “DNS resolution.” An authoritative name server resolves a domain name to an IP address and passes the IP address through the chain of DNS resolvers to the client (for example, the computer of someone requesting to view a website). The client then uses that IP address to connect to the server where the website is hosted, and the server provides the website to the client. When DNS isn’t functioning correctly, DNS servers can’t resolve domain names, and therefore can’t provide clients the IP address of the server the website is hosted on; this means those websites can no longer be accessed from the Internet. AWS takes precautions to ensure that AWS domain names are resolvable at all times by using Amazon Route 53 as well as third-party service providers.

DNS is a large distributed hierarchical database, meaning that each domain is required to have a set of authoritative name servers answering questions about resource records for the domain. This set of authoritative name servers is under the control of the domain owner, though most domain owners delegate to a proxy to provide DNS service.

When a client needs to resolve the IP address of a domain name, the client machine hands off this process to a resolver, which finds the IP address and returns it to the client. This process works as follows:

  1. The resolver, which is preconfigured with a list of root name servers, randomly selects one of these root name servers and asks it for a list of authoritative name servers for the top-level domain (TLD).
  2. The root name server responds with a list of authoritative name servers for the TLD, as well as their IP addresses.
  3. The resolver randomly selects one of the name servers returned in step 2 and asks it for a list of authoritative name servers for the domain.
  4. The TLD server responds with a list of name servers that are authoritative for the domain.
  5. The resolver randomly selects one, and requests the IP address of the resource record from that authoritative name server.

DNS providers serve from multiple geographies, and usually rely on cached results to improve availability; this can help to avoid temporary issues with DNS resolvers, but might also prolong recovery if bad results are cached (for example, due to negative caching). We ensure external DNS issues don't affect DNS resolution of AWS domain names within an EC2 region.

A typical DNS failure is when one or more authoritative name servers stop responding. Consider a hypothetical domain with the following list of authoritative name servers (also known as a delegation set):

  • ns-576.awsdns-08.net.
  • ns-1086.awsdns-07.org.
  • ns-1630.awsdns-11.co.uk.
  • ns-47.awsdns-05.com.
  • pdns1.ultradns.net.
  • pdns6.ultradns.co.uk.

If a name server is unavailable, it can’t respond to a DNS query directed to it; if the resolver doesn’t receive an answer, it can retry the query against a different authoritative name server. If the authoritative name servers do not respond, or respond with unexpected information, the local resolver returns a SERVFAIL response to the client.

To troubleshoot DNS failures on Linux-based operating systems, use the dig command. By default, dig sends its query to the DNS server configured in the /etc/resolv.conf file of your host.

$ dig www.amazon.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> www.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.com.    IN    A

;; ANSWER SECTION:
www.amazon.com.        41    IN    A    54.239.17.6

;; Query time: 1 msec
;; SERVER: 10.108.0.2#53(10.108.0.2)
;; WHEN: Fri Oct 21 21:43:11 2016
;; MSG SIZE rcvd: 48

In the preceding example, the answer section shows that 54.239.17.6 is the IP address of the HTTP server for www.amazon.com.

If you add the +trace option, dig walks the delegation chain itself, starting at the root name servers and following each referral down to the name servers that are authoritative for the record:

$ dig +trace www.amazon.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> +trace www.amazon.com
;; global options: +cmd
.        518400    IN    NS    J.ROOT-SERVERS.NET.
.        518400    IN    NS    K.ROOT-SERVERS.NET.
.        518400    IN    NS    L.ROOT-SERVERS.NET.
;; Received 508 bytes from 10.108.0.2#53(10.108.0.2) in 31 ms

com.        172800    IN    NS    a.gtld-servers.net.
com.        172800    IN    NS    b.gtld-servers.net.
com.        172800    IN    NS    c.gtld-servers.net.
;; Received 492 bytes from 193.0.14.129#53(193.0.14.129) in 93 ms

amazon.com.        172800    IN    NS    pdns1.ultradns.net.
amazon.com.        172800    IN    NS    pdns6.ultradns.co.uk.
;; Received 289 bytes from 192.33.14.30#53(192.33.14.30) in 201 ms

www.amazon.com.    900    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.    900    IN    NS    ns-1568.awsdns-04.co.uk.
www.amazon.com.    900    IN    NS    ns-277.awsdns-34.com.
;; Received 170 bytes from 204.74.108.1#53(204.74.108.1) in 87 ms

www.amazon.com.    60     IN    A    54.239.26.128
www.amazon.com.    1800   IN    NS   ns-1019.awsdns-63.net.
www.amazon.com.    1800   IN    NS   ns-1178.awsdns-19.org.
;; Received 186 bytes from 205.251.195.251#53(205.251.195.251) in 7 ms

You can also perform a query that returns only the name servers:

$ dig -t NS www.amazon.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> -t NS www.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48631
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.com.        IN    NS

;; ANSWER SECTION:
www.amazon.com.        490    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.        490    IN    NS    ns-1178.awsdns-19.org.
www.amazon.com.        490    IN    NS    ns-1568.awsdns-04.co.uk.
www.amazon.com.        490    IN    NS    ns-277.awsdns-34.com.

;; Query time: 0 msec
;; SERVER: 10.108.0.2#53(10.108.0.2)
;; WHEN: Fri Oct 21 21:48:20 2016
;; MSG SIZE rcvd: 170

In this example, www.amazon.com has the following 4 authoritative name servers:

  • ns-1019.awsdns-63.net.
  • ns-1178.awsdns-19.org.
  • ns-1568.awsdns-04.co.uk.
  • ns-277.awsdns-34.com.

Any of these servers should be able to authoritatively answer questions about the www.amazon.com host name. You can also point dig at a specific name server (with the @server syntax), which lets you check whether every authoritative name server for a given domain answers correctly.

The following is the output of a query for www.amazon.com sent directly to one of its authoritative name servers (ns-1019.awsdns-63.net); the server responds that www.amazon.com is available at 54.239.25.192:

$ dig www.amazon.com @ns-1019.awsdns-63.net.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> www.amazon.com @ns-1019.awsdns-63.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.amazon.com.    IN    A

;; ANSWER SECTION:
www.amazon.com.        60    IN    A    54.239.25.192

;; AUTHORITY SECTION:
www.amazon.com.        1800    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.        1800    IN    NS    ns-1178.awsdns-19.org.
www.amazon.com.        1800    IN    NS    ns-1568.awsdns-04.co.uk.

;; Query time: 7 msec
;; SERVER: 205.251.195.251#53(205.251.195.251)
;; WHEN: Fri Oct 21 21:50:00 2016
;; MSG SIZE rcvd: 186

The following line of the response shows that the server answered authoritatively:

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

The presence of the aa flag indicates that the name server ns-1019.awsdns-63.net gave us an authoritative answer for the resource record www.amazon.com.
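Querying each authoritative name server directly, as described above, produces one dig output per server; the following Python is an added example (not code from the AWS page) that parses those outputs and classifies each server's reply using the status code and the aa flag, so that a partial failure (some servers answering correctly, others not) stands out. The sample replies are constructed from the outputs shown on this page; the SERVFAIL reply and the timed-out server are assumed for illustration, not observed.

```python
import re

# Constructed sample replies modelled on the dig output above (not live data):
# one server answers authoritatively, one returns SERVFAIL, one never answers.
SAMPLE_REPLIES = {
    "ns-1019.awsdns-63.net.": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31712\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0\n\n"
        ";; QUESTION SECTION:\n;www.amazon.com.    IN    A\n\n"
        ";; ANSWER SECTION:\nwww.amazon.com.        60    IN    A    54.239.25.192\n\n"),
    "ns-1178.awsdns-19.org.": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"),
    "ns-1568.awsdns-04.co.uk.": ";; connection timed out; no servers could be reached\n",
}

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
ANSWER_RE = re.compile(r"^;; ANSWER SECTION:\n(.*?)(?:\n\n|\Z)", re.M | re.S)
A_RR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", re.M)

def parse_dig(text):
    """Return (status, flags, A addresses); status is None if dig printed no header."""
    header = HEADER_RE.search(text)
    if header is None:
        return None, set(), []          # e.g. ';; connection timed out'
    flags_m = FLAGS_RE.search(text)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    answer = ANSWER_RE.search(text)
    addrs = A_RR_RE.findall(answer.group(1)) if answer else []
    return header.group(1), flags, addrs

def classify(reply):
    """Verdict for one authoritative server's reply to a direct A query."""
    status, flags, addrs = parse_dig(reply)
    if status is None:
        return "no-answer"              # unreachable; a resolver would retry another server
    if status != "NOERROR":
        return status.lower()           # e.g. servfail, refused
    if "aa" not in flags:
        return "not-authoritative"      # delegated to, but not actually serving the zone
    return "ok" if addrs else "empty-answer"

def check_delegation(replies):
    """Verdict per server; differing addresses across 'ok' servers are normal for
    weighted or latency-based records, so only the verdicts are compared."""
    return {ns: classify(text) for ns, text in replies.items()}

def is_partial_failure(verdicts):
    ok = [v == "ok" for v in verdicts.values()]
    return any(ok) and not all(ok)      # some, but not all, servers answered correctly
```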

On Windows-based operating systems, use the nslookup utility. nslookup returns the IP address associated with a host name, as in the following example:

C:\>nslookup www.amazon.com
Server:     ip-10-20-0-2.ec2.internal
Address:    10.20.0.2

Non-authoritative answer:
Name:       www.amazon.com
Address:    54.239.25.192

To determine the authoritative name servers for a host name using the nslookup utility, use the -type=NS flag:

C:\>nslookup -type=NS www.amazon.com
Server:     ip-10-20-0-2.ec2.internal
Address:    10.20.0.2

Non-authoritative answer:
www.amazon.com    nameserver = ns-277.awsdns-34.com
www.amazon.com    nameserver = ns-1019.awsdns-63.net
www.amazon.com    nameserver = ns-1178.awsdns-19.org

To see whether ns-277.awsdns-34.com, one of the authoritative name servers for www.amazon.com, responds correctly to a query for www.amazon.com, use the following syntax:

C:\>nslookup www.amazon.com ns-277.awsdns-34.com
Server:     UnKnown
Address:    205.251.193.21

Name:       www.amazon.com
Address:    54.239.25.200


Published: 2016-12-05