How do I troubleshoot issues with DNS record resolution for my public hosted zone in Route 53?

Last updated: 2021-04-19

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check for domain status issues

1.    Use the following command to check the domain status:

whois domain_name | grep 'status'

If the domain status (the Extensible Provisioning Protocol (EPP) status code) is "inactive" or "ServerHold", the domain won't resolve.

2.    If your domain status is "inactive" or "ServerHold", then contact the domain registrar to help you fix the domain status.

Use the following command to determine the domain registrar:

whois domain_name | grep 'Registrar'

Query your preferred Whois utility (domain registration lookup tool) for generic or country-specific top-level domains (TLDs).

Check for name server issues

Confirm that the authoritative name server is correctly configured at your domain registrar. To find the authoritative name servers, check the value in the name server (NS) resource record set of the Route 53 public hosted zone.

Use the following command to check the name server configuration at your registrar:

whois domain_name | grep 'Name Server'

For example, the output for whois example.com | grep 'Name Server' is:

Name Server: NS-1125.AWSDNS-12.ORG
Name Server: NS-1774.AWSDNS-29.CO.UK
Name Server: NS-272.AWSDNS-34.COM
Name Server: NS-985.AWSDNS-59.NET

If the name servers in your public hosted zone and the whois output don't match, see Adding or changing name servers or glue records.
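The three whois checks above can be applied to saved whois output and compared against the hosted zone's NS record set. The following script is an added example, not part of the AWS article: the whois text and the hosted-zone NS list it parses are constructed samples (the AWSDNS host names are taken from the article's own example output), and whois output formats vary by registry, so the "Status:", "Registrar:" and "Name Server:" line patterns are assumptions to adjust for your TLD.

```shell
#!/bin/sh
# Added example (not from the AWS article). Parse saved whois output for the
# EPP status, the registrar, and the delegated name servers, then compare the
# delegation with the NS record set of the Route 53 public hosted zone.
# Usage with real data: whois example.com > whois.txt; domain_on_hold "$(cat whois.txt)"

# Constructed whois output for a healthy domain (format is an assumption).
WHOIS_OK='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS-1125.AWSDNS-12.ORG
Name Server: NS-1774.AWSDNS-29.CO.UK
Name Server: NS-272.AWSDNS-34.COM
Name Server: NS-985.AWSDNS-59.NET'

# Constructed whois output for a domain the registry has placed on hold.
WHOIS_HOLD='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server: NS-1125.AWSDNS-12.ORG'

# Constructed NS record set as copied from the hosted zone (trailing dots, lowercase).
ZONE_NS='ns-1125.awsdns-12.org.
ns-1774.awsdns-29.co.uk.
ns-272.awsdns-34.com.
ns-985.awsdns-59.net.'

# Print the EPP status codes (the first token after "Status:"), one per line.
whois_status() {
    printf '%s\n' "$1" | sed -n 's/^.*[Ss]tatus: *\([^ ]*\).*/\1/p'
}

# Return 0 (true) when a status code from the article's list means the domain will not resolve.
domain_on_hold() {
    whois_status "$1" | grep -iqE '^(inactive|serverHold)$'
}

# Print the registrar to contact about a held domain.
whois_registrar() {
    printf '%s\n' "$1" | sed -n 's/^ *Registrar: *//p' | head -n 1
}

# Normalise a list of name servers read from stdin: lowercase, no trailing dot, sorted, unique.
normalize_ns() {
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# Print the name servers the registrar has delegated to, normalised.
whois_ns() {
    printf '%s\n' "$1" | sed -n 's/^ *Name Server: *//p' | normalize_ns
}

# Return 0 when the registrar's delegation is exactly the hosted zone's NS record set.
ns_match() {
    [ "$(whois_ns "$1")" = "$(printf '%s\n' "$2" | normalize_ns)" ]
}

# Human-readable summary of all three checks for one whois capture.
delegation_report() {
    if domain_on_hold "$1"; then
        echo "status: domain on hold, contact registrar: $(whois_registrar "$1")"
    else
        echo "status: ok"
    fi
    if ns_match "$1" "$2"; then
        echo "delegation: matches hosted zone"
    else
        echo "delegation: MISMATCH, fix name servers at registrar"
    fi
}
```

Case differences and trailing dots are normalised on both sides before the comparison, because the Route 53 console shows the NS values with a trailing dot while most whois servers print them upper-case without one; a byte-for-byte comparison would report a false mismatch.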

Check for record set issues

Use the following command to check whether you created the required DNS record in the hosted zone in Route 53:

dig domain_name record_type

For example, the output of $ dig amazon.com A is:

; <<>> DiG 9.10.6 <<>> amazon.com +question
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29804
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;amazon.com.            IN    A
;; ANSWER SECTION:
amazon.com.        44    IN    A    54.239.28.85
amazon.com.        44    IN    A    205.251.242.103
amazon.com.        44    IN    A    176.32.103.205
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 19 20:28:51 IST 2021
;; MSG SIZE  rcvd: 87

Note: The record type is listed in the Type column of the corresponding resource record set. For more information, see Supported DNS record types.

Check for source issues

For local browsers or mobile devices:

  • Clear your browser cache and then try to access the domain.
  • Check whether you're requesting the correct domain. Mobile device browsers might append "www" when requesting the domain.

For an on-premises machine connected to an Amazon Virtual Private Cloud (Amazon VPC), or an AWS resource that uses the VPC .2 Resolver:

If you have private and public hosted zones with overlapping namespaces, such as "example.com" and "accounting.example.com", then Resolver routes traffic based on the most specific match. If there's a matching private hosted zone but no record that matches the domain name and type in the request, then Resolver doesn't forward the request to a public DNS resolver. Instead, it returns an NXDOMAIN (non-existent domain) error to the client. If you unintentionally created a private hosted zone with overlapping namespaces, you can delete the private hosted zone.

Check for record caching issues

1.    Use the following command to check whether the record value returned by your DNS resolver matches the value returned by the authoritative name server. If the domain isn't resolving to the expected IP address, the DNS resolver might have cached an old value. If the domain is resolving to an unexpected IP address, also clear your browser cache.

dig domain_name record_type @authoritative_name_server

For example, the output for $ dig amazon.com @NS-1125.AWSDNS-12.ORG is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @NS-1125.AWSDNS-12.ORG

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63711
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        60    IN    A    205.251.242.103
amazon.com.        60    IN    A    54.239.28.85
amazon.com.        60    IN    A    176.32.103.205

;; Query time: 2 msec
;; SERVER: 208.78.70.31#53(208.78.70.31)
;; WHEN: Fri Mar 19 15:08:52 2021
;; MSG SIZE  rcvd: 76

2.    Use the following command to check if you're seeing the same results with the public resolver. If the public resolver is returning the expected answer, the issue is likely with the DNS resolver on the local machine.

dig domain_name record_type @public_resolver_ip

For example, the output for $ dig amazon.com @1.1.1.1 is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26860
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        15    IN    A    205.251.242.103
amazon.com.        15    IN    A    54.239.28.85
amazon.com.        15    IN    A    176.32.103.205

;; Query time: 1 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 19 15:09:41 2021
;; MSG SIZE  rcvd: 76

Check for DNSSEC issues

Confirm that you've correctly configured DNSSEC for your domain. Use the DNSSEC analyzer tool or your preferred utility to see if there are DNSSEC issues with the domain.

Bypass DNSSEC validation (the +cd flag sets "checking disabled") and see whether you get the expected results:

dig domain_name +cd

For example, the output for $ dig amazon.com +cd is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55636
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        29    IN    A    205.251.242.103
amazon.com.        29    IN    A    176.32.103.205
amazon.com.        29    IN    A    54.239.28.85

;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 19 15:10:13 2021
;; MSG SIZE  rcvd: 76
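The comparisons in the "record caching" and "DNSSEC" sections (resolver answer versus authoritative answer, public resolver versus local resolver, and plain query versus +cd query) can be scripted over saved dig output. The following is an added example, not part of the AWS article: every dig capture in it is constructed for the demonstration, using documentation address ranges, and the assumption is that dig output keeps the header, flags and ANSWER SECTION layout shown in the article.

```shell
#!/bin/sh
# Added example (not from the AWS article). Parse saved dig output and apply
# the article's two comparisons: do the resolver's answers match the
# authoritative server's, and does a query succeed only with DNSSEC
# validation bypassed (+cd)? All captures below are constructed.
# Usage with real data: dig example.com A @ns-1125.awsdns-12.org > auth.txt
#                       answers_match "$(dig example.com A)" "$(cat auth.txt)"

# Constructed: answer from the authoritative name server (note the "aa" flag).
DIG_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63711
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.        60    IN    A    192.0.2.10
example.com.        60    IN    A    192.0.2.11'

# Constructed: stale answer from a local caching resolver (one address is old).
DIG_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26860
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.        15    IN    A    192.0.2.10
example.com.        15    IN    A    198.51.100.7'

# Constructed: a validating resolver rejecting a broken DNSSEC chain...
DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# ...and the same query with +cd, which now answers.
DIG_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55637
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.        29    IN    A    192.0.2.10
example.com.        29    IN    A    192.0.2.11'

# Print the RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...) from the header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Return 0 when the flags line carries the given flag (aa = authoritative answer, cd = checking disabled).
dig_has_flag() {
    printf '%s\n' "$1" | grep '^;; flags:' | sed 's/^;; flags: //; s/;.*//' \
        | tr ' ' '\n' | grep -qx "$2"
}

# Print the rdata of ANSWER SECTION records of the given type, sorted for set comparison.
dig_answers() {
    printf '%s\n' "$1" | awk -v t="$2" '!/^;/ && $3 == "IN" && $4 == t {print $5}' | sort
}

# Return 0 when two captures carry identical A record sets (order-insensitive).
answers_match() {
    [ "$(dig_answers "$1" A)" = "$(dig_answers "$2" A)" ]
}

# Print the A records the resolver ($1) returned that the authoritative server ($2)
# did not: the values a stale cache is still serving.
stale_answers() {
    auth=$(dig_answers "$2" A)
    for ip in $(dig_answers "$1" A); do
        printf '%s\n' "$auth" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Return 0 when the plain query ($1) fails with SERVFAIL but the +cd query ($2)
# succeeds: the data is reachable, so it is the DNSSEC validation that fails.
dnssec_validation_failure() {
    [ "$(dig_status "$1")" = SERVFAIL ] && [ "$(dig_status "$2")" = NOERROR ]
}
```

The same `answers_match` call serves step 2 of the caching section: compare the capture from a public resolver with the one from the local resolver, and if the public resolver agrees with the authoritative server while the local one does not, the stale entry is in the local resolver. Before trusting an "authoritative" capture, confirm it has the `aa` flag; an answer without it came from a cache somewhere along the path.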
