By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How can I troubleshoot Route 53 private hosted zone DNS resolution issues?

4 minute read
0

I created a private hosted zone for my domain in Amazon Route 53. However, DNS isn't working in my virtual private cloud (VPC).

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

  1. Confirm that the correct VPC ID is associated with the private hosted zone. Use the AWS CLI command get-hosted-zone to get a list of VPCs associated with your hosted zone. Or, use list-hosted-zone-by-vpc to get a list of private hosted zones associated with a specific VPC.
    Note: Make sure that you're querying the domain from within the same VPC.

  2. Confirm that the DNS hostnames and DNSSupport parameters are set to true in your VPC. To do this, check your VPC settings.

  3. Check the VPC settings to validate that you configured custom DNS servers in the DHCP option set. If configured, confirm that the DNS servers are set to forward DNS queries for the private domain to the Amazon-provided DNS servers of your VPC. For example, if the CIDR range for your VPC is 10.0.0.0/16, then the IP address of the VPC DNS server is 10.0.0.2. The IP address is the VPC network range plus two.
    Note: Private hosted zones are resolvable only through the VPC DNS.

  4. Review the resolver configuration settings of your source instance.

    • For Linux instances, use the cat /etc/resolv.conf and cat/etc/hosts files.
    • For macOS, see Change DNS Settings on Mac in the macOS user guide.
    • For Windows, complete the following steps:
      Choose Start, Network & Internet Settings.
      Choose Change adaptor options under Advanced network settings.
      Right-click on the network connection, and then choose Properties.
      Choose IPv4 properties, and then enter the preferred DNS IP address in DNS server addresses.

    Example: You configure the Rotate option in resolv.conf to load balance DNS queries between an Amazon-provided DNS server and a public name server. This configuration causes intermittent DNS resolution. Queries that reach the VPC DNS resolver associated with your private hosted zone are resolved. Queries routed to the public name server fail.

  5. Check for multiple private hosted zones with overlapping namespaces such as example.com and test.example.com. If there are overlapping namespaces, then the Resolver routes traffic to the hosted zone based on the most specific match. If there's a matching zone but no record that matches the domain name and type, then Resolver returns NXDOMAIN (non-existent domain) to the client. The Resolver doesn't forward the request to another zone or public DNS resolver in this case. Confirm that the correct record is configured in the most specific private hosted zone for successful DNS resolution.

  6. Confirm that you don't have an NS record configured for the subdomain in the private hosted zone of the parent domain.
    Note: In a private hosted zone, name server (NS) records aren't supported for delegating the responsibility for a subdomain.

  7. Confirm that you configured a routing policy that's supported by a private hosted zone. The supported routing policies are:

    • Simple routing
    • Failover routing
    • Multivalue answer routing
    • Weighted routing
    • Latency-based routing
    • Geolocation routing

  8. Check that you're using Resolver with an outbound endpoint. If both of the following conditions are true, then the Resolver rule takes precedence:

    • You have a Resolver rule to route traffic to your network for your private hosted zone's domain.
    • You have a Resolver rule associated to the same VPC that's also associated to the private hosted zone.

    For more information, see Resolving DNS queries between VPCs and your network.

  9. Confirm that the Resolver rule and inbound endpoint of the VPC aren't causing a query loop. You create a loop if you do following:

    • Create target IP addresses in a Resolver forwarding rule point to inbound endpoints of a VPC.
    • Associate the endpoints with the private hosted zone and,
    • Associate the same resolver rule with the VPC.

  10. Confirm that the on-premises resolver sends a recursive request. Verify the resolution type using a packet capture on the DNS resolver (on-premises). Then, review the DNS flags (recursion desired = 0). You can also test the resolution by sending an iterative request using +norecurse with the dig command, or set "norecurse" with nslookup.

  11. Confirm that you configured the correct rule priorities for the Amazon-provided DNS. In general, the most specific rule takes priority. If the rules are at the same level, the priority is resolver rule, private hosted zone rule, and internal rule, respectively.

Related information

Working with private hosted zones

Which Amazon VPC options do I need to activate to use my private hosted zone?

Topics
Networking & Content Delivery
Tags
Amazon Route 53
Language
English

Related videos

Watch Anshika's video to learn more (4:44)
Watch Anshika's video to learn more (4:44)
AWS OFFICIAL
AWS OFFICIALUpdated a year ago
No comments

Relevant content