How can I troubleshoot DNS resolution issues with my Route 53 private hosted zone?

Last updated: 2020-04-21

I created a private hosted zone for my domain in Amazon Route 53. However, the domain name resolution isn't working in my virtual private cloud (VPC). How can I troubleshoot this issue?

Resolution

First, use the dig or nslookup command to examine your configuration. If these commands return an error, or reveal settings that differ from what you intended, follow these troubleshooting steps:

  1. Confirm that the correct VPC ID is associated with the private hosted zone. Also, be sure that you're querying the domain from within the same VPC. You can use the get-hosted-zone command to get a list of VPCs associated with your hosted zone.
  2. Confirm that the DNS hostnames and DNS resolution parameters are enabled in your VPC. To do this, check your VPC settings.
  3. Check your VPC settings to see if you configured Custom DNS Servers. If you configured this setting, confirm that you set the servers to forward DNS queries for the private domain to the IP address of the Amazon-provided DNS servers of your VPC. For example, if the CIDR range for your VPC is 10.0.0.0/16, then the IP address of the VPC DNS server is 10.0.0.2 (the VPC network range plus two). 
    Note: Private hosted zones are resolvable only through the VPC DNS.
  4. Check for multiple private hosted zones with overlapping namespaces. If there are multiple zones with overlapping namespaces (such as example.com and test.example.com), then the Route 53 Resolver routes traffic to the hosted zone based on the most specific match. If there's a matching zone but no record that matches the domain name and type in the request, then Resolver doesn't forward the request to another zone or a public DNS resolver. Instead, Resolver returns NXDOMAIN (non-existent domain) to the client.
  5. Check if you have NS record configured for the subdomain in the private hosted zone of the parent domain.
    Note: In a private hosted zone, name server (NS) records aren't supported for delegating the responsibility for a subdomain.
  6. Confirm that you configured a routing policy that's supported by a private hosted zone. The supported routing policies are:
    Simple routing
    Multivalue answer routing
    Failover routing
    Weighted routing
  7. Check if you're using Resolver with an outbound endpoint. For more information, see Resolving DNS queries between VPCs and your network. If both of the following conditions are true, then the Resolver rule takes precedence:
    You have a Resolver rule to route traffic to your network for your private hosted zone's domain
    You have a Resolver rule associated to the same VPC that's also associated to the private hosted zone