Why isn't the alias record pointing to my CloudFront distribution resolving?

Last updated: 2021-05-20

I've configured an alias record pointing to my Amazon CloudFront distribution in an Amazon Route 53 public hosted zone. However, I can't resolve the record over the internet. How do I troubleshoot this issue?

Short description

Clients might be unable to resolve the alias record pointing to a CloudFront distribution if:

  • The alias record corresponding to the CloudFront distribution is misconfigured
  • The alias record wasn't created in the authoritative hosted zone for the domain
  • The status of the domain is inactive, serverHold, or clientHold
  • A health check associated with the alias record is unhealthy
  • The record hasn't propagated globally yet, or a resolver is still serving a cached answer
  • The DS records are incorrect (when DNSSEC is enabled for the domain)

Resolution

Check the alias record type

If the alias record is misconfigured, then the DNS record won't resolve as expected. CloudFront alias record types must be configured as Type A (rather than CNAME).

To confirm the Route 53 alias record type:

1.    Open the Route 53 console.

2.    In the navigation pane, choose Hosted Zones.

3.    Select the hosted zone for your domain.

4.    Choose the Route 53 alias record for your domain.

5.    In the Edit Record Set pane, confirm that the Record type for the Alias record is set to A. If not, update the record.

6.    Choose Save Record Set.

Check the domain name servers configured at the registrar

When you create a hosted zone for your domain, Route 53 assigns a set of four name servers to the hosted zone. The hosted zone is used for your domain resolution only if its name servers are specified at the domain’s registrar.

Confirm that your registrar lists the same four authoritative name servers as those assigned to the hosted zone where you created the alias record. To check the name servers configured at the registrar, perform a whois lookup on your domain using the following command:

$ whois domain-name | grep 'Name Server'

Review the name servers assigned to your hosted zone. If the name servers don't match the whois lookup results, then your hosted zone isn't being used for domain resolution. You must update the name servers at the domain registrar. If the domain is registered with Route 53, then see Adding or changing name servers and glue records for a domain. If the domain is registered with a third party, then refer to their documentation for steps on how to update the name servers.

Check the domain status

If the domain status is inactive, serverHold, or clientHold, then the domain won't resolve. You can check the status of the domain using the whois lookup command:

$ whois domain-name | grep 'Domain Status'

Check for health checks associated with the alias record

If there's a health check associated with the alias record, then check the status of the health check. The value returned during the DNS lookup depends on the routing policies and health check configuration of the record.

Check the record propagation

Route 53 propagates updates you make to your DNS records to its global network of authoritative DNS servers within 60 seconds under normal conditions. However, caching DNS resolvers are outside the control of the Route 53 service, and they cache your resource record sets for the duration of the records' TTL value.

The local resolver keeps serving the previous record value until the configured TTL expires. Resolvers can also apply negative caching: an NXDOMAIN answer returned by the authoritative name servers (for example, from a query made before the record existed) is cached for the negative-caching TTL of the zone. To determine whether negative caching is the issue in your scenario, send a query directly to a name server assigned to the hosted zone for your domain and check whether you get a response. For example:

$ dig domain-name @ns-2041.awsdns-63.co.uk

(If DNSSEC is enabled) Check the DS records

A Delegation Signer (DS) record establishes a chain of trust between the parent and child hosted zones when DNSSEC is enabled. This record contains a digest of the public key-signing key (KSK) used to sign a DNS zone's zone-signing key (ZSK), together with the signing algorithm type. The DS record must be added to the parent zone of a delegation, and it is authoritative data in the parent zone.

For example, the DS record for "example.com" is stored in the ".com" zone (the parent zone) rather than the "example.com" zone (child zone). You can create a DS record by providing the public KSK and the signing algorithm type to your domain registrar. The domain registrar forwards the public KSK and the algorithm type to the registry for the top-level domain.
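The following shell script is an added example, not part of the AWS article, that automates the whois and dig checks described in this resolution: registrar delegation versus the hosted zone's name servers, domain hold status, a direct query to a hosted-zone name server (bypassing resolver caches), and the DS record published at the parent zone. It assumes the hosted zone's name servers are passed on the command line as copied from the Route 53 console; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added troubleshooting helper (not AWS code). Usage:
#   ./check_alias.sh example.com ns-1.awsdns-00.com ns-2041.awsdns-63.co.uk
# First argument is the domain; the rest are the hosted zone's name servers
# copied from the console (placeholder host names above).

# Normalise a newline-separated name-server list: lowercase, strip trailing
# dots, drop blank lines, sort and dedupe, so whois and console output compare.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Return 0 when the registrar's name servers equal the hosted zone's.
ns_match() {
    [ "$(printf '%s\n' "$1" | normalize_ns)" = "$(printf '%s\n' "$2" | normalize_ns)" ]
}

# Print any inactive/serverHold/clientHold EPP status found in whois output;
# prints nothing when the domain is not on hold.
hold_statuses() {
    grep -i 'Domain Status' | grep -oE 'serverHold|clientHold|inactive' | sort -u
}

if [ $# -ge 2 ]; then
    domain=$1; shift
    hz_ns=$(printf '%s\n' "$@")
    whois_out=$(whois "$domain" 2>/dev/null || true)
    reg_ns=$(printf '%s\n' "$whois_out" | grep -i 'Name Server' | awk '{print $NF}')

    if ns_match "$hz_ns" "$reg_ns"; then
        echo "OK: registrar delegates to the hosted zone's name servers"
    else
        echo "FAIL: registrar name servers differ from the hosted zone:"
        printf '%s\n' "$reg_ns" | sed 's/^/  /'
    fi

    holds=$(printf '%s\n' "$whois_out" | hold_statuses)
    if [ -n "$holds" ]; then echo "FAIL: domain status: $holds"; else echo "OK: no hold status"; fi

    # Ask one hosted-zone name server directly so resolver caching cannot hide the answer.
    first_ns=$(printf '%s\n' "$hz_ns" | head -n 1)
    answer=$(dig +short A "$domain" "@$first_ns")
    if [ -n "$answer" ]; then echo "OK: $first_ns answers A $domain -> $answer"
    else echo "FAIL: no A record for $domain from $first_ns (check alias type and record name)"; fi

    # With DNSSEC enabled, the DS record must be present in the parent zone.
    echo "DS at parent: $(dig +short DS "$domain")"
fi
```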
