How can I troubleshoot Route 53 private hosted zone DNS resolution issues?
Last updated: 2022-05-12
I created a private hosted zone for my domain in Amazon Route 53. However, DNS isn't working in my virtual private cloud (VPC). How can I troubleshoot this issue?
Follow these troubleshooting steps:
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
- Confirm that the correct VPC ID is associated with the private hosted zone. You can use the AWS CLI command get-hosted-zone to get a list of VPCs associated with your hosted zone.
Note: Make sure that you're querying the domain from within the same VPC.
- Confirm that the DNS hostnames and DNS resolution parameters are turned on in your VPC. To do this, check your VPC settings.
- Check the VPC settings to determine whether you configured custom DNS servers. If you did, confirm that you set those servers to forward DNS queries.
Note: The servers must forward DNS queries for the private domain to the IP address of the Amazon-provided DNS server of your VPC.
- If you configured custom DNS servers, then confirm that the servers forward DNS queries for the private domain to the IP address of the Amazon-provided DNS server of your VPC. For example, if the CIDR range for your VPC is 10.0.0.0/16, then the IP address of the VPC DNS server is 10.0.0.2. The IP address is the VPC network address plus two.
Note: Private hosted zones are resolvable only through the VPC DNS.
- Check for multiple private hosted zones with overlapping namespaces such as example.com and test.example.com. If there are overlapping namespaces, then the Route 53 Resolver routes traffic to the hosted zone based on the most specific match. If there is a matching zone, make sure that the record matches the domain name and type of request. If there isn't a matching zone, then Resolver doesn't forward the request to another zone or a public DNS resolver. Instead, Resolver returns NXDOMAIN (non-existent domain) to the client.
- Confirm that you have an NS record configured for the subdomain in the private hosted zone of the parent domain.
Note: In a private hosted zone, name server (NS) records aren't supported for delegating the responsibility for a subdomain.
- Confirm that you configured a routing policy that's supported by a private hosted zone. The supported routing policies are:
Multivalue answer routing
- Check if you're using Resolver with an outbound endpoint. If both of the following conditions are true, then the Resolver rule takes precedence:
You have a Resolver rule to route traffic to your network for your private hosted zone's domain
You have a Resolver rule associated to the same VPC that's also associated to the private hosted zone
For more information, see Resolving DNS queries between VPCs and your network.
- Check the DNS resolver configured for the EC2 instance. For Linux instances, run cat /etc/resolv.conf and cat /etc/hosts to review the resolver and hosts files. For Windows and macOS, see How to change your DNS server on Windows 10 and Mac.
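To make the overlapping-namespace step concrete, here is an added Python model (example code written for this page, not AWS tooling) of how Route 53 Resolver picks the most specific private hosted zone for a query and why a name missing from that zone gets NXDOMAIN instead of falling through to the parent zone or public DNS; it also includes the network-address-plus-two calculation for the VPC DNS server from the custom DNS servers step. The zone names and records are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the article): two private hosted zones with
# overlapping namespaces, both associated with the same VPC.
# Shape: zone name -> { record name -> { type -> [values] } }
SAMPLE_ZONES = {
    "example.com.": {
        "example.com.": {"A": ["10.0.1.10"]},
        "www.example.com.": {"A": ["10.0.1.11"]},
        # Created before the test.example.com zone existed; now shadowed by it.
        "host.test.example.com.": {"A": ["10.0.1.50"]},
    },
    "test.example.com.": {
        "test.example.com.": {"A": ["10.0.2.10"]},
        "app.test.example.com.": {"CNAME": ["app.internal.example.com."]},
    },
}

def _fqdn(name):
    """Normalise to a lowercase, dot-terminated name."""
    return name.lower().rstrip(".") + "."

def select_zone(zones, qname):
    """Most specific (longest) zone enclosing qname, or None if no zone matches.

    With overlapping zones the closest match wins, as the article describes."""
    q = _fqdn(qname)
    matches = [z for z in zones if q == _fqdn(z) or q.endswith("." + _fqdn(z))]
    return max(matches, key=len) if matches else None

def resolve(zones, qname, qtype):
    """Simulate a VPC client's answer as (rcode, values).

    Once a zone is selected, a missing name is NXDOMAIN: the Resolver does not
    fall through to a less specific private zone or to public DNS."""
    zone = select_zone(zones, qname)
    if zone is None:
        return ("NO_PRIVATE_ZONE", [])  # handled outside the private zones
    rrset = zones[zone].get(_fqdn(qname))
    if rrset is None:
        return ("NXDOMAIN", [])
    # Name exists but not with this type: NOERROR with an empty answer section.
    return ("NOERROR", rrset.get(qtype, []))

def vpc_dns_server(cidr):
    """Amazon-provided DNS address: the VPC network address plus two."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address + 2)
```

Querying host.test.example.com returns NXDOMAIN even though the parent zone still holds that record, which is the shadowing the overlapping-namespace step warns about.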