I received a conflicting DNS domain error while creating an interface VPC endpoint. How can I fix this?
Last updated: 2022-04-15
I'm creating a new interface Amazon Virtual Private Cloud (Amazon VPC) endpoint (AWS PrivateLink) for an AWS service, endpoint service, or approved AWS Marketplace service in my VPC. I received the following error message:
"private-dns-enabled cannot be set because there is already a conflicting DNS domain."
How can I troubleshoot this issue?
The following are common reasons for receiving a conflicting DNS domain error when creating an interface VPC endpoint:
- You already have an interface VPC endpoint for the same service in your VPC.
- Your VPC is already associated with a private hosted zone that covers the intended service name.
You already have an interface VPC endpoint for the same service in your VPC
If you turn on PrivateDNS when creating interface endpoints, then a private hosted zone is automatically created and associated with your VPC. AWS services and AWS Marketplace partner services have PrivateDNS turned on by default. So, creating a second interface VPC endpoint for the same service with PrivateDNS turned on causes the conflicting DNS domain error. To fix this, turn off the PrivateDNS option when creating the interface endpoint. Use endpoint-specific DNS hostnames for the second VPC interface endpoint for that service.
Note: For endpoint services, you see this error when turning on the PrivateDNS feature on the endpoints after they are created.
Your VPC is already associated with a private hosted zone that covers the intended service name
You can't create a new private hosted zone with the same namespace for a VPC that already has an existing private hosted zone attached to it. When you create an endpoint with PrivateDNS turned on, the creation of the interface endpoint fails, because the endpoint can't create a private hosted zone for the service name. To check if your VPC is associated with an existing private hosted zone, do one of the following:
- Navigate to your Amazon Route 53 console and check whether you already have a private hosted zone with the intended service name attached to your VPC. If your VPC is associated with an existing private hosted zone, then turn off the PrivateDNS option when creating the interface endpoint. Use endpoint-specific DNS hostnames of the interface endpoint to access it.
- In a central hub architecture, an account in your organization might create a private hosted zone for the service name and attach it to your VPC. In this case, you don't see the private hosted zone in your Route 53 console because the owner is a different account. Use the list-hosted-zones-by-vpc API call to list all hosted zones that your VPC is part of, including hosted zones from other accounts. If your VPC is associated with a private hosted zone in a different account, do the following:
  - Confirm that the A, Alias, or CNAME record points to an active VPC interface endpoint.
  - Then, use the interface endpoint for the service if the routing is in place. If you can't use it, turn off the PrivateDNS option and create a new interface endpoint.
Note: Run nslookup or dig from the VPC to perform DNS resolution for the service name. Determine if the service name is resolving to private IPs or public IPs. If it's resolving to private IPs, then there is a private hosted zone for the service name attached to your VPC.
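A small shell helper for the two checks above (the list-hosted-zones-by-vpc call and the dig test for private versus public addresses), added here as an example and not part of the AWS article; it assumes the AWS CLI and dig are installed and that the service name, VPC ID, and Region you pass are your own values. The private-address test covers the RFC 1918 ranges only; if your VPC uses other CIDRs, compare against the VPC CIDR instead.

```shell
# Added example, not from the AWS article. Classifies the addresses a service
# name resolves to and lists the hosted zones attached to a VPC. Assumes the
# AWS CLI and dig are installed; the three command-line values are placeholders.

# Succeed (return 0) when an IPv4 address is in an RFC 1918 range:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      case "$second" in 1[6-9]|2[0-9]|3[01]) return 0 ;; esac ;;
  esac
  return 1
}

# Read `dig +short` style output on stdin (CNAME lines are ignored) and print
# private, public, mixed or none. "private" means a private hosted zone for
# the service name is attached to the VPC you resolved from.
classify_addresses() {
  priv=0; pub=0
  while read -r addr; do
    case "$addr" in ""|*[!0-9.]*) continue ;; esac   # skip blanks and names
    if is_private_ipv4 "$addr"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
  done
  if [ "$priv" -gt 0 ] && [ "$pub" -eq 0 ]; then echo private
  elif [ "$pub" -gt 0 ] && [ "$priv" -eq 0 ]; then echo public
  elif [ "$priv" -gt 0 ]; then echo mixed
  else echo none; fi
}

# Live check (needs credentials and a host inside the VPC): list every hosted
# zone the VPC is associated with, including zones owned by other accounts,
# then resolve the service name and classify the answer.
check_service_dns() {
  service_name=$1; vpc_id=$2; vpc_region=$3
  aws route53 list-hosted-zones-by-vpc --vpc-id "$vpc_id" --vpc-region "$vpc_region" \
    --query 'HostedZoneSummaries[].[HostedZoneId,Name,Owner.OwningAccount]' --output text
  echo "$service_name resolves to $(dig +short A "$service_name" | classify_addresses) addresses"
}

# Constructed sample of dig output: a CNAME line followed by two VPC addresses.
sample='service.example.com.
10.0.1.25
10.0.2.87'
echo "sample resolves to $(printf '%s\n' "$sample" | classify_addresses) addresses"
if [ $# -eq 3 ]; then check_service_dns "$@"; fi
```

Run it as `sh check.sh <service-name> <vpc-id> <region>` from an instance in the VPC; a "private" result confirms that an existing private hosted zone, not a public answer, is what the endpoint creation collides with.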