- Newest
- Most votes
- Most comments
Hi,
please look at link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html
you're facing DNS resolution issues for the sub-subdomain staging.inter.example.com when trying to resolve the A/AAAA records from the public hosted zone of inter.example.com in the Prod account.
few steps you can take to resolve the issue
Check DNS Configuration:
Verify that the NS records for staging.inter.example.com are correctly set in the public hosted zone of inter.example.com in the Prod account. Ensure that the NS records point to the correct name servers in the public hosted zone of staging.inter.example.com in the Staging account.
Check Private Hosted Zone Configuration:
Make sure that the A/AAAA records for staging.inter.example.com are correctly configured in the private hosted zone in the Staging account. Double-check the IP addresses associated with these records to ensure they are correct.
Verify Permissions:
Ensure that the necessary permissions are set up to allow the Prod account to query the private hosted zone in the Staging account.
Hello.
I added the NS of staging.inter.example.com in the public hosted zone of the inter.example.com in prod account and the A/AAAA records DNS is not resolving.
Can NS records be used for name resolution using the "dig" command?
dig staging.inter.example.com ns
Also, since there is a possibility that the domain propagation is delayed, I think it would be a good idea to check "staging.inter.example.com" on the following site.
https://www.whatsmydns.net/
By the way, have you successfully created the NS record for "staging.inter.example.com" for "inter.example.com"?
Please check whether you have registered the wrong NS record.
- I added the NS of staging.inter.example.com in the public hosted zone of the inter.example.com in prod account and the A/AAAA records DNS is not resolving.
Note: The A/AAAA records are in private hosted zone
It sounds like you're jumping from public hosted zone of inter.example.com to private hosted zone of staging.inter.example.com. I don't think this will work, since private hosted zones are for DNS resolution within a VPC only, whereas public hosted zones are resolvable by all hosts on the internet.
You need two parallel hierarchies https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-considerations.html#hosted-zone-private-considerations-split-view-dns
inter.example.com public zones NS records need to be in example.com private hosted zone, and inter.example.com private zone NS records need to be in example.com private hosted zone. And the same for the next level down (staging.inter.example.com NS records in the appropriate inter.example.com hosted zones)
With this in place, an A/AAAA record such as myrecord.staging.inter.example.com in the private hosted zone will be resolvable within the VPC, but not on the public internet.
You cannot add NS records in private hosted zone
You're right, my bad.
So if you have a record in the private zone or staging.inter.example.com, something like myrecord.staging.inter.example.com and you try to lookup this from a host that's in teh VPC which is associated with that private zone, what do you get?
If you're trying to lookup from a host outside the VPC that is associated with the private zone, it will fail.
- I added the NS of staging.inter.example.com in the public hosted zone of the inter.example.com in prod account and the A/AAAA records DNS is not resolving.
Note: The A/AAAA records are in private hosted zone
OK I see what you're trying to do.
There is a record in the private hosted zone for staging.inter.example.com and you want to to resolve that publicly.
You're trying to achieve this by going from example.com public zone -> inter.example.com public zone -> staging.inter.example.com private zone, and populating each "parent" zone with the NS for its "child".
So in inter.example.com public zone there will be a record for staging.inter.example.com of type NS, whose value is
ns-0.awsdns-00.com
ns-512.awsdns-00.net
ns-1024.awsdns-00.org
ns-1536.awsdns-00.co.uk
It has to be this because all private zones have these name servers set, but are never used https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html
These name servers are used because the DNS protocol requires that every hosted zone must have an NS record set. These name servers are reserved and never used by Route 53 public hosted zones. You can only query those zones via Route 53 Resolver in a VPC that has been associated to the hosted zone by using an inbound endpoint connected to the VPCs specified in the private hosted zone.
While the name servers are visible on the internet, Route 53 Resolver doesn't connect to the name server addresses. Further, the private hosted zone information is not returned if you directly query the name servers over the internet.
Basically, you can only resolve a record in the private hosted zone of staging.inter.example.com from e.g. an EC2 instance inside the VPC which is associated with that private hosted zone.
Relevant content
- asked 2 years ago
- asked 7 months ago
- asked 3 months ago
- Accepted Answerasked 6 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
They both have separate certificates. Could that be the issue?
It is unlikely that name resolution for A records will become impossible just by setting a certificate. Can I check the domain propagation status? https://www.whatsmydns.net/
dig staging.inter.example.com ns was successful
It was done within the VPC
Please let me know what kind of results are returned when the A record is resolved using the command below.
By the way, please note that even if you set an A record in the private hosted zone, the name cannot be resolved from outside the VPC. When performing public name resolution, be sure to set the record in the public hosted zone. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html