Millions of NS queries for simple website

Question

I've published a simple website on AWS Amplify, and I'm using AWS Route 53 for DNS as my domain registrar (IONOS) doesn't support ALIAS records. So I created a hosted zone for my domain and took those 4 NS entries and configured in IONOS for this domain to use these nameservers.  
  
The same 4 were configured in IONOS, matching the hosted zone details and hosted zone ns entry:  
ns-365.awsdns-45.com  
ns-1213.awsdns-23.org  
ns-867.awsdns-44.net  
ns-1892.awsdns-44.co.uk  
  
Everything was working fine for a while, and then I started seeing half a million NS record lookups per hour, costing me hundreds of dollars for what supposed to be a simple front end:

Yesterday I reset the IONOS names servers and repointed my domain to my pre-prod environment, deleted the hosted zone and re-deployed it in a different region. I then re-implemented the AWS NS entries and the issue started up again, so for now I've re-pointed back to my server at home and I'm still seeing all of these mysterious lookups (no A or CNAME or anything, just NS queries).  
  
Does anybody have any insight on what could be causing this and how to resolve? I'm at a loss at this point.  
  
Thanks in advance for any advise.

Answer

Thanks for the reply.  
  
I thought it may have been something like that, but wouldn't the issue stop once I reversed the NS entries in IONOS? I did check and it appears to be propagated worldwide.   
  
Which TTLs are you refering to?  
  
Here are my AWS TTLs, it doesn't appear I can change it for that A record:

Doesn't look like IONOS has this exposed to their customers. They say changes may take up to 48 hours so perhaps the typical 172800 for NS entries?

Answer

Aww well I didn't realize that IP was the source of these calls, I didn't even look it before. I think the "resolverIP" label confused me.  
  
Anyways, like you mentioned before it's definitely coming from my registrar, probably not an AWS issue. Time to get on the phone with IONOS again....  
  
Thanks for being a sounding board, I'll mark this as answered.

Answer

The reverse DNS for that IP is dnsregistrygw01.1and1.org. Maybe they have some sort of monitoring system that went haywire.  
  
(The TTL wasn't set to 0 or something, was it?)

Answer

> _FoxyRoxy wrote:_    
> I thought it may have been something like that, but wouldn't the issue stop once I reversed the NS entries in IONOS? I did check and it appears to be propagated worldwide.   
  
Maybe. There's no way for us to know how the software -- whatever it is -- on 82.165.226.228 is supposed to work.  
  
> Which TTLs are you refering to?  
>   
> Here are my AWS TTLs, it doesn't appear I can change it for that A record:  
>    
  
I meant the response to www.roxanalifshitz.com NS on AWS. The negative TTL in your screenshot would be 900 seconds, so assuming AWS isn't buggy, a normal resolver should cache the response and shouldn't make so many queries.

Millions of NS queries for simple website

Relevanter Inhalt