I created a public hosted zone in Amazon Route 53 for my subdomain but DNS resolution doesn’t work.
Resolution
Prerequisites:
- You have a valid registered parent domain with Route 53 or another registrar.
- You configured a public hosted zone for the subdomain in Route 53.
- The DNS resolution works correctly for your parent domain.
- You correctly configured the hosted zone for the subdomain.
Note: Subdomain delegation fails when DNS resolvers can't access the parent domain's records.
Check subdomain delegation
If you receive the "NXDOMAIN" error, then check the start of authority (SOA) record under AUTHORITY SECTION. When that SOA record belongs to the example.com parent hosted zone, no subdomain delegation exists for subdomain.example.com: the parent zone answered the query itself instead of referring the resolver to the subdomain's name servers. To resolve this issue, add name server (NS) records for subdomain.example.com in the parent domain's hosted zone that point to the name servers of your Route 53 subdomain hosted zone.
Example of an unsuccessful DNS resolution response:
dig web.subdomain.example.com
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> web.subdomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;web.subdomain.example.com. IN A
;; AUTHORITY SECTION:
example.com. 1800 IN SOA ns1.example.com. dns.example.com. 2370015069 10000 2400 604800 1800
Note: In the preceding example, the example.com parent zone doesn't contain delegation records for the subdomain.example.com subdomain.
Check name server configuration for the subdomain
If you receive the "SERVFAIL" error together with the "No Reachable Authority" and "REFUSED" extended DNS error (EDE) codes, then the name servers listed in the parent domain's NS records for the subdomain aren't authoritative for it. To resolve this issue, update the NS records in the parent domain so that they exactly match the four name servers of your Route 53 subdomain hosted zone.
Example of an unsuccessful response:
dig web.subdomain.example.com @1.1.1.1
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> web.subdomain.example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation subdomain.example.com.)
; EDE: 23 (Network Error): (205.251.255.254:53 rcode=REFUSED for web.subdomain.example.com A)
;; QUESTION SECTION:
;web.subdomain.example.com. IN A
Note: In the preceding example, the example.com parent zone contains an incorrect name server record for the subdomain.example.com subdomain.
The "SERVFAIL" error can also occur when network issues or firewall rules prevent the resolver from reaching the parent domain's and subdomain's name servers. If your DNS configuration is correct and this error still occurs, then contact your DNS resolver operator or Internet Service Provider (ISP) to resolve potential network issues.
Check whether a record exists for the subdomain
If you receive the "NXDOMAIN" error and the AUTHORITY SECTION shows a response from the subdomain, then the queried record doesn't exist in your hosted zone. To resolve this issue, create the record in your subdomain's hosted zone.
Example of an unsuccessful response:
dig lb.subdomain.example.com
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> lb.subdomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45381
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lb.subdomain.example.com. IN A
;; AUTHORITY SECTION:
subdomain.example.com. 300 IN SOA ns-a.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
Check record type mismatch
If you receive a "NOERROR" status with an empty ANSWER SECTION (ANSWER: 0) and the SOA record in the AUTHORITY SECTION belongs to your subdomain, then the record name exists in your hosted zone but with a different record type than the one you requested.
Example of an unsuccessful response:
dig mail.subdomain.example.com
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> mail.subdomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45381
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mail.subdomain.example.com. IN A
;; AUTHORITY SECTION:
subdomain.example.com. 300 IN SOA ns-a.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
Note: In the preceding example, A is the queried record type, but the name mail.subdomain.example.com has a record of a different type, such as MX or TXT, instead.
To resolve this issue, edit the existing record type or create a new record with the correct type in your subdomain's hosted zone.
After you edit or create a new record type, run the following dig command to check DNS resolution for the record type:
dig DOMAIN TYPE
Note: Replace DOMAIN with your domain name and TYPE with your record type.
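The four checks above all read the same three fields from a dig response (the status, the ANSWER count, and which zone's SOA record appears in the AUTHORITY SECTION). The following Python script is an added example, not part of the AWS article or a Route 53 tool: it parses dig's text output, classifies it into the causes the steps above describe, and compares the NS names a parent zone delegates to with the ones the subdomain's hosted zone lists. The embedded dig outputs are abridged copies of the article's own examples; the NS names passed to delegation_diff at the end are constructed placeholders.

```python
# Added example (not part of the AWS article): classify a failed dig response
# into the causes the troubleshooting steps describe, and compare the NS names
# a parent zone delegates to with the ones the Route 53 hosted zone lists.
import re
from typing import Optional


def parse_dig(output: str) -> dict:
    """Pull status, ANSWER count and the owner of any SOA record in the
    AUTHORITY SECTION out of the text that dig prints."""
    m = re.search(r"status: ([A-Z]+),", output)
    status = m.group(1) if m else "UNKNOWN"
    m = re.search(r"ANSWER: (\d+),", output)
    answers = int(m.group(1)) if m else 0
    soa_owner: Optional[str] = None
    in_authority = False
    for line in output.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_authority = True
            continue
        if in_authority:
            if line.startswith(";;"):          # reached the next section
                break
            fields = line.split()
            if len(fields) >= 4 and fields[3] == "SOA":
                soa_owner = fields[0].rstrip(".").lower()
                break
    return {"status": status, "answers": answers, "soa_owner": soa_owner}


def classify(output: str, subdomain_zone: str) -> str:
    """Map one dig response to the cause described in the article.
    subdomain_zone is the apex of the Route 53 subdomain hosted zone."""
    zone = subdomain_zone.rstrip(".").lower()
    r = parse_dig(output)
    soa = r["soa_owner"]
    if r["status"] == "NXDOMAIN":
        if soa == zone:
            return "missing-record"          # subdomain zone answered: create the record
        if soa and zone.endswith("." + soa):
            return "missing-delegation"      # parent zone answered: add NS records for the subdomain
        return "nxdomain-unexpected-soa"
    if r["status"] == "SERVFAIL":
        if "No Reachable Authority" in output and "REFUSED" in output:
            return "delegation-ns-mismatch"  # parent NS records point at non-authoritative servers
        return "servfail-network"            # check resolver, firewall or ISP
    if r["status"] == "NOERROR" and r["answers"] == 0 and soa == zone:
        return "record-type-mismatch"        # name exists, but not with the queried type
    if r["status"] == "NOERROR" and r["answers"] > 0:
        return "resolved"
    return "unclassified"


def delegation_diff(parent_ns, zone_ns):
    """Return (missing_in_parent, stale_in_parent) after normalising case and
    trailing dots, so the parent's NS records and the hosted zone's NS list
    can be compared as sets."""
    norm = lambda names: {n.rstrip(".").lower() for n in names}
    p, z = norm(parent_ns), norm(zone_ns)
    return sorted(z - p), sorted(p - z)


# Sample dig outputs, abridged from the article's examples.
NXDOMAIN_FROM_PARENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;web.subdomain.example.com. IN A
;; AUTHORITY SECTION:
example.com. 1800 IN SOA ns1.example.com. dns.example.com. 2370015069 10000 2400 604800 1800
"""
SERVFAIL_EDE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 22 (No Reachable Authority): (at delegation subdomain.example.com.)
; EDE: 23 (Network Error): (205.251.255.254:53 rcode=REFUSED for web.subdomain.example.com A)
;; QUESTION SECTION:
;web.subdomain.example.com. IN A
"""
NXDOMAIN_FROM_ZONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45381
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;lb.subdomain.example.com. IN A
;; AUTHORITY SECTION:
subdomain.example.com. 300 IN SOA ns-a.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""
# The record-type-mismatch case differs only in the status and the queried name.
NODATA_FROM_ZONE = NXDOMAIN_FROM_ZONE.replace("status: NXDOMAIN", "status: NOERROR").replace("lb.", "mail.")

if __name__ == "__main__":
    zone = "subdomain.example.com"
    for label, out in [("NXDOMAIN, parent SOA", NXDOMAIN_FROM_PARENT),
                       ("SERVFAIL with EDE", SERVFAIL_EDE),
                       ("NXDOMAIN, zone SOA", NXDOMAIN_FROM_ZONE),
                       ("NOERROR, empty answer", NODATA_FROM_ZONE)]:
        print(f"{label:24s} -> {classify(out, zone)}")
    # Constructed NS lists: a stale delegation in the parent vs. the hosted zone's server.
    print(delegation_diff(["ns-old.example.net."], ["ns-a.awsdns-00.co.uk."]))
```

To use it against a live zone, feed the output of `dig web.subdomain.example.com` (or `dig ... @1.1.1.1`) into classify, and pass the NS names from `dig subdomain.example.com NS @<parent name server>` and from the Route 53 console into delegation_diff; any name in the second list means the parent's NS records still need to be updated to match the hosted zone.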
Related information
Public DNS query logging
Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain
Routing traffic for subdomains
How can I identify and troubleshoot DNSSEC configuration issues in Route 53?