How can I troubleshoot issues with my Route 53 failover routing policy?

4 minute read
0

I configured an Amazon Route 53 failover routing policy. However, when I test the DNS resolution, I see unexpected results.

Short description

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

When you associate health checks with only the primary failover record, the following scenarios occur:

  • If the primary record is unhealthy, then a DNS query returns the secondary record.
  • If there's no health check for the secondary record, then the secondary record is always treated as healthy.
  • If the primary health check becomes healthy again, then Route 53 fails over to the primary record and provides a response to a DNS query.

When you associate health checks with both the primary and secondary failover records, the following scenarios occur:

  • If the primary record is healthy, then a DNS query returns the primary record.
  • If the primary record is unhealthy and the secondary record is healthy, then a DNS query returns the secondary record.
  • If both records are unhealthy, then a DNS query returns the primary record.

When you configure the secondary record, adding a health check is optional. When there's no health check for the secondary record and the primary record is unhealthy, Route 53 responds to DNS queries using the secondary record. This applies even when the resources that are mapped to the secondary record are unhealthy. If the secondary record doesn't have a health check associated with it, then Route 53 returns the secondary record.

Suppose that you configure the health check for an alias record type and set Evaluate target health (ETH) to true. In this case, Route 53 checks the health of the resource that the alias record references before it returns the alias record. If you associate a health check with alias record, then the health check and your alias’s ETH must be healthy to return the alias record.

Note: If your alias record set points towards another record (target) in same hosted zone, then the target record must have an associated health check. Otherwise, Route 53 considers the alias record healthy and includes it with possible responses to queries.

Resolution

1.    To test the configuration of your record set, use the DNS checking tool.

2.    To query the DNS configuration, use the dig or nslookup tools. Be sure to replace the placeholder URLs in the following commands with your corresponding values:

$ dig abc.example.com

$ nslookup abc.example.com

3.    Using the information that you find in steps 1-2, determine whether the issue relates to the primary or secondary record.

4.    Check the health check configuration to determine if health checks are reporting as healthy. For more information, see How Amazon Route 53 checks the health of your resources. If you identify failing health checks, then see Viewing health check status and the reason for health check failures.

5.    If you see that the health check is healthy but you still see unexpected results, then check the record resolution. To do this, send the query to one of your domain hosted zone authoritative name servers or another public resolver:

$ dig abc.example.com @AuthoritativeNameServer

$ nslookup abc.example.com AuthoritativeNameServer

$ dig abc.example.com @DNSResolver_IP

$ nslookup abc.example.com DNSResolver_IP

Note: Replace AuthoritativeNameServer with your name server. Replace DNSResolver_IP with your public resolver IP address.

If you see an expected output, then the problem is most likely an intermediate or local DNS resolver cache issue.

Related information

Configuring DNS failover

How Amazon Route 53 determines whether a health check is healthy

Advanced configuration ("Monitor an endpoint" only)

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago