By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Why is my application or website that's hosted on Route 53 unreachable?

7 minute read
0

I'm running an application or website on Amazon Route 53. However, I can't access my application or website.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check for domain status issues

1.    Run the following command to check the domain status:

whois domain_name |grep 'status'

If the domain status (Extensible Provisioning Protocol code) is inactive, ServerHold, or ClientHold, then the domain doesn't resolve.

2.    If you see an unusual domain status code, including inactive, ServerHold, or ClientHold, then contact your registrar.

To determine the domain registrar, run the following command:

whois domain_name |grep 'Registrar'

Query your preferred whois domain registration lookup tool for generic or country-specify top-level domains (TLDs).

Check for name server issues

1.    Confirm that your registrar has a correctly configured authoritative name server. To find the authoritative name server, check the authoritative_nameserver value in the name server record set of the public hosted zone.

2.    If you're using Route 53 as your DNS service provider, then verify that you correctly configured each of the four name servers.

To check the name server configuration, run the following command:

whois domain_name |grep 'Name Server'

For example, the output for whois amazon.com |grep 'Name Server' returns the following output:

Name Server: NS1.P31.DYNECT.NET
Name Server: NS2.P31.DYNECT.NET
Name Server: NS3.P31.DYNECT.NET
Name Server: NS4.P31.DYNECT.NET
Name Server: PDNS1.ULTRADNS.NET
Name Server: PDNS6.ULTRADNS.CO.UK

Check for record set issues

To check if you created the required alias (A) record in the hosted zone with the DNS service provider, run the following command:

dig Domain_name record_type

For example, $dig amazon.com A returns the following output:

; <<>> DiG 9.10.6 <<>> amazon.com +question
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29804
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        44    IN    A    54.239.28.85
amazon.com.        44    IN    A    205.251.242.103
amazon.com.        44    IN    A    176.32.103.205

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 19 20:28:51 IST 2021
;; MSG SIZE  rcvd: 87

Note: The record type is listed in the Type column of the corresponding resource record set. For more information, see Supported DNS record types.

Check for source issues

For local browsers or mobile devices:

  • Clear your browser cache, and then try to access the domain.
  • Check if you're requesting the correct domain. Mobile device browsers might append www when they request the domain.

For an on-premises machine that's connected to an Amazon Virtual Private Cloud (Amazon VPC) or AWS resource that uses VPC .2 Resolver:

If you have private and public hosted zones with overlapping namespaces (example.com and accounting.example.com), then Resolver routes traffic based on the most specific match. When there's a matching private hosted zone but no record that matches the domain name and type in the request, Resolver doesn't forward the request. Instead, it returns an NXDOMAIN (non-existent domain) error to the client. If you unintentionally created a private hosted zone with overlapping namespaces, then you can delete the private hosted zone.

Check for record caching issues

1.   Check if the record value that returned from the DNS resolver matches the value that returned from the authoritative name server. If the domain doesn't resolve to the expected IP address, then the DNS resolver might have cached the value:

dig domain_name record_type @authorative_name_server

For example, $dig amazon.com @NS1.P31.DYNECT.NET returns the following output:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @NS1.P31.DYNECT.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63711
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        60    IN    A    205.251.242.103
amazon.com.        60    IN    A    54.239.28.85
amazon.com.        60    IN    A    176.32.103.205

;; Query time: 2 msec
;; SERVER: 208.78.70.31#53(208.78.70.31) 
;; WHEN: Fri Mar 19 15:08:52 2021
;; MSG SIZE  rcvd: 76

If the domain resolves to an unexpected IP address, then clear your browser cache.

2.   Check if you see the same results with the public resolver:

dig domain @public_resolver_Ip

For example, $dig amazon.com @8.8.8.8 returns the following output:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26860
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        15    IN    A    205.251.242.103
amazon.com.        15    IN    A    54.239.28.85
amazon.com.        15    IN    A    176.32.103.205

;; Query time: 1 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 19 15:09:41 2021
;; MSG SIZE  rcvd: 76

If the public resolver returns the expected answer, then the issue is likely with the DNS resolver on the local machine.

Check for DNSSEC issues

Confirm that you correctly configured DNSSEC for your domain. To check if there are DNSSEC issues with the domain, use the DNSSEC analyzer tool or your preferred tool.

Pass the DNSSEC to see if you're getting the expected results:

dig domain_name +cd

For example, $ dig amazon.com +cd returns the following output:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55636
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        29    IN    A    205.251.242.103
amazon.com.        29    IN    A    176.32.103.205
amazon.com.        29    IN    A    54.239.28.85

;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 19 15:10:13 2021
;; MSG SIZE  rcvd: 76

Check for web server issues

If you see the expected IP address for the domain in a curl command output, then check that you receive the Expected HTTP response (on the Internet Engineering Task Force website) from the server:

  • 1XX (Informational)
  • 2XX (Successful)
  • 3XX (Redirection)
  • 4XX (Client Error)
  • 5XX (Server Error)

If the DNS resolution works as expected but the server isn't responding, then the issue is with the web server where the website or application is hosted. To check for web server issues, run the following command:

curl -Iv http://domain_name:Port/Path

For example, $ curl -Iv http://amazon.com:80 returns the following output:

* Rebuilt URL to: http://amazon.com:80/
*   Trying 176.32.103.205...   <--- Indicates no issues with the DNS resolution as we are getting expected IP address for the domain amazon.com.
* TCP_NODELAY set
* Connected to amazon.com (176.32.103.205) port 80 (#0)
> HEAD / HTTP/1.1
> Host: amazon.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: Server
Server: Server
< Date: Fri, 19 Mar 2021 15:11:18 GMT
Date: Fri, 19 Mar 2021 15:11:18 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 179
Content-Length: 179
< Connection: keep-alive
Connection: keep-alive
< Location: https://amazon.com/
Location: https://amazon.com/

< 
* Connection #0 to host amazon.com left intact

Note: The Port value is the web server port that the website or application is configured to listen on.

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago