Why isn't the alias record that points to my CloudFront distribution resolving?

6 minute read
1

I configured an alias record that points to my Amazon CloudFront distribution in an Amazon Route 53 public hosted zone. However, I can't resolve the record over the internet.

Short description

The following reasons can prevent you from resolving the alias record that points to a CloudFront distribution:

  • You misconfigured the alias record that corresponds to the CloudFront distribution.
  • The CloudFront distribution isn't listed in the Alias record dropdown menu on the Route 53 console.
  • You didn't create the alias record in the authoritative hosted zone for the domain.
  • The status of the domain is inactive, serverHold, or clientHold.
  • There's an unhealthy health check that's associated with the alias record.
  • The record isn't propagated globally.
  • When DNSSEC is turned on for the domain, the Delegation Signer (DS) records are wrong.

Resolution

Check the alias record type

If you misconfigured the alias record, then the DNS record can't resolve. You must configure CloudFront alias record types as Type A instead of CNAME.

To confirm the Route 53 alias record type, complete the following steps:

1.    Open the Route 53 console.

2.    In the navigation pane, choose Hosted Zones.

3.    Select the hosted zone for your domain.

4.    Select the Route 53 alias record for your domain.

5.    In Edit Record Set, confirm that the Record type for the Alias record is set to A. If the record type isn't set to A, then update the record.

6.    Choose Save record set.

Create the record if the CloudFront distribution isn't listed in the Alias record dropdown menu

To create an alias record that points to your CloudFront distribution, your distribution must include an alternate domain name that matches the name of the record. For example, if the name of the record is abc.example.com, then the CloudFront distribution must include abc.example.com as one of the alternate domain names.

1.    Log in to the CloudFront console.

2.    Navigate to your CloudFront distribution.

3.    Choose General, Settings, Edit.

4.    In the Settings page, add abc.example.com in Alternate domain name (CNAME).

Note: If you're adding a CNAME record that already exists, then you receive the following error:

"One or more of the CNAMEs you provided are already associated with a different resource"

To resolve the preceding error, add the record in the Route 53 hosted zone. Then, choose Alias to CloudFront distribution to create the alias record for abc.example.com. The CloudFront distribution domain name is listed in the dropdown menu.

Check the domain name servers that are configured at the registrar

When you create a hosted zone for your domain, Route 53 assigns a set of four name servers to the hosted zone. The hosted zone is used for your domain resolution only if its name servers are specified at the domain's registrar.

Confirm that your registrar returns the same four authoritative name servers as those that are assigned to the hosted zone where you created the alias record. To check the name servers that are configured on the registrar, run the following command to perform a whois lookup on your domain:

$ whois domain-name |grep 'Name Server'

Review the name servers assigned to your hosted zone. If the name servers don't match the whois lookup results, then your hosted zone isn't used for domain resolution. You must update the name servers at the domain registrar.

If the domain is registered with Route 53, then see Adding or changing name servers and glue records for a domain. If the domain is registered with a third party, then see the third-party documentation for steps on how to update the name servers.

If the name servers aren't configured correctly at the AWS registrar, complete the following steps:

1.    Open the Route 53 console.

2.    Choose Registered domains.

3.    Select your domain.

4.    Choose Add/edit name server.

5.    Replace the current name servers with the following ones. In the following examples, replace the xxx placeholders with the correct values for your name servers.
ns-xxx.awsdns-xx.org.
ns-xxx.awsdns-xx.com.
ns-xxx.awsdns-xx.net.
ns-xxx.awsdns-xx.co.uk.

6:    Choose Save.

Check the domain status

If the domain status is inactive, ServerHold, or clientHold, then the domain can't resolve. You can run the whois lookup command to check the status of the domain:

$ whois domain-name |grep 'Domain Status'

Check for health checks that are associated with the alias record

If there's a health check that's associated with the alias record, then check the status of the health check. The value that's returned during the DNS lookup depends on the routing policies and health check configuration of the record.

Check the record propagation

Usually, Route 53 propagates DNS record updates to the Route 53 global network of authoritative DNS servers within 60 seconds. However, caching DNS resolvers is beyond the scope of Route 53. So, Amazon Route 53 caches your resource record sets according to their TTL value.

The local resolver caches the previous record value for the duration of the configured TTL. In some cases, there might be negative caching where the resolvers cache the NXDOMAIN results from authoritative name servers. To check for negative caching, send a query directly to the name server that's assigned to your domain's hosted zone to check for a response. The following is an example command to check for negative caching:

$ dig domain-name @ns-2041.awsdns-63.co.uk

When DNSSEC is turned on, check the DS records

A DS record establishes a chain of trust between the parent and child hosted zones when DNSSEC is turned on. This record contains a digest of the public key-signing keys (KSKs) used to sign a DNS zone's zone-signing key (ZSK) and the signing algorithm type. You must add the DS record to the parent zone of a delegation. The DS record is authoritative data in the parent zone.

For example, the DS record for "example.com" is stored in the ".com" zone (the parent zone), not the "example.com" zone (child zone).

Provide the public KSK and signing algorithm type to your domain registrar to create a DS record. The domain registrar forwards the public KSK and the algorithm type to the registry for the top-level domain.

AWS OFFICIAL
AWS OFFICIALUpdated a year ago