
How do I troubleshoot DNS resolution issues for records in Route 53 public hosted zones?


I want to resolve DNS resolution issues for domains and records in my Amazon Route 53 hosted zones.

Short description

The following issues can prevent DNS resolution for domains and records in Route 53 hosted zones:

  • Mismatches between your registrar and Route 53 name servers.
  • Incorrect DNS records in Route 53.
  • Frequent record changes.
  • Incorrect subdomain delegation.
  • DNS propagation delays.
  • Firewalls or network access control lists (network ACLs) that block DNS responses.
  • Health checks that affect your routing.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Troubleshoot mismatches between your registrar and your Route 53 name servers

If the name servers that you configure in your domain registrar and your Route 53 hosted zone don't match, then your domain doesn't resolve correctly.

To verify that your name servers match, complete the following steps:

  1. Run the whois command to check your registrar-level name servers:
    whois example_url | grep -i example_name_server
    Note: Replace example_url with your URL and example_name_server with your name server. The -i option makes the match case-insensitive, because many registrars return name servers in uppercase.
  2. Use the Route 53 console to get the name servers for your hosted zone.
  3. Compare the whois command's output with your hosted zone's name servers.
  4. If the name servers don't match, then update your registrar to match your hosted zone.
    Based on the following example outputs, you must update the registrar to include ns-2050.awsdns-66.org and ns-2051.awsdns-67.co.uk.
    whois output:
    Name Server: ns-2048.awsdns-64.com
    Name Server: ns-2049.awsdns-65.net
    Name servers in the hosted zone:
    ns-2048.awsdns-64.com
    ns-2049.awsdns-65.net
    ns-2050.awsdns-66.org
    ns-2051.awsdns-67.co.uk

Troubleshoot incorrect DNS records in Route 53

Run the dig command to display your DNS record based on your DNS record type:

dig example_type example_url +short

Note: Replace example_type with your DNS record type and example_url with your URL.

Then, complete the following troubleshooting steps based on your DNS record type.

A

Example output:

192.0.2.44

Confirm that the IP address in your output matches the IP address of your server host.

TXT

Example output:

"v=spf1 include:_spf.example_url ~all"

Separate the two parts of the value with a blank space, and don't wrap your TXT values in double quotation marks. For more information, see How do I resolve the "CharacterStringTooLong (Value is too long) encountered with {Value}" error that I receive when I create a TXT record with DKIM syntax?

MX

Example output:

10 mail.example_url.com

Route 53 doesn't support the @ symbol in record names. If your record names include the @ symbol, then remove it.

CNAME

Example output:

www.example_url.com

Verify that your record points to the correct target domain name.

AAAA (IPv6)

Example output:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Verify that the IPv6 address matches your server's configuration.

For a full list of DNS record types that Route 53 supports, see Supported DNS record types.

Troubleshoot frequent record changes that cause unintended DNS caching

DNS recursive resolvers cache DNS records based on your routing policy's Time to Live (TTL) value. If you frequently change your records, then your changes don't instantly propagate because of DNS caching.

Run the dig command to check your TTL value:

dig example_url +ttlunits

Note: Replace example_url with your URL.

In the following example output, the example_url TTL value is 300 seconds:

example_url 300 IN A 192.0.2.44

Before you change your DNS records, lower your TTL value to 60 seconds or less. Then, run the dig command from multiple locations to verify that your new TTL value is in effect. You can also run the nslookup command from different ISPs to check your TTL value:

nslookup -type=A -debug www.example_url.com

For best practices on TTL values, see the Choosing TTL values for DNS records section of Best practices for Amazon Route 53 DNS.

Troubleshoot incorrect subdomain delegations

Review your subdomain delegation for errors that cause broken name resolutions.

Note: In the following examples, sub.example.com is a subdomain of example.com.

Run the dig command with the +trace option to follow the delegation chain from the root servers and identify your subdomain's name server records:

dig +trace sub.example.com

In the following example output, ns-123.awsdns-45.net and ns-124.awsdns-46.org are sub.example.com name servers:

;; Received 512 bytes from a.root-servers.net
...
sub.example.com. 300 IN NS ns-123.awsdns-45.net.
sub.example.com. 300 IN NS ns-124.awsdns-46.org.

Verify that the name server records for your subdomains match the DNS name server records in the following zones:

  • Your parent zone
  • The delegated zone in Route 53

If your subdomain's name server records don't match DNS name server records, then update your DNS service.

For more information, see How do I troubleshoot DNS resolution issues for a new subdomain in Route 53?
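The following shell example is added here and is not part of the AWS article: it mechanizes step 4 of the registrar check earlier on this page (which hosted-zone name servers the registrar is missing) and the parent-versus-delegated-zone comparison in this section. It assumes standard whois "Name Server:" lines and full dig answer lines, and runs on constructed data; in practice you pipe real whois and dig output into ns_from_whois and ns_from_dig.

```shell
# Added example (not from the AWS article): compare name-server sets for the
# registrar-vs-hosted-zone check and the parent-vs-delegated-zone check.
# Every sample below is constructed; live use pipes real whois/dig output in.

# Normalize one name server per line: lowercase, no trailing dot, no blanks, sorted.
normalize_ns() {
  tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//; s/\.$//; /^$/d' | sort -u
}

# Extract name servers from whois(1) output ("Name Server:" or "nserver:" lines).
ns_from_whois() {
  grep -iE '^[[:space:]]*(name server|nserver):' | sed 's/^[^:]*:[[:space:]]*//' | normalize_ns
}

# Extract NS targets from full dig answer lines ("name TTL IN NS target.").
ns_from_dig() {
  awk '$4 == "NS" { print $5 }' | normalize_ns
}

# Print each entry of list $1 (newline-separated) that is absent from list $2.
ns_missing() {
  printf '%s\n' "$1" | while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    printf '%s\n' "$2" | grep -qFx -- "$ns" || printf '%s\n' "$ns"
  done
}

# Constructed registrar (whois) output and Route 53 hosted-zone name servers.
WHOIS_OUT='Name Server: NS-2048.AWSDNS-64.COM
Name Server: NS-2049.AWSDNS-65.NET'
ZONE_NS='ns-2048.awsdns-64.com
ns-2049.awsdns-65.net
ns-2050.awsdns-66.org
ns-2051.awsdns-67.co.uk'

# Constructed parent-zone delegation (dig +trace style) and the delegated zone's own NS set.
PARENT_DIG=';; Received 512 bytes from a.root-servers.net
sub.example.com. 300 IN NS ns-123.awsdns-45.net.
sub.example.com. 300 IN NS ns-124.awsdns-46.org.'
CHILD_NS='ns-123.awsdns-45.net
ns-125.awsdns-47.co.uk'

REG_NS=$(printf '%s\n' "$WHOIS_OUT" | ns_from_whois)
PARENT_NS=$(printf '%s\n' "$PARENT_DIG" | ns_from_dig)

echo "Add at the registrar:";     ns_missing "$ZONE_NS" "$REG_NS"
echo "Missing from parent zone:"; ns_missing "$CHILD_NS" "$PARENT_NS"
echo "Stale in parent zone:";     ns_missing "$PARENT_NS" "$CHILD_NS"
```

Any name server printed under "Stale in parent zone" still receives queries for the subdomain even though the delegated zone no longer lists it, so fix both directions, not only the missing ones.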

Troubleshoot DNS propagation delays

To check your domain name's global propagation, use the DNS Propagation Checker on the whatsmydns.net website. Verify that your record values updated across every global location.

If your record values aren't consistent, then make sure that your TTL value is 60 seconds or less and then clear your DNS cache. If you still encounter DNS record propagation delays, then contact your registrar or DNS provider for assistance.

Troubleshoot firewalls or network ACLs that block DNS responses

Verify that the firewalls and network ACLs for your server and your virtual private cloud (VPC) allow DNS traffic on UDP and TCP port 53.

Troubleshoot health checks that affect your routing

If your domain fails a health check, then Route 53 might remove your domain's DNS records from DNS responses.

Run the following get-health-check-status AWS CLI command to check your domain's health check status:

aws route53 get-health-check-status --health-check-id example-domain-ID

Note: Replace example-domain-ID with the ID of the health check that's associated with your domain.

If the Status in the output is Failure, or a last failure reason is reported, then troubleshoot your unhealthy health check.
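The following shell example is added here and is not from the AWS article: it shows the filter a practitioner applies to the get-health-check-status output to see which checker regions report Failure, run offline against a constructed response in the shape of that output.

```shell
# Added example (not from the AWS article): find which Route 53 health checkers
# report Failure. Live use (needs the AWS CLI and your health check ID; not run here):
#   aws route53 get-health-check-status --health-check-id <your-health-check-id> \
#     --query 'HealthCheckObservations[?starts_with(StatusReport.Status, `Failure`)].[Region, IPAddress, StatusReport.Status]' \
#     --output text
# The functions below apply the same filter offline to SAMPLE_STATUS, a constructed
# response in the shape of the get-health-check-status output.

SAMPLE_STATUS='{
    "HealthCheckObservations": [
        {
            "Region": "us-east-1",
            "IPAddress": "192.0.2.10",
            "StatusReport": {
                "Status": "Success: HTTP Status Code 200, OK",
                "CheckedTime": "2024-05-01T10:00:00+00:00"
            }
        },
        {
            "Region": "eu-west-1",
            "IPAddress": "192.0.2.11",
            "StatusReport": {
                "Status": "Failure: Connection timed out",
                "CheckedTime": "2024-05-01T10:00:03+00:00"
            }
        }
    ]
}'

# Read a get-health-check-status response on stdin and print
# "region<TAB>ip<TAB>status" for every checker whose Status begins with "Failure".
failing_checkers() {
  awk -F'"' '
    /"Region":/    { region = $4 }
    /"IPAddress":/ { ip = $4 }
    /"Status":/    { if ($4 ~ /^Failure/) print region "\t" ip "\t" $4 }
  '
}

# Succeed only when no checker reports Failure (usable as a guard in scripts).
health_ok() {
  [ -z "$(failing_checkers)" ]
}

printf '%s\n' "$SAMPLE_STATUS" | failing_checkers
```

A failure from one region while the others succeed usually points at a regional network or firewall problem rather than at the endpoint itself.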

Related information

Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain

AWS OFFICIAL. Updated 7 months ago.