Unable to Resolve DNS and Access Internet on EC2 Instance

0

Hey All, I am experiencing a DNS resolution issue with my EC2 instance in the eu-west-2 region. The instance is unable to resolve domain names and access the internet, which is affecting our project's testing and deployment phases.

Here is a summary of the issue and steps taken:

Instance Details:

Region: eu-west-2
AMI: Ubuntu 24.04 LTS

Issue Description: Running sudo apt update results in "Temporary failure resolving" errors for both Ubuntu repositories and security updates. ping and dig commands to external domains (e.g., google.com) fail with DNS resolution errors. The instance can ping IP addresses directly (e.g., 8.8.8.8), indicating network connectivity is present, but DNS resolution is not functioning.

Steps Taken:

  • Verified /etc/resolv.conf contains the correct DNS servers (8.8.8.8, 8.8.4.4).
  • Stopped and disabled systemd-resolved to prevent interference.
  • Checked the VPC's DHCP option set, which uses AmazonProvidedDNS.
  • Verified that the security groups and network ACLs allow outbound DNS and HTTP/HTTPS traffic.
  • Contacted multiple cloud developers to troubleshoot the issue, but it remains unresolved.

Could you please provide guidance on resolving this DNS issue? It is critical to get this resolved to proceed with our project's testing and completion by the end of this month.

Thank you for your assistance.

asked 2 months ago, 308 views
3 Answers
1

It's best to set 169.254.169.253 as your DNS server and not to use external DNS servers, like Google's. That's the AWS-provided Route 53 Resolver in your VPC. https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html

Do you get DNS replies from 169.254.169.253?

Normally, your Ubuntu installation should be obtaining these settings via DHCP, and when your VPC's DHCP option set is configured with AmazonProvidedDNS, as you mentioned, this local DNS service in the VPC should be configured automatically also in Ubuntu, without manually configuring resolv.conf.

Leo K
answered 2 months ago
  • I am not able to ping 169.254.169.253

0

Hello,

  • Read this re:Post article and set up DNS using the netplan configuration file. The document below applies to all Ubuntu 18.04+ versions.

Note: indentation is important in the Netplan configuration file, so be careful.

After updating the file, execute the following commands:

  • sudo netplan try

Before executing the commands below, confirm there are no errors in the netplan file.

  • sudo netplan generate
  • sudo netplan --debug apply
  • Reboot the instance.
  • To confirm that the system correctly picks up the intended DNS server IP addresses, run the systemd-resolve command:
  • systemd-resolve --status

If this solves your issue, please feel free to accept this answer.

answered 2 months ago
0

If you have something like ncat installed, you can use it to prove that port 53 is open to the target:

$ ncat -vz 8.8.8.8 53
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Connected to 8.8.8.8:53.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.

If this works for you, then it looks more like something in the Ubuntu DNS config itself, and not network-related.

Can you take the resolv.conf out of the equation and force queries to use a particular DNS resolver? https://www.lifewire.com/free-and-public-dns-servers-2626062

This forces it to use Google, regardless of what's in resolv.conf (and try the same for CloudFlare, OpenDNS, etc.).

$ nslookup repost.aws 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	repost.aws
Address: 18.65.244.47
Name:	repost.aws
Address: 18.65.244.50
Name:	repost.aws
Address: 18.65.244.20
Name:	repost.aws
Address: 18.65.244.103

If none of these on that link work for you, then verify that the outbound DNS port 53 is definitely open in the instance's security group, and allowed in the NACL associated with the subnet.

Also I note that you say:

Verified that the security groups and network ACLs allow outbound DNS and HTTP/HTTPS traffic.

Can you curl or wget a simple webpage, which proves that you can get out on the HTTP/HTTPS port? e.g. $ curl https://www.google.com/

If HTTP/HTTPS is working but DNS isn't then look at what you may have done differently when you allowed traffic for each of these services.

Steve_M
answered 2 months ago
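The three answers above amount to a troubleshooting ladder: what resolv.conf actually lists, whether the VPC resolver (169.254.169.253) is used, raw reachability of port 53, a query through the VPC resolver versus an external one, and finally HTTPS egress. The helper below walks that ladder in order; it is an added example, not code from any answer in this thread, and it assumes dig, nc or ncat and curl are installed and that /etc/resolv.conf is the file in use.

```shell
#!/bin/sh
# Added DNS troubleshooting helper for an EC2 instance (not from the thread).
# Assumes dig, nc/ncat and curl are installed; the resolv.conf path is an assumption.

VPC_RESOLVER="169.254.169.253"   # AWS-provided Route 53 Resolver, link-local in every VPC
EXTERNAL_RESOLVER="8.8.8.8"      # external resolver; needs SG/NACL egress on port 53
PROBE_NAME="repost.aws"          # name to resolve, as used in the thread

# Print the nameserver IPs from a resolv.conf-style file, one per line.
resolver_ips() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the file lists the VPC resolver (or the VPC base+2 address passed as $2).
uses_vpc_resolver() {
    resolver_ips "$1" | grep -qxF -e "$VPC_RESOLVER" -e "${2:-$VPC_RESOLVER}"
}

# Return 0 if resolver $1 answers an A query for $2 within 2 seconds.
dns_query_ok() {
    dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | grep -q '^[0-9]'
}

# Print OK/WARN/FAIL for each rung of the ladder; $1 is the resolv.conf path.
run_checks() {
    conf=${1:-/etc/resolv.conf}
    command -v ncat >/dev/null 2>&1 && nc_bin=ncat || nc_bin=nc
    echo "nameservers in $conf: $(resolver_ips "$conf" | tr '\n' ' ')"
    if uses_vpc_resolver "$conf"; then echo "OK   VPC resolver is listed"
    else echo "WARN only external resolvers listed; DHCP should hand out $VPC_RESOLVER"; fi
    ping -c 1 -W 2 "$EXTERNAL_RESOLVER" >/dev/null 2>&1 \
        && echo "OK   ICMP to $EXTERNAL_RESOLVER" || echo "FAIL ICMP to $EXTERNAL_RESOLVER"
    "$nc_bin" -z -w 2 "$EXTERNAL_RESOLVER" 53 >/dev/null 2>&1 \
        && echo "OK   TCP/53 to $EXTERNAL_RESOLVER" || echo "FAIL TCP/53 to $EXTERNAL_RESOLVER (check SG/NACL egress)"
    # A query that works via the VPC resolver but not externally points at egress filtering, not Ubuntu.
    for r in "$VPC_RESOLVER" "$EXTERNAL_RESOLVER"; do
        dns_query_ok "$r" "$PROBE_NAME" && echo "OK   $PROBE_NAME resolves via $r" \
                                        || echo "FAIL $PROBE_NAME does not resolve via $r"
    done
    curl -fsS -m 5 -o /dev/null "https://$PROBE_NAME/" >/dev/null 2>&1 \
        && echo "OK   HTTPS to $PROBE_NAME" || echo "FAIL HTTPS to $PROBE_NAME (DNS or egress on 443)"
}

# Run the ladder only when invoked as: sh ec2_dns_check.sh --run [resolv.conf path]
if [ "${1:-}" = "--run" ]; then run_checks "${2:-/etc/resolv.conf}"; fi
```

If the VPC resolver rung passes while the external one fails, the fix is the one Leo K gives: let DHCP hand out 169.254.169.253 rather than pinning external resolvers in resolv.conf.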
