Millions of NS queries for simple website

0

I've published a simple website on AWS Amplify, and I'm using AWS Route 53 for DNS as my domain registrar (IONOS) doesn't support ALIAS records. So I created a hosted zone for my domain and took those 4 NS entries and configured in IONOS for this domain to use these nameservers.

The same 4 were configured in IONOS, matching the hosted zone details and hosted zone ns entry:
ns-365.awsdns-45.com
ns-1213.awsdns-23.org
ns-867.awsdns-44.net
ns-1892.awsdns-44.co.uk

Everything was working fine for a while, and then I started seeing half a million NS record lookups per hour, costing me hundreds of dollars for what is supposed to be a simple front end:

https://foxy-roxy-public-bucket.s3.amazonaws.com/Screenshot_from_2021-02-26+13-07-56.png

Yesterday I reset the IONOS name servers and repointed my domain to my pre-prod environment, deleted the hosted zone and re-deployed it in a different region. I then re-implemented the AWS NS entries and the issue started up again, so for now I've re-pointed back to my server at home and I'm still seeing all of these mysterious lookups (no A or CNAME or anything, just NS queries).

Does anybody have any insight on what could be causing this and how to resolve? I'm at a loss at this point.

Thanks in advance for any advice.

asked 3 years ago · 245 views
4 Answers
0

The reverse DNS for that IP is dnsregistrygw01.1and1.org. Maybe they have some sort of monitoring system that went haywire.

(The TTL wasn't set to 0 or something, was it?)

answered 3 years ago
0

Thanks for the reply.

I thought it may have been something like that, but wouldn't the issue stop once I reversed the NS entries in IONOS? I did check and it appears to be propagated worldwide.

Which TTLs are you referring to?

Here are my AWS TTLs, it doesn't appear I can change it for that A record:
https://foxy-roxy-public-bucket.s3.amazonaws.com/Screenshot_from_2021-02-26+14-47-35.png

Doesn't look like IONOS has this exposed to their customers. They say changes may take up to 48 hours so perhaps the typical 172800 for NS entries?

answered 3 years ago
0

FoxyRoxy wrote:
> I thought it may have been something like that, but wouldn't the issue stop once I reversed the NS entries in IONOS? I did check and it appears to be propagated worldwide.

Maybe. There's no way for us to know how the software -- whatever it is -- on 82.165.226.228 is supposed to work.

> Which TTLs are you referring to?
>
> Here are my AWS TTLs, it doesn't appear I can change it for that A record:
> https://foxy-roxy-public-bucket.s3.amazonaws.com/Screenshot_from_2021-02-26+14-47-35.png

I meant the response to www.roxanalifshitz.com NS on AWS. The negative TTL in your screenshot would be 900 seconds, so assuming AWS isn't buggy, a normal resolver should cache the response and shouldn't make so many queries.

answered 3 years ago
0

Aww well I didn't realize that IP was the source of these calls, I didn't even look it before. I think the "resolverIP" label confused me.

Anyways, like you mentioned before it's definitely coming from my registrar, probably not an AWS issue. Time to get on the phone with IONOS again....

Thanks for being a sounding board, I'll mark this as answered.

answered 3 years ago
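
Added example, not part of the original thread: a way to confirm from Route 53 query logs which resolver IP is re-asking the same question faster than the 900-second negative TTL mentioned above allows. It assumes the space-separated public query-log line layout (version, timestamp, zone ID, query name, type, response code, protocol, edge location, resolver IP, EDNS client subnet); the sample lines, zone ID and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

NEGATIVE_TTL = 900  # seconds, the negative-caching TTL quoted in the thread

# Constructed sample in the assumed Route 53 public query-log layout:
# version timestamp zone-id qname qtype rcode protocol edge resolver-ip edns-subnet
SAMPLE_LOG = """\
1.0 2021-02-26T13:00:00.000Z ZEXAMPLEZONE www.example.com NS NOERROR UDP FRA6 198.51.100.7 -
1.0 2021-02-26T13:00:01.200Z ZEXAMPLEZONE www.example.com NS NOERROR UDP FRA6 198.51.100.7 -
1.0 2021-02-26T13:00:02.400Z ZEXAMPLEZONE www.example.com NS NOERROR UDP FRA6 198.51.100.7 -
1.0 2021-02-26T13:00:03.000Z ZEXAMPLEZONE www.example.com A NOERROR UDP IAD12 203.0.113.9 -
1.0 2021-02-26T13:00:03.900Z ZEXAMPLEZONE www.example.com NS NOERROR UDP FRA6 198.51.100.7 -
1.0 2021-02-26T13:20:00.000Z ZEXAMPLEZONE www.example.com A NOERROR UDP IAD12 203.0.113.9 -
malformed line that should be skipped
"""

def parse_line(line):
    """Return (time, qname, qtype, resolver_ip) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 10 or fields[0] != "1.0":
        return None
    try:
        when = datetime.fromisoformat(fields[1].replace("Z", "+00:00"))
    except ValueError:
        return None
    return when, fields[3].lower(), fields[4], fields[8]

def repeat_offenders(log_text, ttl=NEGATIVE_TTL, min_repeats=3):
    """Count queries a resolver repeated before the previous answer could expire."""
    last_seen, repeats = {}, defaultdict(int)
    records = sorted(filter(None, map(parse_line, log_text.splitlines())))
    for when, qname, qtype, resolver in records:
        key = (resolver, qname, qtype)
        if key in last_seen and (when - last_seen[key]).total_seconds() < ttl:
            repeats[key] += 1  # a caching resolver would not have asked again
        else:
            last_seen[key] = when  # start of a new cache window
    flagged = [(k, n) for k, n in repeats.items() if n >= min_repeats]
    return sorted(flagged, key=lambda item: -item[1])

if __name__ == "__main__":
    for (resolver, qname, qtype), count in repeat_offenders(SAMPLE_LOG):
        print(f"{resolver} re-asked {qname} {qtype} {count}x inside the TTL")
```

A resolver that shows up here with a high count for a single name and type is not honoring the cached answer, which points at the querying software rather than at the hosted zone.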
