How does DNS work and how do I troubleshoot partial or intermittent DNS failures?

Resolution

DNS overview

DNS routes users to Internet applications by translating easy-to-remember names (for example, www.example.com) into numeric IP addresses such as 192.0.2.1. This process is called “DNS resolution.” An authoritative name server resolves a domain name to an IP address or multiple IP addresses and passes the IP address through the chain of DNS resolvers to the client (for example, the computer of someone requesting to view a website). The client then uses that IP address to connect to the server where the website is hosted. When DNS isn't functioning correctly, then DNS servers can't resolve domain names. So, the DNS servers can't provide clients the IP address of the server the website is hosted on. This means those websites can't be accessed from the Internet.

For more information, see What is DNS?

Partial, temporary, or intermittent DNS failure scenarios

In some cases, a client suffers from DNS failures for a short period of time or intermittently. The following are common scenarios that might cause partial DNS failure:

Scenario 1: Misconfigured name servers at the registrar

Sometimes one or more name servers are misconfigured on the registrar. A "whois" lookup provides the name servers that are configured on the registrar of the domain. In this case, during the DNS resolution, if registered name servers don't respond or respond with unexpected information, then the local resolver returns a SERVFAIL message. However, in some cases, local resolvers can try the request with a different name server and can return the result.

Additionally, the local resolvers can cache the wrong name servers for the TTL time and can send the next query to the misconfigured name server.

Scenario 2: Altered name servers at the hosted zone

Another reason for partial DNS failure is when the NS record for a domain is misconfigured in the hosted zone. In this case, either the existing name servers were updated or some additional name servers were added to the value of the NS record.

In this case, some clients might experience partial DNS failures, if the resolver tries to resolve the domain using the wrong name server.

Scenario 3: Client's DNS resolver can't resolve the domain

Sometimes clients set custom or incorrect resolvers in the resolver configuration file, such as resolv.conf in Linux. If this is the case, and you're resolving the domain from an Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC), then the EC2 instance uses the name servers defined in resolv.conf.

Scenario 4: Amazon-provided DNS server throttling the DNS queries

Amazon-provided DNS servers enforce a limit of 1024 packets per second per elastic network interface. Amazon-provided DNS servers reject any traffic exceeding this limit. Because of the DNS throttling, the DNS timeouts intermittently. You can turn on caching at the instance or increase the DNS retry timer on the application to resolve this issue.

Scenario 5: The domain URL resolves from the internet, but not from the EC2 instance

DNS queries for your domain always resolve from the private hosted zone if you've done the following:

• Created a private hosted zone with the same name as your domain.
• Associated your VPC with the private hosted zone and VPC DHCP options configured with AmazonProvidedDNS.

If the queried record for your domain isn't present in the private hosted zone, then the DNS query fails and isn't forwarded to the public domain. Because the DNS record is present in the public domain zone, it does resolve from the internet.

Troubleshoot DNS failures on Linux-based operating systems

Use the dig command to perform a lookup against the client DNS server that's configured in the host's /etc/resolv.conf file.

$ dig www.amazon.com
    
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> www.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.com.    IN    A

;; ANSWER SECTION:
www.amazon.com.        41    IN    A    54.239.17.6

;; Query time: 1 msec
;; SERVER: 10.108.0.2#53(10.108.0.2)
;; WHEN: Fri Oct 21 21:43:11 2016
;; MSG SIZE rcvd: 48

In the preceding example, the answer section shows that 54.239.17.6 is the IP address of the HTTP server for www.amazon.com.

If you add the +trace variable, the dig command can also perform a recursive lookup of a DNS record, as shown in the following example:

$ dig +trace www.amazon.com
    
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> +trace www.amazon.com
;; global options: +cmd
.        518400    IN    NS    J.ROOT-SERVERS.NET.
.        518400    IN    NS    K.ROOT-SERVERS.NET.
.        518400    IN    NS    L.ROOT-SERVERS.NET.
…
;; Received 508 bytes from 10.108.0.2#53(10.108.0.2) in 31 ms

com.        172800    IN    NS    a.gtld-servers.net.
com.        172800    IN    NS    b.gtld-servers.net.
com.        172800    IN    NS    c.gtld-servers.net.
…
;; Received 492 bytes from 193.0.14.129#53(193.0.14.129) in 93 ms
amazon.com.        172800    IN    NS    pdns1.ultradns.net.
amazon.com.        172800    IN    NS    pdns6.ultradns.co.uk.
…
;; Received 289 bytes from 192.33.14.30#53(192.33.14.30) in 201 ms
www.amazon.com.    900    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.    900    IN    NS    ns-1568.awsdns-04.co.uk.
www.amazon.com.    900    IN    NS    ns-277.awsdns-34.com.
…
;; Received 170 bytes from 204.74.108.1#53(204.74.108.1) in 87 ms

www.amazon.com.    60     IN    A    54.239.26.128
www.amazon.com.    1800   IN    NS   ns-1019.awsdns-63.net.
www.amazon.com.    1800   IN    NS   ns-1178.awsdns-19.org.
…
;; Received 186 bytes from 205.251.195.251#53(205.251.195.251) in 7 ms

You can also perform a query that returns only the name servers, as shown in the following example:

$ dig -t NS www.amazon.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> -t NS www.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48631
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.com.        IN    NS

;; ANSWER SECTION:
www.amazon.com.        490    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.        490    IN    NS    ns-1178.awsdns-19.org.
www.amazon.com.        490    IN    NS    ns-1568.awsdns-04.co.uk.
www.amazon.com.        490    IN    NS    ns-277.awsdns-34.com.

;; Query time: 0 msec
;; SERVER: 10.108.0.2#53(10.108.0.2)
;; WHEN: Fri Oct 21 21:48:20 2016
;; MSG SIZE rcvd: 170

In the preceding example, www.amazon.com has the following four authoritative name servers:

• ns-1019.awsdns-63.net.
• ns-1178.awsdns-19.org.
• ns-1568.awsdns-04.co.uk.
• ns-277.awsdns-34.com.

Any of these four servers can authoritatively answer questions about the www.amazon.com host name. Use the dig command to directly target a specific name server. Check whether every authoritative name server for a given domain answers correctly.

The following is example output for a query to www.amazon.com to one of its authoritative name servers (ns-1019.awsdns-63.net). The server response indicates that www.amazon.com is available on 54.239.25.192:

$ dig www.amazon.com @ns-1019.awsdns-63.net.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.49.amzn1 <<>> www.amazon.com @ns-1019.awsdns-63.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31712
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.amazon.com.    IN    A

;; ANSWER SECTION:
www.amazon.com.        60    IN    A    54.239.25.192

;; AUTHORITY SECTION:
www.amazon.com.        1800    IN    NS    ns-1019.awsdns-63.net.
www.amazon.com.        1800    IN    NS    ns-1178.awsdns-19.org.
www.amazon.com.        1800    IN    NS    ns-1568.awsdns-04.co.uk.
…

;; Query time: 7 msec
;; SERVER: 205.251.195.251#53(205.251.195.251)
;; WHEN: Fri Oct 21 21:50:00 2016
;; MSG SIZE rcvd: 186

The following line shows that ns-576.awsdns-08.net is an authoritative name server for amazon.com:

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

The presence of the aa flag indicates that the name server ns-1019.awsdns-63.net gave us an authoritative answer for the resource record www.amazon.com.

Troubleshoot DNS failures on Windows-based operating systems

Use the nslookup utility to return the IP address associated with a host name, as shown in the following example:

C:\>nslookup www.amazon.com
Server:     ip-10-20-0-2.ec2.internal
Address:    10.20.0.2

Non-authoritative answer:
Name:       www.amazon.com
Address:    54.239.25.192

To determine the authoritative name servers for a host name using the nslookup utility, use the -type=NS flag:

C:\>nslookup -type=NS www.amazon.com
Server:     ip-10-20-0-2.ec2.internal
Address:    10.20.0.2

Non-authoritative answer:
www.amazon.com    nameserver = ns-277.awsdns-34.com
www.amazon.com    nameserver = ns-1019.awsdns-63.net
www.amazon.com    nameserver = ns-1178.awsdns-19.org
…

To see if ns-277.awsdns-34.com for www.amazon.com responds correctly to a request for www.amazon.com, use the following syntax:

C:\>nslookup www.amazon.com ns-277.awsdns-34.com
Server:     UnKnown
Address:    205.251.193.21

Name:       www.amazon.com
Address:    54.239.25.200