Why is my application or website hosted on Route 53 unreachable?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check for domain status issues

1.    Use the following command to check the domain status:

whois domain_name |grep 'status'

If the domain status (Extensible Provisioning Protocol code) is "inactive" or "ServerHold" or "ClientHold", the domain won't resolve.

2.    If your see an unusual domain status code, including "inactive" or "ServerHold" or "ClientHold", contact your registrar.

Use the following command to determine the domain registrar:

whois domain_name |grep 'Registrar'

Query your preferred Whois utility (domain registration lookup tool) for generic or country-specify top-level domains (TLDs).

Check for name server issues

1.    Confirm that the authoritative name server is correctly configured at your registrar. To find the authoritative name servers, check the authoritative_nameserver value in the name server (NS) resource record set of the public hosted zone.

2.    If you're using Route 53 as your DNS service provider, be sure that you correctly configured each of the four name servers.

Use the following command to check the name server configuration:

whois domain_name |grep 'Name Server'

For example, the output for whois amazon.com |grep 'Name Server' is:

Name Server: NS1.P31.DYNECT.NET
Name Server: NS2.P31.DYNECT.NET
Name Server: NS3.P31.DYNECT.NET
Name Server: NS4.P31.DYNECT.NET
Name Server: PDNS1.ULTRADNS.NET
Name Server: PDNS6.ULTRADNS.CO.UK

Check for record set issues

Use the following command to check if you've created the required alias (A) record in the hosted zone with the DNS service provider:

dig Domain_name record_type

For example, the output for $dig amazon.com A is:

; <<>> DiG 9.10.6 <<>> amazon.com +question
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29804
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        44    IN    A    54.239.28.85
amazon.com.        44    IN    A    205.251.242.103
amazon.com.        44    IN    A    176.32.103.205

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 19 20:28:51 IST 2021
;; MSG SIZE  rcvd: 87

Note: The record type is listed in the Type column of the corresponding resource record set. For more information, see Supported DNS record types.

Check for source issues

For local browsers or mobile devices:

• Clear your browser cache and then try to access the domain.
• Check whether you're requesting the correct domain. Mobile device browsers might append "www" when requesting the domain.

For an on-premises machine connected to an Amazon Virtual Private Cloud (Amazon VPC) or AWS resource using VPC .2 Resolver:

If you have private and public hosted zones with overlapping namespaces, such as "example.com" and "accounting.example.com", then Resolver routes traffic based on the most specific match. If there's a matching private hosted zone but no record that matches the domain name and type in the request, then Resolver doesn't forward the request to a public DNS resolver. Instead, it returns an NXDOMAIN (non-existent domain) error to the client. If you unintentionally created a private hosted zone with overlapping namespaces, you can delete the private hosted zone.

Check for record caching issues

1.    Use the following command to check if the record value returned from the DNS resolver matches the value returned from the authoritative name server. If the domain isn't resolving to the expected IP address, the DNS resolver might have cached the value. Clear your browser cache if the domain is resolving to an unexpected IP address.

dig domain_name record_type @authorative_name_server

For example, the output for $dig amazon.com @NS1.P31.DYNECT.NET is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @NS1.P31.DYNECT.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63711
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        60    IN    A    205.251.242.103
amazon.com.        60    IN    A    54.239.28.85
amazon.com.        60    IN    A    176.32.103.205

;; Query time: 2 msec
;; SERVER: 208.78.70.31#53(208.78.70.31) 
;; WHEN: Fri Mar 19 15:08:52 2021
;; MSG SIZE  rcvd: 76

2.    Use the following command to check if you're seeing the same results with the public resolver. If the public resolver is returning the expected answer, the issue is likely with the DNS resolver on the local machine.

dig domain @public_resolver_Ip

For example, the output for $dig amazon.com @8.8.8.8 is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26860
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        15    IN    A    205.251.242.103
amazon.com.        15    IN    A    54.239.28.85
amazon.com.        15    IN    A    176.32.103.205

;; Query time: 1 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 19 15:09:41 2021
;; MSG SIZE  rcvd: 76

Check for DNSSEC issues

Confirm that you've correctly configured DNSSEC for your domain. Use the DNSSEC analyzer tool or your preferred utility to see if there are DNSSEC issues with the domain.

Pass the DNSSEC and see if you're getting expected results:

dig domain_name +cd

For example, the output for $ dig amazon.com +cd is:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> amazon.com +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55636
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN    A

;; ANSWER SECTION:
amazon.com.        29    IN    A    205.251.242.103
amazon.com.        29    IN    A    176.32.103.205
amazon.com.        29    IN    A    54.239.28.85

;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Mar 19 15:10:13 2021
;; MSG SIZE  rcvd: 76

Check for webserver issues

If you're seeing the expected IP address for the domain in curl command output, check if you're getting the Expected HTTP response from the server:

• 1XX (Informational)
• 2XX (Successful)
• 3XX (Redirection)
• 4XX (Client Error)
• 5XX (Server Error)

If the DNS resolution is working as expected but the server isn't responding, the issue is with the web server where the website or application is hosted.

Command:

curl -Iv http://domain_name:Port/Path

For example, the output for $ curl -Iv http://amazon.com:80 is:

* Rebuilt URL to: http://amazon.com:80/
*   Trying 176.32.103.205...   <--- Indicates no issues with the DNS resolution as we are getting expected IP address for the domain amazon.com.
* TCP_NODELAY set
* Connected to amazon.com (176.32.103.205) port 80 (#0)
> HEAD / HTTP/1.1
> Host: amazon.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: Server
Server: Server
< Date: Fri, 19 Mar 2021 15:11:18 GMT
Date: Fri, 19 Mar 2021 15:11:18 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 179
Content-Length: 179
< Connection: keep-alive
Connection: keep-alive
< Location: https://amazon.com/
Location: https://amazon.com/

< 
* Connection #0 to host amazon.com left intact

Note: The Port value is the web server port on which the website or application is configured to listen.