How can I troubleshoot reverse DNS issues with Route 53 rules and outbound endpoints?

5 minute read
0

I have a virtual private cloud (VPC) with an on-premises DNS server. I set up Amazon Route 53 Resolver reverse rules and outbound endpoints to resolve the reverse DNS queries from this server. However, they don't work as intended.

Resolution

Identify the expected and actual DNS responses

Use dig or nslookup to perform queries directly to the IP address of your on-premises DNS server. These tools try to resolve the correct record name.

To perform a reverse DNS resolution with dig, use the -x parameter. When you use this parameter, dig automatically adds the name, class, and type arguments. Refer to the QUESTION SECTION to check that dig automatically queried the correct name, class, and record type.

For example, you want to resolve the IP address 172.31.2.23 with the following values:

Name: 23.2.31.172.in-addr.arpa.
Class: IN
Record type: PTR

In this example, the command dig -x 172.31.2.23 returns the following output:

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.2 <<>> -x 172.31.2.23;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58812
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; 
OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;23.2.31.172.in-addr.arpa.    IN    PTR

;; 
ANSWER SECTION:
23.2.31.172.in-addr.arpa. 60    IN    PTR    example.com.

For nslookup, the command nslookup 172.31.2.23 returns the following output:

23.2.31.172.in-addr.arpa.   name = example.com.

Note: An unexpected response code might not indicate an issue with the rule or endpoint configuration:

  • NXDOMAIN might be an unexpected but valid DNS response. This response indicates that the queried server doesn't contain the requested record.
  • SERVFAIL indicates that there's a timeout or other issue on the path of the query. This response requires further investigation.
  • An unexpected answer in the ANSWER SECTION might indicate that you used a different rule.

Determine if the query arrives at the VPC DNS resolver

For a query to match a rule on a VPC, the query must arrive at the VPC DNS resolver. Check the VPC settings to confirm that you activated DNS Support.
To check the resolver IP address, refer to the server fields in dig or nslookup:

dig

;; SERVER: 172.16.0.2#53(172.16.0.2)

nslookup

Server:        172.16.0.2

Note: For VPCs, the VPC DNS is the VPC CIDR plus two. In these examples, the IP address for a VPC is 171.16.0.2.

Find the most specific rule that's being matched

When the query arrives at the VPC DNS resolver, it must match a rule on that VPC. When rules are evaluated, the most specific rule is matched. To find this rule, complete the following steps:

  1. Identify any autodefined rules on the VPC and connected VPCs. For peered VPCs or VPCs that connect through a transit gateway (with DNS support), note all rules for the reverse resolution of each connected CIDR.
    Note: The resolver creates these autodefined rules when DNS Hostnames is set to true. If you want to override an autodefined rule, then create a conditional forwarding rule for the same domain name. You can also deactivate the autodefined rules.
  2. If you turned on DNSSupport and DNSHostnames, then note any private hosted zones that are associated to the VPC.
    Note: If the resolver forwarder rule and private hosted zone are overlapping, then the resolver rule takes precedence. In this case, the query forwards to the on-premises server.
  3. To determine which rule is selected and where the query goes, compare your list of rules and associated private hosted zones against the query.

Troubleshoot your outbound endpoints

To troubleshoot your outbound endpoints, confirm the following configurations:

  • Your outbound endpoints must send the query to the target IP addresses that the rule specifies. Make sure that the resolver rule has the correct IP of the on-premises DNS server.
  • The outbound endpoints' security group must allow outbound TCP and UDP traffic to the IP addresses and ports of the on-premises DNS server.
  • The access control lists (ACLs) must allow TCP and UDP traffic to the IP addresses and ports of the on-premises DNS server. The ACLs must also allow traffic to the ephemeral ports (1024-65535).
  • The outbound endpoints' subnet route table must have a route for the on-premises server's IP addresses to the VPN or AWS Direct Connect connection.

For more information and troubleshooting steps, see How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?

Check if the outbound endpoints can send the query over the connection specified in its route table

Verify that the VPN or Direct Connect connection allows communication. To do this, run a dig or nslookup command directly to the IP address of the on-premises DNS resolver. To further troubleshoot connection issues, send a ping to an on-premises host that allows internet control message protocol (ICMP).

Note: You must perform this test from an EC2 instance that's in the same subnet as the outbound endpoints.

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago