How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?
4 minute read
I can't resolve DNS records using an inbound or outbound endpoint in Amazon Route 53.
Troubleshoot inbound endpoints
Complete the following steps to be sure that DNS resolvers on your network can forward DNS queries to Route 53 Resolver using your inbound endpoint:
If your on-premises DNS server must forward DNS queries to the inbound endpoint for your domains, then create a conditional forwarding rule. The conditional forwarding rule must be created on your on-premises DNS server. This configuration applies to private hosted zones and public domains.
Confirm that you have connectivity to the inbound resolver endpoint IP addresses over the AWS Direct Connect connection or VPN. This step validates whether you can reach the inbound resolver endpoint IP address from your on-premises network. Use the following telnet command to test connectivity between the inbound endpoint resolver IP address on port 53: telnet <inbound endpoint resolver IP address> 53.
Check the security group associated with the inbound resolver endpoint. The security group must allow traffic on TCP and UDP port 53 from your on-premises DNS server IP address.
Confirm that custom network access control lists (network ACLs) used with the subnet where the inbound endpoint was created allow the following:
Inbound UPD and TCP traffic from the on-premises DNS server on port 53.
Outbound UDP and TCP traffic to the on-premises DNS server on destination port range 1024-65535.
Confirm that the route table associated with the subnet where the inbound endpoint resolver was created includes a route to the on-premises network. You can configure the route through a Direct Connect connection or VPN. This route allows the inbound endpoint resolver to return a DNS query response.
To validate the domain resolution, complete a domain name lookup from the on-premises DNS server or localhost.
For Windows: nslookup <private hosted zone domain name>
For Linux or macOS: dig <private hosted zone domain name>
If the previous commands fail to return a record, then you can bypass your on-premises DNS server. Send the DNS query directly to the inbound resolver endpoint IP address using the following commands.
For Windows: nslookup <private hosted zone domain name> @ <inbound endpoint IP address>
For Linux or macOS: dig <private hosted zone domain name> @ <inbound endpoint IP address>
Confirm that your on-premises DNS server sends only recursive queries. Route 53 inbound resolver doesn't support iterative queries.
If you're resolving in a private hosted zone, then confirm that your inbound resolver endpoints and private hosted zone are associated with the correct VPC.
Troubleshoot outbound endpoints
Complete the following steps to be sure that Route 53 Resolver conditionally forwards queries to resolvers on your network using your outbound endpoint:
Confirm that you're using an Amazon provided DNS. Custom DNS servers on instances in your VPC must route private DNS queries to the IP address of the Amazon-provided DNS servers of your VPC. The Amazon-provided DNS servers IP address is the IP address at the base of the VPC network range plus two.
Confirm the egress rule of the security group associated with the outbound resolver endpoint. The egress rule must allow UDP and TCP port 53 traffic to the IP addresses of your on-premises DNS server.
Confirm that custom rules for network ACLs corresponding to the subnets where the outbound endpoint interfaces were created allow the following:
Outbound UDP and TCP traffic to the on-premises DNS server on port 53.
Inbound UDP and TCP traffic from the on-premises DNS server on ephemeral port range 1024-65535.
Confirm that the route table associated with the subnet of the outbound resolver endpoint has a route to your on-premises DNS server. The route can be configured through a Direct Connect connection or VPN.
Determine whether your on-premises DNS servers are protected by a firewall. If the servers are protected by a firewall, then confirm that the firewall allows traffic from the outbound resolver endpoint IP addresses.
Note that a Resolver rule that routes traffic to your network for the same domain name takes precedence over private hosted zones.