I can't resolve an Amazon Route 53 private hosted zone record with my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Short description
Linux distributions that use the systemd-resolved service handle DNS queries with a local stub resolver. The stub listener's IP address (127.0.0.53) is what /etc/resolv.conf points to. Because the ".local" suffix is reserved for Multicast DNS, the stub listener doesn't forward queries for ".local" names to the upstream DNS server for the VPC (AmazonProvidedDNS). The query fails with the response code "ServFail", similar to the following output:
### failed ###
ubuntu@ip-172-31-2-3:~$ dig example.local.
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> example.local.
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29563 ### status: SERVFAIL ###
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.local. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ### 127.0.0.53 is systemd-resolved ###
;; WHEN: Thu Jun 30 12:34:56 UTC 2022
;; MSG SIZE rcvd: 42
### success ###
ubuntu@ip-172-31-2-3:~$ dig example.local. @172.31.0.2 ### dig to @172.31.0.2 AmazonProvidedDNS / Route 53 Resolver ###
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> example.local. @172.31.0.2
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29352 ### status: NOERROR ###
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.local. IN A
;; ANSWER SECTION:
example.local. 300 IN A 192.0.2.1
;; Query time: 4 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP) ### 172.31.0.2 is AmazonProvidedDNS / Route 53 Resolver ###
;; WHEN: Thu Jun 30 12:34:56 UTC 2022
;; MSG SIZE rcvd: 58
Resolution
To resolve a domain name with the ".local" suffix, use the external resolver instead of the local DNS stub listener. The following steps point /etc/resolv.conf at the upstream server list that systemd-resolved maintains in /run/systemd/resolve/resolv.conf, and then turn off the stub listener so that nothing on the instance keeps sending queries to 127.0.0.53.
Note: It's a best practice to not use the domain name ".local" suffix. RFC 6762 reserves this domain name for exclusive Multicast DNS use. For more information, see Multicast DNS on the Internet Engineering Task Force (IETF) website.
-
Change the DNS resolver from the local DNS stub listener to the external DNS resolver (AmazonProvidedDNS). The file /run/systemd/resolve/resolv.conf lists the upstream DNS servers that systemd-resolved learned for the VPC, not the stub address.
cd /etc/
sudo ln -sf ../run/systemd/resolve/resolv.conf
-
Edit resolved.conf to stop the local DNS stub listener. Keep a backup of the original file first.
cd /etc/systemd/
sudo cp -ip resolved.conf resolved.conf.org
sudo sed -i -e 's/#DNSStubListener=yes/DNSStubListener=no/' resolved.conf
-
Restart systemd-resolved. Then run dig example.local. again and confirm that the answer comes from the VPC resolver (SERVER: 172.31.0.2 in the preceding example) with status NOERROR, instead of SERVFAIL from 127.0.0.53.
sudo systemctl restart systemd-resolved
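The three steps above as a script, added here as an example and not code from the AWS article. Each step is a function that takes a filesystem root, so the file edits can be rehearsed on a throwaway copy of the relevant files (a temporary directory with constructed sample contents modelled on the Ubuntu defaults and the VPC shown above) before they are applied to a live instance with an empty root. The function names, STUB_ADDR, the sample file contents, and the use of GNU sed are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the AWS article: the article's three steps as
# shell functions that take a filesystem root, so the file edits can be
# rehearsed on a throwaway copy (root = a temp dir) before they are applied
# to a live instance (root = ""). Function names, STUB_ADDR and the sample
# file contents are assumptions made for this example; GNU sed is assumed.
set -eu

STUB_ADDR="127.0.0.53"   # systemd-resolved stub listener, as in the dig output

# Print the first "nameserver" entry of the resolv.conf given as $1.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed if the resolv.conf given as $1 still sends queries to the stub.
uses_stub_listener() {
    [ "$(first_nameserver "$1")" = "$STUB_ADDR" ]
}

# Print the effective DNSStubListener value from the resolved.conf given as
# $1 (a commented-out or absent key means the default, "yes").
stub_listener_setting() {
    awk -F= '$1 == "DNSStubListener" { v = $2 } END { print (v == "" ? "yes" : v) }' "$1"
}

# Step 1: point $ROOT/etc/resolv.conf at the upstream server list that
# systemd-resolved writes to /run/systemd/resolve/resolv.conf. The relative
# link target is the one the article uses, so the link works under any root.
link_resolv_conf_to_upstream() {
    ln -sf ../run/systemd/resolve/resolv.conf "$1/etc/resolv.conf"
}

# Step 2: keep a backup of resolved.conf (taken once, never overwriting an
# earlier backup) and set DNSStubListener=no. Unlike the article's sed, this
# also rewrites an explicit "DNSStubListener=yes" and appends the key when it
# is missing (assumes [Resolve] is the only section, as in the Ubuntu default).
disable_stub_listener() {
    local conf="$1/etc/systemd/resolved.conf"
    [ -e "$conf.org" ] || cp -p "$conf" "$conf.org"
    if grep -qE '^#?DNSStubListener=' "$conf"; then
        sed -i -E 's/^#?DNSStubListener=.*/DNSStubListener=no/' "$conf"
    else
        printf 'DNSStubListener=no\n' >> "$conf"
    fi
}

# Build a throwaway root with constructed sample files modelled on the
# Ubuntu defaults and the article's VPC (172.31.0.2 is AmazonProvidedDNS).
make_sample_root() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/etc/systemd" "$root/run/systemd/resolve"
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch ec2.internal\n' \
        > "$root/etc/resolv.conf"
    printf 'nameserver 172.31.0.2\nsearch ec2.internal\n' \
        > "$root/run/systemd/resolve/resolv.conf"
    printf '[Resolve]\n#DNS=\n#DNSStubListener=yes\n' \
        > "$root/etc/systemd/resolved.conf"
    printf '%s\n' "$root"
}

# Steps 1 to 3 on the real system (run as root), followed by the article's
# check: dig should now report status NOERROR and SERVER set to the VPC
# resolver (172.31.0.2 in the article), not SERVFAIL from 127.0.0.53.
apply_live() {
    link_resolv_conf_to_upstream ""
    disable_stub_listener ""
    systemctl restart systemd-resolved
    dig example.local. | grep -E 'status:|SERVER:'
}

# Usage: sudo bash fix-local-dns.sh apply   (no argument only defines the functions)
if [ "${1:-}" = "apply" ]; then
    apply_live
fi
```

Two things to keep in mind before running this on a live instance. First, once the stub listener is off, the instance loses the local DNS cache and the per-interface DNS routing that systemd-resolved provided; every query goes straight to the VPC resolver listed in /run/systemd/resolve/resolv.conf. Second, the symlink in step 1 is what actually moves applications off 127.0.0.53, so check `uses_stub_listener /etc/resolv.conf` before and after, and keep the resolved.conf.org backup until the dig check passes.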
Related information
Best practices for Amazon Route 53 DNS
How can I troubleshoot DNS resolution issues with my Route 53 private hosted zone?