
How do I resolve Route 53 Resolver rule issues with DNS resolution in VPCs?

My Amazon Route 53 Resolver rules are causing DNS resolution issues in Amazon Virtual Private Cloud (Amazon VPC).

Resolution

Reassociate your Resolver rule

If you disassociate a Resolver rule from your VPC, then Resolver no longer forwards DNS queries for that rule's domain to the DNS resolvers that the rule specifies. To resolve this issue, reassociate the rule with the VPC. To troubleshoot issues with a rule that you shared, see Sharing Resolver rules with other AWS accounts and using shared rules.

Note: You can associate Resolver rules only with VPCs in your account.

Troubleshoot your DNS resolution

Troubleshoot Resolver rules

Take the following actions:

  • Confirm that the Route 53 Resolver matches the specified rule when it's evaluating rules. For more information, see Values that you specify when you create or edit rules.
  • Check whether there are auto-defined reverse DNS rules on your VPC, and override them.
  • If you turned on DNS resolution and DNS hostnames on your VPC, then confirm that your private hosted zone is among the private hosted zones associated with the VPC.
  • Check whether you created multiple rules for the same domain and associated them with the VPC. When more than one rule applies to a domain, resolution for that domain might fail.

Note: If a Resolver forwarder rule and private hosted zone conflict, then the Resolver rule takes precedence.

Troubleshoot DNS forwarding rules

When you use DNS forwarding rules to resolve internal domains that you host on DNS servers in other accounts, you might get the "connection refused" error. The error can occur even when the security group and network access control list (network ACL) configurations appear correct.

To troubleshoot this issue, check the routing configurations and traffic flows between the outbound Resolver endpoint account and the account that hosts the DNS server.

For outbound endpoints, take the following actions:

  • Confirm that the Resolver rule has the correct IP address of the on-premises DNS server.
  • Make sure that the security group of the outbound endpoints allows outbound TCP and UDP traffic to the DNS server IP addresses and ports.
  • Verify that the network ACLs allow outbound TCP and UDP traffic to the DNS server IP addresses and ports, and inbound return traffic on the ephemeral ports (1024–65535).
  • Check that the subnet route table of the outbound endpoints contains a route for the on-premises server IP addresses through the VPN or AWS Direct Connect connection.

For more information, see Managing outbound endpoints.

To test connectivity from an Amazon Elastic Compute Cloud (Amazon EC2) instance that's located in the same subnet as the outbound endpoints, take the following actions:

  • Run dig or nslookup queries directly against the on-premises DNS resolver's IP address.
  • Send a ping to an on-premises host that allows Internet Control Message Protocol (ICMP) to verify the connection.

Make sure that the source client sends queries to AmazonProvidedDNS rather than directly to the outbound endpoint. AmazonProvidedDNS then forwards queries through the outbound endpoint to the target IP addresses based on the Resolver rule configuration. For more information, see Public DNS query logging.

When you troubleshoot DNS responses, use dig or nslookup to query the on-premises DNS server IP address directly. Check the QUESTION SECTION to verify that the name, class, and record type are correct. Also check the response code: NXDOMAIN indicates that no such record exists, and SERVFAIL indicates a timeout or a network path issue.
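The following script, an added example that is not part of the AWS article, runs the check above from an EC2 instance in the outbound endpoint's subnet: it queries the on-premises DNS server directly over UDP and TCP, extracts the QUESTION SECTION, and classifies the result by response code or failure mode. The server IP, domain names, and sample dig output are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article. The server IP and names are placeholders.

# Classify raw dig output (stdin) into the failure modes the article distinguishes.
classify_dig_output() {
  local out status
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'connection refused'; then
    echo REFUSED; return        # a host answered but nothing listens: wrong IP/port in the rule
  fi
  if printf '%s\n' "$out" | grep -qE 'timed out|no servers could be reached'; then
    echo UNREACHABLE; return    # no reply at all: security group, network ACL or route table
  fi
  status="$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)"
  echo "${status:-UNKNOWN}"     # NOERROR, NXDOMAIN (no such record), SERVFAIL (upstream/path issue)
}

# Print the QUESTION SECTION as "name class type" so it can be checked against the rule.
dig_question() {
  awk '/QUESTION SECTION/ { getline; sub(/^;/, ""); $1 = $1; print; exit }'
}

# Query one server over UDP and over TCP; the security group and network ACL must allow both.
probe_dns_server() {
  local server="$1" qname="$2" qtype="${3:-A}" proto out
  for proto in +notcp +tcp; do
    out="$(dig "$proto" +tries=1 +time=3 @"$server" "$qname" "$qtype" 2>&1)"
    printf '%s %s: %s [%s]\n' "${proto#+}" "$qname" \
      "$(printf '%s\n' "$out" | classify_dig_output)" \
      "$(printf '%s\n' "$out" | dig_question)"
  done
}

# Constructed dig output (not real captures) to exercise the classifier offline.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;app.corp.example.              IN      A'
SAMPLE_TIMEOUT=';; communications error to 10.0.0.2#53: timed out
;; no servers could be reached'

# Live probe only when a server is given, e.g.: ./dnsprobe.sh 10.0.0.2 app.corp.example
if [ -n "${1:-}" ]; then
  probe_dns_server "$1" "$2" "${3:-A}"
fi
```

An UNREACHABLE result over TCP but NOERROR over UDP points at a rule that allows only UDP; a mismatch between the printed question and the rule's domain points at the wrong rule being matched.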

Check whether your Route 53 Resolver profile overrides the VPC

When you associate a VPC with a Resolver profile that has the default "." rule, the profile's rule takes precedence over the VPC's default recursive rule. However, the association status of the Resolver rules in the VPC doesn't show them as overridden. For more information, see How Route 53 Resolver endpoint forwards DNS queries from your VPCs to your network.

Resolve the SERVFAIL error for TLD domains such as .local

Route 53 handles certain top-level domains (TLDs), such as .local, as link-local domains. If you try to resolve domains that end in .local on a Linux distribution such as Ubuntu, then you might get a SERVFAIL error. To resolve this issue, reboot the instances in your VPC with a new Dynamic Host Configuration Protocol (DHCP) option set.

Review query logs and VPC flow logs

Review your DNS queries and check for errors in Route 53 Resolver query logs. Also, review VPC flow logs and capture packets to identify blocked or dropped network traffic.

Related information

How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?

How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?

AWS OFFICIAL. Updated 2 months ago.