
How do I troubleshoot issues with hosted zones in Route 53 that have the same domain names in different AWS accounts?


I want to troubleshoot multiple hosted zones that share the same domain name in Amazon Route 53 across different AWS accounts.

Short description

To troubleshoot issues with multiple hosted zones that share the same domain name, verify the following for each account:

  • For public hosted zones, check the correct name server delegation.
  • For private hosted zones, confirm the Amazon Virtual Private Cloud (Amazon VPC) association and DNS resolution.

Resolution

Check the correct name server delegation

A domain can be delegated to only one set of name servers at a time, so first decide which account's hosted zone should answer for the domain. Then, at the registrar, confirm that the domain's name servers match the four name servers that Route 53 assigned to that hosted zone. Records in a hosted zone whose name servers aren't in the registrar's delegation are never reached by public resolvers, even though the hosted zone itself looks healthy in the console.

If the registrar points the domain at Account A's name servers but not at Account B's, then you get the following dig output:

  • Example dig output for Account A with a NOERROR status:

    # dig test1.101.example.com
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.101.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38973
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test1.101.example.com.    IN   A
    
    ;; ANSWER SECTION:
    test1.101.example.com. 300    IN   A      8.8.8.8
  • Example dig output for Account B with an NXDOMAIN status:

    # dig test2.101.example.com
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.101.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489

When you create a public hosted zone, Route 53 automatically assigns a set of four name servers. For example, the hosted zone in Account A has these name servers:

  • ns-1701.awsdns-20.co.uk
  • ns-487.awsdns-60.com
  • ns-1410.awsdns-48.org
  • ns-867.awsdns-44.net

The hosted zone also has a simple Type A record with the following details:

Record name             Type  Routing policy  Differentiator  Value/Route traffic to
test1.101.example.com   A     Simple          -               8.8.8.8

If Account B has a hosted zone with the same domain name as Account A, then Route 53 assigns Account B's hosted zone a different set of four name servers:

  • ns-869.awsdns-44.net
  • ns-1332.awsdns-38.org
  • ns-61.awsdns-07.com
  • ns-1707.awsdns-21.co.uk

The hosted zone also has a simple Type A record with the following details:

Record name             Type  Routing policy  Differentiator  Value/Route traffic to
test2.101.example.com   A     Simple          -               8.8.8.8
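The delegation check described above, scripted so that you can run it once per account. This is an added example and not code from the original article: it assumes the hosted zone name is 101.example.com, and the hosted zone IDs and AWS CLI profile names passed to it are placeholders for your own. The live lookups use `dig +short NS` (what the public DNS tree currently delegates to) and `aws route53 get-hosted-zone` (what Route 53 assigned to the hosted zone); the comparison itself is a pure function, so the constructed name server lists below exercise it without network access.

```shell
#!/bin/sh
# Added example, not code from the original article. Compares the name servers
# a domain is delegated to with the name servers Route 53 assigned to a hosted
# zone, so you can tell which account's hosted zone is actually live.

# normalize_ns: read name servers from stdin, lowercase them, strip trailing
# dots, print one per line, sorted. Makes dig output comparable to CLI output.
normalize_ns() {
    tr 'A-Z' 'a-z' | tr ' \t' '\n\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_matches "REGISTRAR_NS" "ZONE_NS"
# Both arguments are whitespace-separated name server lists. Returns 0 when
# they are the same set; otherwise prints the differences and returns 1.
delegation_matches() {
    reg_file=$(mktemp) || return 2
    zone_file=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_ns > "$reg_file"
    printf '%s\n' "$2" | normalize_ns > "$zone_file"
    if cmp -s "$reg_file" "$zone_file"; then
        rm -f "$reg_file" "$zone_file"
        return 0
    fi
    echo "delegation mismatch:"
    echo "  delegated by the registrar but not in this hosted zone:"
    comm -23 "$reg_file" "$zone_file" | sed 's/^/    /'
    echo "  in this hosted zone but not delegated by the registrar:"
    comm -13 "$reg_file" "$zone_file" | sed 's/^/    /'
    rm -f "$reg_file" "$zone_file"
    return 1
}

# live_delegation DOMAIN: NS set that public resolvers currently return for the
# domain apex. A resolver may answer from cache for up to the NS TTL after a
# registrar change; use `dig +trace NS DOMAIN` to walk from the root instead.
live_delegation() { dig +short NS "$1"; }

# live_zone_ns HOSTED_ZONE_ID PROFILE: name servers Route 53 assigned to the zone.
live_zone_ns() {
    aws route53 get-hosted-zone --id "$1" --profile "$2" \
        --query 'DelegationSet.NameServers' --output text
}

# check_account LABEL DOMAIN HOSTED_ZONE_ID PROFILE (hosted zone ID and profile
# are placeholders you supply), e.g.:
#   check_account "Account A" 101.example.com ZXXXXXXXXXXXXX account-a
check_account() {
    echo "== $1 =="
    if delegation_matches "$(live_delegation "$2")" "$(live_zone_ns "$3" "$4")"; then
        echo "  $1 holds the live delegation for $2 (expect NOERROR for its records)"
    else
        echo "  $1 is not delegated (expect NXDOMAIN for records that exist only there)"
    fi
}

# Constructed sample data from the article: the two hosted zones' name servers,
# and what `dig +short NS 101.example.com` would print when the registrar
# points at Account A (dig prints trailing dots, in no particular order).
ACCOUNT_A_NS='ns-1701.awsdns-20.co.uk ns-487.awsdns-60.com ns-1410.awsdns-48.org ns-867.awsdns-44.net'
ACCOUNT_B_NS='ns-869.awsdns-44.net ns-1332.awsdns-38.org ns-61.awsdns-07.com ns-1707.awsdns-21.co.uk'
REGISTRAR_NS='ns-487.awsdns-60.com.
ns-867.awsdns-44.net.
NS-1701.awsdns-20.co.uk.
ns-1410.awsdns-48.org.'

if delegation_matches "$REGISTRAR_NS" "$ACCOUNT_A_NS"; then
    echo "Account A: delegation OK"
fi
if delegation_matches "$REGISTRAR_NS" "$ACCOUNT_B_NS"; then
    echo "Account B: delegation OK"
else
    echo "Account B: not delegated; its records return NXDOMAIN publicly"
fi
```

Run `check_account` once per account with that account's hosted zone ID and CLI profile. Exactly one account can match; if neither does, the registrar points somewhere else entirely (for example, at the name servers of a hosted zone that was deleted and re-created, which gets a new delegation set).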

Confirm the VPC association and DNS resolutions

If you have private hosted zones with the same domain name in two accounts, then check each private hosted zone's configuration: verify which Amazon VPC it's associated with, and verify DNS resolution from inside that Amazon VPC. A private hosted zone resolves only in VPCs that have both the enableDnsSupport and enableDnsHostnames attributes set to true. To view the DNS support attributes, see View and update DNS attributes for your VPC.

Suppose that Account A has a private hosted zone (example.com) that's associated with an Amazon VPC, and that the hosted zone contains a simple Type A record alongside the NS and SOA records that Route 53 creates automatically.

Example:

Record name        Type  Routing policy  Differentiator  Value/Route traffic to
example.com        NS    Simple          -               ns-1536.awsdns-00.co.uk. / ns-0.awsdns-00.com. / ns-1024.awsdns-00.org. / ns-512.awsdns-00.net.
example.com        SOA   Simple          -               ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test1.example.com  A     Simple          -               1.1.1.1

Run the dig command from an Amazon Elastic Compute Cloud (Amazon EC2) instance in Account A's Amazon VPC:

# dig test1.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.example.com.    IN   A

;; ANSWER SECTION:
test1.example.com.    60   IN   A   1.1.1.1

Then, verify you receive a NOERROR status in the response.

Cross-account VPC association limitations

A VPC can be associated with only one private hosted zone for a given domain name, regardless of whether the hosted zones are in the same account or in different accounts. (Hosted zones with overlapping namespaces, such as example.com and acme.example.com, can be associated with the same VPC, because Route 53 Resolver uses the most specific match.)

Account B can have a private hosted zone with the same domain name (example.com) as long as it's associated with a different VPC. In this example, the hosted zone has a Type A record.

Example:

Record name        Type  Routing policy  Differentiator  Value/Route traffic to
example.com        NS    Simple          -               ns-1536.awsdns-00.co.uk. / ns-0.awsdns-00.com. / ns-1024.awsdns-00.org. / ns-512.awsdns-00.net.
example.com        SOA   Simple          -               ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test2.example.com  A     Simple          -               2.2.2.2

Example dig output when you run the command from an EC2 instance in Account B's VPC:

# dig test2.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test2.example.com.    IN   A

;; ANSWER SECTION:
test2.example.com.    60   IN   A   2.2.2.2
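The private hosted zone checks above (VPC DNS attributes, VPC association, and resolution from inside the VPC), combined into one diagnosis. This is an added example and not code from the original article. The VPC ID, Region, hosted zone name, query name and AWS CLI profile are placeholders you supply; the live collectors use `aws ec2 describe-vpc-attribute`, `aws route53 list-hosted-zones-by-vpc` and `dig`, while the diagnosis itself is a pure function over the collected values, so the constructed sample data below runs it without network access.

```shell
#!/bin/sh
# Added example, not code from the original article. Run the live part from an
# EC2 instance inside the VPC, because dig must reach that VPC's resolver.

# dig_status DIG_OUTPUT: print the response code (NOERROR, NXDOMAIN, SERVFAIL,
# ...) from captured dig output; return 1 if no header line is present.
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$status" ] || return 1
    printf '%s\n' "$status"
}

# private_zone_diagnosis DNS_SUPPORT DNS_HOSTNAMES ZONE_LIST ZONE_NAME DIG_OUTPUT
# ZONE_LIST is the "HostedZoneId<TAB>Name" text that list-hosted-zones-by-vpc
# prints. Returns 0 only when the VPC attributes allow private DNS, a zone
# named ZONE_NAME is associated with the VPC, and the query got NOERROR.
private_zone_diagnosis() {
    support=$(printf '%s' "$1" | tr 'A-Z' 'a-z')      # CLI prints True/False
    hostnames=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    zone_list=$3
    zone_name=$4
    case $zone_name in *.) ;; *) zone_name="$zone_name." ;; esac  # Route 53 names end in a dot

    if [ "$support" != "true" ]; then
        echo "FAIL: enableDnsSupport is false; this VPC can't use Route 53 Resolver"
        return 1
    fi
    if [ "$hostnames" != "true" ]; then
        echo "FAIL: enableDnsHostnames is false; private hosted zones require it"
        return 1
    fi
    # Exact match on the zone name, so acme.example.com. doesn't satisfy example.com.
    if ! printf '%s\n' "$zone_list" | awk -v n="$zone_name" 'tolower($2) == tolower(n) { f = 1 } END { exit !f }'; then
        echo "FAIL: no private hosted zone named $zone_name is associated with this VPC; check whether the other account's zone is the associated one"
        return 1
    fi
    status=$(dig_status "$5") || { echo "FAIL: no dig header found in output"; return 1; }
    case $status in
        NOERROR)  echo "OK: $zone_name is associated and the record resolved"; return 0 ;;
        NXDOMAIN) echo "FAIL: $zone_name is associated but has no such record; check the record name, or whether the record lives in the other account's zone"; return 1 ;;
        *)        echo "FAIL: resolver returned $status"; return 1 ;;
    esac
}

# collect_and_diagnose VPC_ID REGION ZONE_NAME QNAME PROFILE (all placeholders), e.g.:
#   collect_and_diagnose vpc-xxxxxxxx us-east-1 example.com test1.example.com account-a
collect_and_diagnose() {
    support=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --region "$2" --profile "$5" \
        --attribute enableDnsSupport --query 'EnableDnsSupport.Value' --output text)
    hostnames=$(aws ec2 describe-vpc-attribute --vpc-id "$1" --region "$2" --profile "$5" \
        --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' --output text)
    zones=$(aws route53 list-hosted-zones-by-vpc --vpc-id "$1" --vpc-region "$2" --profile "$5" \
        --query 'HostedZoneSummaries[].[HostedZoneId,Name]' --output text)
    private_zone_diagnosis "$support" "$hostnames" "$zones" "$3" "$(dig "$4")"
}

# Constructed sample data (placeholder zone IDs, not from a real account): the
# VPC is associated with example.com and with the overlapping acme.example.com,
# plus the two dig header lines shown in the article.
SAMPLE_ZONE_LIST=$(printf 'ZEXAMPLEZONEA\texample.com.\nZEXAMPLEZONEB\tacme.example.com.\n')
SAMPLE_DIG_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489'

private_zone_diagnosis True True "$SAMPLE_ZONE_LIST" example.com "$SAMPLE_DIG_NOERROR" || true
private_zone_diagnosis True False "$SAMPLE_ZONE_LIST" example.com "$SAMPLE_DIG_NOERROR" || true
private_zone_diagnosis True True "$SAMPLE_ZONE_LIST" example.com "$SAMPLE_DIG_NXDOMAIN" || true
```

Because a VPC can be associated with only one private hosted zone per name, the association check is what distinguishes the two accounts: a NOERROR from Account A's VPC and an NXDOMAIN for the same name from Account B's VPC is the expected result when each VPC is associated with its own account's zone, not a fault.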

Related information

How to centralize DNS management in a multi-account environment

AWS OFFICIAL | Updated 5 months ago