I want to know why my DNS queries to the Amazon DNS server fail or time out in my Amazon Virtual Private Cloud (Amazon VPC).
Short description
The Amazon DNS quota is 1,024 packets per second (PPS) for each elastic network interface. If you exceed the quota, then Amazon Route 53 rejects the traffic.
VPC Flow Logs don't capture the traffic that applications send to Amazon DNS servers. To identify the cause of DNS query failures, use packet captures or Traffic Mirroring.
Note: Route 53 query logs capture only the traffic that reaches the VPC .2 resolver (AmazonProvidedDNS). Throttled DNS queries don't appear in query logs because the queries are dropped at the network interface level, before they reach the resolver.
Resolution
Determine the source of the DNS query failures
Use tcpdump (Linux only)
To use tcpdump, complete the following steps:
- Run the following command on your Amazon Elastic Compute Cloud (Amazon EC2) instance:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
sudo tcpdump -i eth0 -s 350 -C 100 -W 20 -w "/var/tmp/$INSTANCE_ID.$(date +%Y-%m-%d:%H:%M:%S).pcap"
Note: The preceding command captures the first 350 bytes of each packet, rotates through 20 files of 100 MB each, and overwrites the oldest capture file when all 20 are full. If your primary network interface isn't eth0, then replace eth0 in the preceding command with your primary network interface. To find your primary interface, run the following command:
netstat -i
- Run the following command to count the DNS queries sent in each second of the capture:
tcpdump -r <file_name.pcap> -nn dst port 53 | awk '{ print $1 }' | cut -d"." -f1 | uniq -c
Each output line shows a count followed by the second (HH:MM:SS) that it applies to. Counts that stay near 1,024 indicate that the interface is at the quota.
Use Traffic Mirroring
If you can't use tcpdump, then use Traffic Mirroring to identify whether DNS queries are throttling.
Note: Traffic Mirroring is available for Nitro-based instances and certain non-Nitro instance types. Traffic Mirroring charges apply.
To capture and analyze traffic data, complete the following steps:
- Complete the Traffic Mirroring prerequisites.
- Create a traffic mirror target. Confirm that the target network interface or Network Load Balancer allows inbound traffic on UDP port 4789.
- Create a traffic mirror filter. For Filter settings, confirm that amazon-dns is turned on for Network services - optional.
- Create a traffic mirror session.
Traffic Mirroring gathers mirrored traffic and stores it on the traffic mirror target.
Note: Traffic Mirroring is a live stream of data. To capture the mirrored packets on the target and save them in a .pcap file, capture traffic on UDP port 4789.
Use Wireshark
Complete the following steps:
- Open the captured traffic in Wireshark.
Note: To download Wireshark, see the Download page on the Wireshark website.
- Choose the Statistics tab.
- Select I/O Graph and clear all options.
- Under Display Filter, add a filter that combines the VXLAN Network Identifier with the DNS query direction. Queries have the QR bit in the DNS header set to 0. For example, if the VXLAN Network Identifier is 16777215, then the display filter for the graph is (vxlan.vni == 16777215) && (dns.flags.response == 0).
- Review the graph. If the query rate remains flat at about 1,024 PPS, then throttling is occurring on the mirrored source.
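The tcpdump count in the previous section and the Wireshark display filter above both come down to the same check: count frames whose DNS header has QR == 0 for each second, and look for a rate that sits flat at the quota. The following script is an added example written for this article; it is not part of the article, of Wireshark, or of any AWS tool. It parses a classic pcap file (Ethernet link type), decapsulates VXLAN frames on UDP port 4789 so that it works on both a direct tcpdump capture and a capture of Traffic Mirroring output, optionally restricts the count to one VXLAN Network Identifier, and flags seconds at or above 1,024 queries. The pcap it analyzes is constructed in sample_pcap(); the IP addresses, MAC addresses, and VNI values in it are made up, and the 1,024 threshold is the quota stated above.

```python
"""Count DNS queries per second in a pcap and flag seconds at the Amazon DNS quota.

Handles a plain capture from tcpdump on the instance and a capture of Traffic
Mirroring output, where each mirrored frame is VXLAN-encapsulated on UDP 4789.
"""
import struct
from collections import Counter

PPS_QUOTA = 1024          # Amazon-provided DNS quota per network interface (from the article)
VXLAN_PORT = 4789
DNS_PORT = 53
_PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def _udp_payload(frame):
    """Parse Ethernet/IPv4/UDP; return (dst_port, udp_payload) or None if not IPv4/UDP."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:]
    return struct.unpack_from("!H", udp, 2)[0], udp[8:]


def is_dns_query(frame, vni=None):
    """True if the frame carries a DNS query (QR bit 0) to port 53.

    A VXLAN frame (UDP 4789) is decapsulated first. With vni set, only inner frames
    tagged with that VXLAN Network Identifier count, which mirrors the Wireshark
    filter (vxlan.vni == N) && (dns.flags.response == 0).
    """
    parsed = _udp_payload(frame)
    if parsed is None:
        return False
    dst_port, payload = parsed
    if dst_port == VXLAN_PORT:
        if len(payload) < 8 or not payload[0] & 0x08:   # I flag: a VNI is present
            return False
        if vni is not None and int.from_bytes(payload[4:7], "big") != vni:
            return False
        parsed = _udp_payload(payload[8:])              # inner Ethernet frame
        if parsed is None:
            return False
        dst_port, payload = parsed
    elif vni is not None:
        return False                                    # VNI filter set, frame not VXLAN
    if dst_port != DNS_PORT or len(payload) < 12:
        return False
    return not struct.unpack_from("!H", payload, 2)[0] & 0x8000   # QR bit clear


def iter_pcap(data):
    """Yield (ts_sec, frame) from a classic pcap with the Ethernet link type."""
    order = _PCAP_MAGIC.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap (pcapng is not supported here)")
    if struct.unpack_from(order + "I", data, 20)[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def count_queries_per_second(data, vni=None):
    """Per-second DNS query counts, like the tcpdump | awk | cut | uniq -c pipeline."""
    counts = Counter()
    for ts_sec, frame in iter_pcap(data):
        if is_dns_query(frame, vni):
            counts[ts_sec] += 1
    return dict(counts)


def throttled_seconds(counts, quota=PPS_QUOTA):
    """Seconds whose query rate reached the quota: the flat ~1,024 PPS line in the I/O graph."""
    return sorted(s for s, n in counts.items() if n >= quota)


# --- constructed sample data (made up for this example, not captured from a real VPC) ---
def _dns_packet(query=True):
    flags = 0x0100 if query else 0x8180
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"

def _frame(dst_port, payload):
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 10]), bytes([10, 0, 0, 2])) + udp
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def _vxlan(inner, vni):
    return _frame(VXLAN_PORT, b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00" + inner)

def sample_pcap():
    """Second 100 hits the quota; 101 is quiet; 102 holds mirrored (VXLAN) traffic on two VNIs."""
    q, r = _frame(DNS_PORT, _dns_packet()), _frame(DNS_PORT, _dns_packet(query=False))
    records = [(100, q)] * PPS_QUOTA + [(101, q)] * 3 + [(101, r)] * 2
    records += [(102, _vxlan(q, 16777215))] * 5 + [(102, _vxlan(q, 1))] * 2
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    counts = count_queries_per_second(sample_pcap())
    print(counts, "throttled seconds:", throttled_seconds(counts))
```

To run it against a real file, replace sample_pcap() with the bytes of the capture (open(path, "rb").read()) and pass vni= only when the file came from Traffic Mirroring and you want one mirror session. The script stops at the per-second count because, as the article notes, that rate is the only signal available: the dropped queries never reach the resolver, so no query log or flow log will show them.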
Check the ENA driver network performance metric
If the EC2 instance is running one of the following Elastic Network Adapter (ENA) driver versions, then check the real-time metrics for DNS throttling:
- Linux: 2.2.10 or later
- Windows: 2.2.2.0 or later
Check the linklocal_allowance_exceeded metric to determine the number of packets that were dropped because traffic exceeded the PPS quota for the following link-local services:
- Amazon VPC DNS Service
- Instance Metadata Service (IMDS)
- Amazon Time Sync Service
Check the metric at multiple intervals to determine whether the count is increasing. The linklocal_allowance_exceeded metric is cumulative since the last driver restart (for example, after a stop and start or a reboot), so a large but unchanging value reflects past drops. There's an issue only when the metric is increasing.
To get the linklocal_allowance_exceeded value, run the following command for eth0:
ethtool -S eth0 | grep link
For instances with the interface named ens5:
ethtool -S ens5 | grep link
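To turn the ethtool check into something that can be repeated at intervals, here is an added Python example written for this article; it is not from the article or from the ENA driver project. It parses ethtool -S output, reads linklocal_allowance_exceeded several times, and reports whether the counter is stable, increasing, or has gone backwards (which happens when the driver restarts between readings). The ethtool output embedded for the offline demonstration is constructed; the counter names follow the ENA driver's naming, the values are made up, and eth0 as the interface name is an assumption.

```python
"""Poll the ENA linklocal_allowance_exceeded counter and report whether it is rising."""
import re
import subprocess
import time

COUNTER = "linklocal_allowance_exceeded"
_STAT_LINE = re.compile(r"^\s*([\w\[\]:.-]+):\s*(\d+)\s*$")


def parse_ethtool_stats(text):
    """Turn `ethtool -S <iface>` output into {counter_name: value}."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def _run_ethtool(iface):
    """Real reader: runs ethtool -S on the interface (requires ethtool and an ENA NIC)."""
    return subprocess.run(["ethtool", "-S", iface], check=True,
                          capture_output=True, text=True).stdout


def read_counter(iface, runner=_run_ethtool):
    """Return the current counter value. `runner(iface)` returns ethtool's stdout and is
    injectable so the logic can be exercised without a real ENA interface."""
    stats = parse_ethtool_stats(runner(iface))
    if COUNTER not in stats:
        raise KeyError(f"{COUNTER} not reported for {iface}; "
                       "is the ENA driver older than 2.2.10 (Linux) / 2.2.2.0 (Windows)?")
    return stats[COUNTER]


def classify_samples(samples):
    """'increasing' = drops are happening now (the only case the article treats as a problem);
    'stable'     = cumulative count unchanged since the last driver restart;
    'reset'      = counter went backwards, i.e. the driver restarted between samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to judge a trend")
    deltas = [later - earlier for earlier, later in zip(samples, samples[1:])]
    if any(d < 0 for d in deltas):
        return "reset"
    return "increasing" if any(d > 0 for d in deltas) else "stable"


def monitor(iface, samples=3, interval=10, runner=_run_ethtool):
    """Read the counter `samples` times, `interval` seconds apart; return (readings, verdict)."""
    readings = []
    for i in range(samples):
        readings.append(read_counter(iface, runner))
        if i < samples - 1:
            time.sleep(interval)
    return readings, classify_samples(readings)


# Constructed ethtool -S output (values are made up) so the script can be run offline.
SAMPLE_STABLE = """NIC statistics:
     tx_timeout: 0
     suspend: 0
     resume: 0
     wd_expired: 0
     interface_up: 1
     interface_down: 0
     admin_q_pause: 0
     bw_in_allowance_exceeded: 0
     bw_out_allowance_exceeded: 0
     pps_allowance_exceeded: 0
     conntrack_allowance_exceeded: 0
     linklocal_allowance_exceeded: 1532
     queue_0_tx_cnt: 9876
"""


if __name__ == "__main__":
    # On a real instance: readings, verdict = monitor("eth0")
    fake_outputs = iter([SAMPLE_STABLE,
                         SAMPLE_STABLE.replace("1532", "1600"),
                         SAMPLE_STABLE.replace("1532", "1700")])
    readings, verdict = monitor("eth0", interval=0, runner=lambda iface: next(fake_outputs))
    print(readings, verdict)
```

The default interval of 10 seconds with three samples is an arbitrary choice; what matters is that the verdict depends only on the deltas, so a counter that is large but flat is reported as "stable", matching the article's point that only an increasing value indicates active throttling.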
Resolve DNS throttling issues
If DNS throttling is causing the failures, then take one of the following actions to resolve the issue:
Related information
Understand traffic mirror target concepts
Work with Traffic Mirroring to copy network traffic