Unable to resolve a DNS in AWS ECS Fargate

Hi,

Standard DNS traffic is on port 53. Most often it works on UDP but in rare occasions, it can be TCP as well.

So, check that the security groups (plural because it can be at individual task level, at cluster or at VPC level) related to your container all allow outbound trafic on port 53 for UDP and TCP.

Best,

Didier

Hi,

It looks like issue with DNS, to test it create another ECS Task and use another DNS. Keep checking the cloud watch log and cloud trail.

Thanks

Do you have any route53 firewalls setup? This could be blocking the domain

The issue you're experiencing with DNS resolution in AWS ECS Fargate for a specific domain while others work correctly could be due to several factors. Here are some potential reasons and solutions to consider:

1. DNS Configuration: Ensure that your ECS Fargate task is using the correct DNS server. By default, it should be using AmazonProvidedDNS. If you're using custom domain name servers in your VPC instead of AmazonProvidedDNS, this could cause resolution issues for certain domains.

2. VPC DNS Settings: Check if the VPC DNS Hostnames option is enabled. If it's turned off, this can lead to DNS resolution problems.

3. Network Configuration: Since you mentioned the task is in a public subnet, verify that the task has a public IP address assigned and is properly connected to an Internet Gateway (IGW). This is necessary for outbound internet access, which is required for DNS resolution of public domains.

4. Security Groups and NACLs: Review your security group rules and network ACLs to ensure they're not blocking outbound DNS traffic (usually on port 53).

5. Route Configuration: Confirm that your VPC has the correct route table entries to allow traffic to flow to the internet via the IGW.

6. Task IAM Role: Ensure that the IAM role associated with your ECS task has the necessary permissions to make outbound connections.

7. Firewall or DNS Filtering: Check if there are any firewalls or DNS filtering mechanisms in place that might be blocking or interfering with requests to this specific domain.

Since replacing the hostname with the IP address works, it suggests that the issue is specifically related to DNS resolution rather than connectivity. This points towards a problem with either the DNS configuration or how the Fargate task is resolving DNS queries.

To troubleshoot further, you could try the following:

1. Use the AWS CLI or console to verify the VPC and subnet settings.
2. Check the ECS task definition and ensure it's configured to use the appropriate networking mode.
3. Try running a similar task on EC2 to see if the issue persists, which could help isolate whether it's specific to Fargate or a broader networking issue.

If the problem continues after checking these areas, you may need to contact AWS support for more in-depth troubleshooting of your specific environment configuration.
Sources
Troubleshoot ECS problems with an EFS filesystem DNS name | AWS re:Post
unable to access the api from ecs fargate. Do we need to use different ip address for ecs fargate | AWS re:Post
Troubleshoot connection to AWS service endpoints from Linux | AWS re:Post

Hi guys, I was able to fix it by adding the dhcp option set with Google DNS server. I am not sure why it is not resolved by Amazon DNS. Let me know your comments if there is any complications with these approch. Thanks for all the answers.

We've encountered a similar issue - unable to resolve the www.couriersplease.com.au host via the 10.0.0.2 default DNS resolver on an ECS Fargate instance. After hours of investigation, our only conclusion is that the ECS Fargate DNS resolver is broken in some way - perhaps it has negatively cached a missing record and is stuck.

Interestingly, we (very rarely) are able to resolve the domain via the default 10.0.0.2 resolver. But after a few seconds, it's broken again.

The domain is definitely resolvable from any other recursive resolver (eg, 1.1.1.1, 8.8.8.8) and dig +trace shows a valid, sensible lookup (both from within the ECS Fargate instance, and on local dev machines).

Another interesting note is that the default DNS resolver for our VPC (accessed via 10.0.0.2 on an EC2 instance within our VPC) works fine. So it's just a problem with the resolver for ECS Fargate. Or perhaps some of the resolvers within a cluster, to explain the intermittent failures.