By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Route53 Alias not resolving to cloud front distribution

0

Hi,

We have been trying to setup our cloud-front distribution to work with a backend origin. The distribution is setup fine but the alternate domain name attached to the distribution is not getting resolved. Here is the sequence of steps followed.

  1. Create a cloud front distribution - Configure the backend origin, cache behaviors, etc.
  2. Update the cloud front distribution - A custom SSL certificate (not from AWS) is imported into the ACM and attached to the distribution and the same has been used as the alternate domain name for the distribution i.e., the alternate domain name is "myapi-demo.example.com" and my SSL certificate has the SAN entry for the same
  3. Create an ALIAS record under "example.com" hosted zone in R53

#3 is not working and tried the following options:

  • Created a CNAME as some old articles say to use CNAME. Didn't work
  • Created an ALIAS record. Didn't work
  • Created a new hosted zone in R53 for "myapi-demo.example.com" and added ALIAS record. Didn't work.
  • Created a new hosted zone in R53 for "myapi-demo.example.com" and tried creating a CNAME. Didn't work - failed with error "RRSet of type CNAME with DNS name myapi-demo.example.com. is not permitted at apex in zone "

Record name - "myapi-demo.example.com" Record value - "d3hui35xh0ym6w.cloudfront.net" Type - [CNAME] [ALIAS]

  • AWS-User-0357409
    a year ago

    Just to confirm, the root of the issue is that the DNS record is not resolving at all, not that it is communication with the Cloudfront backend/origin?

Topics
Networking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon CloudFrontAmazon Route 53AWS Certificate Manager
Language
English
rePost-User-6797672
asked a year ago304 views
5 Answers
1

It appears that you are following the correct process with respect to using Route 53 for DNS resolution of CloudFront distributions, and I would specifically highlight that using a Route 53 Alias record is the recommended path as it'll allow you to create an alias at the zone apex (root) level as well as for subdomains in Route 53.

It seems you have done due diligence with your configuration and I would recommend some additional testing (below) if not done already. Alternatively, if this solution is still not functional, I would recommend creating a ticket with AWS Support to investigate further.

  1. Are you able to access the CloudFront distribution directly using the DNS name assigned to the distribution itself? Are you provided the correct certificate?
  2. Have you confirmed that Route 53 is the authoritative name service for the domain you are configuring the alias record within?
  3. Have you any configured health checks on the alias record that may be failing (and causing an issue with DNS resolution)?
  4. After you created the Alias record in Route 53, what value is returned when you query (nslookup) against this domain name from your local computer?

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html

profile pictureAWS
Darren R
answered a year ago
1

It sounds like the "example.com" domain may be split, that is, internal (on-premises) DNS may be authoritative for the domain on your local network, while Route 53 may be authoritative for the domain on the public Internet. And if you're connected to your local on-premises network (either directly or via VPN), you may be picking up the DNS servers there. Assuming this domain is split between on-premises and Route 53, it would make sense to see SOA and NS records in both locations as neither are aware of the other.

I would recommend double-checking that your "example.com" is in fact being served by Route 53, and you can use a whois tool such as https://whois.domaintools.com/ to verify that. What you should see here is an SOA and NS records that point to AWS' authoritative name servers (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html). I would also point out that technically Route 53 doesn't need to have the "example.com" domain registered to be authoritative for this domain's DNS function, and it is possible to leave this domain at your current registrar while delegating DNS functionality to Route 53.

Hopefully this is helpful, and would be interested in feedback on what you discover in your testing!

profile pictureAWS
Darren R
answered a year ago
0

We have the setup working finally. The following is what we did in addition to the previous steps.

  1. We re-imported the certificate for the CNAME with the whole certificate chain root -> intermediate -> domain.
  2. On the on-premise name servers, created a CNAME (ALIAS) pointing to the distribution followed by cloudfront-update.

The exact step that made this working seems to be the creation of CNAME record on the on-premises name servers. As Darren mentioned, it looks like the name servers residing on-premise are the authoritative ones for our domain and R53 is used for delegation purposes.

rePost-User-6797672
answered a year ago
  • Darren R
    a year ago

    AWSome! Glad to hear you were able to get it working.

0

Darren, Thank you for your quick response.

  1. Are you able to access the CloudFront distribution directly using the DNS name assigned to the distribution itself? Are you provided the correct certificate?

Yes. The distribution is directly accessible and my request is going to the origin. We are also suspecting certificate issue, so asking our internal team to give us a new CA

  1. Have you confirmed that Route 53 is the authoritative name service for the domain you are configuring the alias record within?

This is the part we are digging deeper along with the SSL certificate. More on this below.

  1. Have you any configured health checks on the alias record that may be failing (and causing an issue with DNS resolution)?

No. When I created the ALIAS manually, the health check is by default disabled.

  1. After you created the Alias record in Route 53, what value is returned when you query (nslookup) against this domain name from your local computer?

The name resolution is not happening and dns queries using various options & tools - nslookup, dig, host, etc are giving me NXDOMAIN

Expanding #2, one thing I did notice is that the SOA & NS records for the domain "example.com" via nslookup resolves to few of our onprem servers and in R53 as well I see NS records for "example.com" (Not sure if an old team member did this) but nslookup on "example.com" never gives me the servers from AWS - .awsdns-xx.. As a next stop I was thinking of adding the ALIAS record in "onprem" name servers......I'll be damned if that works.

And if it works, my follow up question would be, is the above setup valid? How come someone have SOA & NS records in 2 places - onprem and in R53. How does that work? What am I missing here. If its about primary and secondary name servers and assuming onprem is the primary name server, why is it also not checking with the secondary name servers on R53.

Regards

rePost-User-6797672
answered a year ago
0

This probably isn't it, but I'll mention it in case - you have to use ACM in us-east-1. I can't remember what happens if you don't.

EXPERT
skinsman
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content