DNS Nameserver delegation not working in route53

rob1256

3/21/24, 3:13 PM

Our company recently updated our DNS settings so they could be managed in AWS Route53 via Terraform instead of manually managed in Google Domains. We have a site that sits on example.com as well as two more sites that sit on stage.plus.example.com and plus.example.com.

example.com and plus.example.com work fine but stage.plus.example.com has intermittent issues with DNS resolving and the NXDOMAIN error being returned. This seems to depend which DNS resolver server you use but OpenDNS has persistent issues and Google has intermittent issues resolving for example. The setup of the DNS is something like:

Google Domains is our registrar
- The nameservers for this are setup to go to a AWS Route53 hosted zone in AWS account 1 (HZ1)
The HZ1 has an NS record for plus.example.com pointing to a hosted zone in AWS account 2 (HZ2)
The HZ1 has an NS record for stage.plus.example.com pointing to a hosted zone in AWS account 3 (HZ3)
HZ2 has an A record to a load balancer in the same AWS account
HZ3 has an A record to a load balancer in the same AWS account

Using dig +trace ... @208.67.222.220 (OpenDNS servers) for both the plus.example.com and stage.plus.example.com seem return similar results with the A records showing in both.

However without the +trace option then the stage.plus.example.com is not found.

I've been banging my head against this problem for a while now to no avail so any help would be much appreciated!

162

1 + 2

domain-name-system

dns-zone

Patrick Mevzek

3/21/24, 3:16 PM

Without the real names noone can help you so you should ask your DNS provider and registrar for guidance or use yourself online troubleshooting tools like DNSViz. "This seems to depend which DNS resolver server you use but OpenDNS has persistent issues and Google has intermittent issues resolving for example. " This is usually and among other things either a DNSSEC problem, a connectivity problem (TCP blocked and such), a lame delegation setup, wrong glues, etc.

ceejayoz

3/21/24, 3:21 PM

If you delegated `plus.example.com` to HZ2, put your NS record for `stage.plus.example.com` in HZ2.

Score:0

Server

rob1256

3/22/24, 3:46 PM

In case anyone has similar issues in the future, we ended up moving all of our records into one hosted zone which fixed the issue immediately. I believe it was because in hosted zone 3 (HZ3) the hosted zone itself was named example.com but the A record within it was called stage.plus.example.com.

This was fine for a lot of DNS resolvers, but some did extra validation (I think) on the SOA record that Route53 automatically adds. The SOA record was for example.com and for some reason it didn't like that against stage.plus.example.com but was find again plus.example.com.

Again not 100% sure why but https://dnsviz.net/ was helpful in identifying it could be that.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: DNS Nameserver delegation not working in route53

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.