
Our company recently updated our DNS settings so they could be managed in AWS Route53 via Terraform instead of being managed manually in Google Domains. We have a site that sits on example.com as well as two more sites that sit on stage.plus.example.com and plus.example.com.

example.com and plus.example.com work fine, but stage.plus.example.com has intermittent issues with DNS resolving and the NXDOMAIN error being returned. This seems to depend on which DNS resolver you use; for example, OpenDNS has persistent issues and Google has intermittent issues resolving it. The setup of the DNS is something like:

  • Google Domains is our registrar
    • The nameservers for this are set up to point to an AWS Route53 hosted zone in AWS account 1 (HZ1)
  • The HZ1 has an NS record for plus.example.com pointing to a hosted zone in AWS account 2 (HZ2)
  • The HZ1 has an NS record for stage.plus.example.com pointing to a hosted zone in AWS account 3 (HZ3)
  • HZ2 has an A record to a load balancer in the same AWS account
  • HZ3 has an A record to a load balancer in the same AWS account

Using `dig +trace ... @208.67.222.220` (OpenDNS servers) for both plus.example.com and stage.plus.example.com seems to return similar results, with the A records showing in both.

However, without the +trace option, stage.plus.example.com is not found.

I've been banging my head against this problem for a while now to no avail so any help would be much appreciated!

  • Without the real names no one can help you, so you should ask your DNS provider and registrar for guidance or use online troubleshooting tools like DNSViz yourself. "This seems to depend which DNS resolver server you use but OpenDNS has persistent issues and Google has intermittent issues resolving for example." This is usually, among other things, either a DNSSEC problem, a connectivity problem (TCP blocked and such), a lame delegation setup, wrong glues, etc. – Patrick Mevzek Mar 21 '23 at 15:16
  • If you delegated `plus.example.com` to HZ2, put your NS record for `stage.plus.example.com` in HZ2. – ceejayoz Mar 21 '23 at 15:21

1 Answer


In case anyone has similar issues in the future, we ended up moving all of our records into one hosted zone which fixed the issue immediately. I believe it was because in hosted zone 3 (HZ3) the hosted zone itself was named example.com but the A record within it was called stage.plus.example.com.

This was fine for a lot of DNS resolvers, but some did extra validation (I think) on the SOA record that Route53 automatically adds. The SOA record was for example.com and for some reason it didn't like that against stage.plus.example.com but was fine against plus.example.com.

Again, not 100% sure why, but https://dnsviz.net/ was helpful in identifying that it could be that.
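The delegation layout from the question, modelled as an added example (this is not code from the question or the answer; all zone contents, the nameserver names under dns.invalid and the 192.0.2.x addresses are constructed). It implements the rule an authoritative server follows when answering: walking down from the zone apex, the first NS set on the path to the query name produces a referral, and anything the parent zone holds beneath that cut is occluded (RFC 1034 section 4.3.2, RFC 2181 section 6). So an NS record for stage.plus.example.com kept in HZ1 below the plus.example.com cut is never consulted once plus.example.com is delegated to HZ2; a resolver following the chain ends at HZ2, which answers NXDOMAIN, which is the behaviour ceejayoz's comment addresses. The block also includes a small lint for such occluded records and models both fixes: moving the NS record into HZ2, and consolidating everything into one hosted zone as the answer did. It does not model the apex/SOA naming issue the answer speculates about.

```python
"""Added example, not code from the question or the answer: a minimal model of
iterative DNS resolution over in-memory hosted zones. All zone contents,
nameserver names (dns.invalid) and 192.0.2.x addresses are constructed."""
from typing import Dict, List, Tuple

# A zone is (apex, records); records maps owner name -> {rtype: [rdata, ...]}.
Zone = Tuple[str, Dict[str, Dict[str, List[str]]]]


def ancestors(name: str) -> List[str]:
    """name and every name above it, most specific first: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def path_below_apex(apex: str, qname: str) -> List[str]:
    """Names from just below the apex down to qname, least specific first: the
    order an authoritative server walks the tree (RFC 1034 section 4.3.2)."""
    if apex not in ancestors(qname):
        raise ValueError(f"{qname} is not under {apex}")
    path = []
    for name in ancestors(qname):
        if name == apex:
            break
        path.append(name)
    return list(reversed(path))


def authoritative_answer(zone: Zone, qname: str, qtype: str):
    """What a server hosting `zone` says about qname/qtype: ("REFERRAL", cut, ns_list),
    ("ANSWER", qname, rdata) or ("NXDOMAIN"/"NODATA", qname, []).
    Empty non-terminals are not modelled."""
    apex, records = zone
    for name in path_below_apex(apex, qname):
        if "NS" in records.get(name, {}):
            # First zone cut on the path wins; anything beneath it in this zone is occluded.
            return ("REFERRAL", name, records[name]["NS"])
    rrsets = records.get(qname)
    if rrsets is None:
        return ("NXDOMAIN", qname, [])
    if qtype not in rrsets:
        return ("NODATA", qname, [])
    return ("ANSWER", qname, rrsets[qtype])


def resolve(qname: str, qtype: str, zones_by_ns: Dict[str, Zone],
            start_ns: str, max_hops: int = 8):
    """Iterative resolution from the nameserver the registrar points to, following
    referrals like a recursive resolver with an empty cache. Returns (status, rdata)."""
    ns = start_ns
    for _ in range(max_hops):
        status, _name, data = authoritative_answer(zones_by_ns[ns], qname, qtype)
        if status != "REFERRAL":
            return status, data
        ns = data[0]  # first listed nameserver of the child zone
    return "SERVFAIL", []


def occluded_records(zone: Zone) -> List[Tuple[str, str]]:
    """Lint: (name, cut) pairs where `name` sits below a delegation made by the same
    zone, so no resolver following the delegation chain will ever see it."""
    apex, records = zone
    cuts = [n for n, rrs in records.items() if n != apex and "NS" in rrs]
    return sorted((n, cut) for n in records for cut in cuts
                  if n != cut and n.endswith("." + cut))


NS1, NS2, NS3 = "ns-hz1.dns.invalid", "ns-hz2.dns.invalid", "ns-hz3.dns.invalid"

# Layout from the question (constructed): HZ1 delegates both plus. and stage.plus.;
# HZ2 and HZ3 each hold an A record for their load balancer.
HZ1_BAD: Zone = ("example.com", {
    "example.com": {"NS": [NS1], "A": ["192.0.2.10"]},
    "plus.example.com": {"NS": [NS2]},
    "stage.plus.example.com": {"NS": [NS3]},  # below the plus. cut: occluded
})
HZ2_BAD: Zone = ("plus.example.com", {
    "plus.example.com": {"NS": [NS2], "A": ["192.0.2.20"]},
})
HZ3: Zone = ("stage.plus.example.com", {
    "stage.plus.example.com": {"NS": [NS3], "A": ["192.0.2.30"]},
})
BAD = {NS1: HZ1_BAD, NS2: HZ2_BAD, NS3: HZ3}

# Fix suggested in the comments: the stage.plus. delegation lives in HZ2.
HZ1_FIXED: Zone = ("example.com", {k: v for k, v in HZ1_BAD[1].items()
                                   if k != "stage.plus.example.com"})
HZ2_FIXED: Zone = ("plus.example.com", {**HZ2_BAD[1], "stage.plus.example.com": {"NS": [NS3]}})
FIXED = {NS1: HZ1_FIXED, NS2: HZ2_FIXED, NS3: HZ3}

# Fix from the answer: every record in one hosted zone, no delegations at all.
ONE_ZONE: Zone = ("example.com", {
    "example.com": {"NS": [NS1], "A": ["192.0.2.10"]},
    "plus.example.com": {"A": ["192.0.2.20"]},
    "stage.plus.example.com": {"A": ["192.0.2.30"]},
})
SINGLE = {NS1: ONE_ZONE}

if __name__ == "__main__":
    for label, zones in (("question", BAD), ("NS in HZ2", FIXED), ("single zone", SINGLE)):
        for name in ("plus.example.com", "stage.plus.example.com"):
            print(f"{label:12} {name:24} -> {resolve(name, 'A', zones, NS1)}")
    print("occluded in HZ1:", occluded_records(HZ1_BAD))
```

Running it shows plus.example.com resolving in every layout while stage.plus.example.com gets NXDOMAIN only in the question's layout, and the lint names the occluded record in HZ1. Against a real deployment the same check can be done on exported zone files: any non-apex name in a hosted zone that sits beneath another NS set in that same zone is invisible to resolvers, whatever Route53 shows in its console.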