
Getting confusing results from a domain+zone both in AWS.

My domain has four nameservers:

ns-604.awsdns-11.net
ns-493.awsdns-61.com
ns-1032.awsdns-01.org
ns-1574.awsdns-04.co.uk

I have the following hosted zone and record (in addition to the standard NS and SOA records):

example.com.   A     192.0.2.4

If I run dig example.com +noall +answer I receive an empty response instead of the expected example.com 1 IN 192.0.2.4

However, if I perform these nslookups I receive the expected responses:

nslookup example.com ns-604.awsdns-11.net
nslookup example.com ns-493.awsdns-61.com
nslookup example.com ns-1032.awsdns-01.org
nslookup example.com ns-1574.awsdns-04.co.uk

Server:         ns-1574.awsdns-04.co.uk
Address:        205.251.198.38#53

Name:   example.com
Address: 192.0.2.4

I also receive a 2(SERVFAIL) from host

host example.com
Host example.com not found: 2(SERVFAIL)

Not sure what's going on here. nslookup shows that my DNS is pointed to the right IP, but host and dig both fail.

Patrick Mevzek
diplosaurus
  • what if you run `host mydomain.com 8.8.8.8`? or `dig mydomain.com @8.8.8.8`? – Andrew Apr 04 '18 at 21:43
  • @Andrew I get `Host mydomain.com not found: 2(SERVFAIL)` and an empty answer section, respectively. – diplosaurus Apr 04 '18 at 21:54
  • Did you set your nameservers at your domain registrar? Not doing so is the usual cause of this problem. – Michael Hampton Apr 04 '18 at 22:18
  • @MichaelHampton AWS/Route53 is also the registrar, and the nameservers on the domain are identical to the nameservers in the hosted zone's NS record. – diplosaurus Apr 04 '18 at 22:36
  • Did you only just purchase the domain, then? – Michael Hampton Apr 04 '18 at 22:37
  • @MichaelHampton no I've owned the domain for a while, it was just unused. I created my hosted zone, then update the domain's nameservers to match the ones in the hosted zone's NS record. – diplosaurus Apr 04 '18 at 22:39
  • 1) give the true name involved without useless obfuscation (I fixed your values per RFC2606 and 5737) if you want quick and useful help 2) use `dig`, it is a superior tool to `nslookup` and `host` 3) always use dig with the `@` option to specify which nameserver you query 4) quick troubleshooting scenario: first check the authoritative nameservers then the recursive one. Also use online tools: https://zonemaster.net/ and https://dnsviz.net/ . If the authoritative have the data but not the recursive ones it is just a rejuvenation issue, so wait... (or a lame delegation) – Patrick Mevzek Apr 04 '18 at 23:38
  • @PatrickMevzek https://zonemaster.net/test/25323900ede06c1b shows the only warning as `All nameservers in the delegation have IPv6 addresses in the same AS (16509).` . Could you expand on how to check if the authoritative have the data but not the recursive ones? The only thing I found reading through the output was `None of the following nameservers is a recursor : ns-1052.awsdns-03.org/205.251.196.28, ns-1569.awsdns-04.co.uk/205.251.198.33, ns-319.awsdns-39.com/205.251.193.63, ns-753.awsdns-30.net/205.251.194.241.` – diplosaurus Apr 05 '18 at 00:01
  • Notice that none of the nameservers in that response are the ones you are using nslookup against, @diplosaurus. Your domain's authoritative servers list points to different nameservers, and therefore a different hosted zone... probably one that you deleted at some point in the past. – Michael - sqlbot Apr 05 '18 at 01:56
  • The solution will be the same as the one in [Deleted then recreated Route 53 hosted zones, now website not working](https://serverfault.com/a/838396/153161). – Michael - sqlbot Apr 05 '18 at 02:01

1 Answer

As the Zonemaster test you have done (https://zonemaster.net/test/25323900ede06c1b) shows your domain, we would have been able to reply sooner with more helpful information if you had given it right at the start.

Anyway, the test is OK, which means there is no lame delegation: the set of NS records in your parent zone and in your own zone match.

Indeed they are:

;; ANSWER SECTION:
nickbrown.me.       60  IN  NS  ns-1052.awsdns-03.org.
nickbrown.me.       60  IN  NS  ns-1569.awsdns-04.co.uk.
nickbrown.me.       60  IN  NS  ns-319.awsdns-39.com.
nickbrown.me.       60  IN  NS  ns-753.awsdns-30.net.

Note that these are NOT the ones you give in your question.

If you query any of them, for an A record at the apex they all reply with 35.162.177.171 so this is consistent and working. Your zone is correctly installed and works.

Now if we try some "well known" open recursive resolvers: Google (8.8.8.8), Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) all reply with the same answer.

So in short everything works, except that from your question you do not test the correct authoritative nameservers, and you do not specify exactly which recursive ones you use so they may have problems or have specific configurations for your zone.

Since whois shows your domain had an update recently (2018-04-04T21:43:23Z) you may have changed something and not tested things correctly at the correct time.

Patrick Mevzek
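The troubleshooting order given in Patrick Mevzek's comment (authoritative servers first, then recursive ones, always with `dig @server`) and the three comparisons the answer actually performs (parent delegation vs. child NS set, the NS set the asker believed was live vs. the real delegation, and whether every delegated server returns the same apex A record) can be scripted. The following is an added example, not code from the thread or from Route 53; it parses `dig +noall +answer` style text, so it can be run offline on the constructed sample below (which reuses the nameserver names from the question and answer with the question's placeholder zone `example.com` and address `192.0.2.4`) or fed live output from the hypothetical `dig()` wrapper at the bottom.

```python
"""Delegation consistency check in the order the answer uses: parent NS set,
child NS set, what the operator expected, then per-server apex answers."""
import re
import shutil
import subprocess

# One line of `dig +noall +answer` output, e.g.
#   example.com.   60   IN   NS   ns-1052.awsdns-03.org.
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)


def _norm(name):
    """Lower-case a domain name and drop the trailing dot so sets compare cleanly."""
    return name.strip().lower().rstrip(".")


def parse_dig_answer(text):
    """Return (owner, ttl, type, rdata) tuples from dig answer-section text.
    Comment lines (';;'), blanks and anything that is not a resource record are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        rtype = m.group("type")
        rdata = m.group("rdata").strip()
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = _norm(rdata)  # hostname rdata: normalise case and trailing dot
        records.append((_norm(m.group("name")), int(m.group("ttl")), rtype, rdata))
    return records


def rrset(records, owner, rtype):
    """The rdata values for one owner/type, e.g. the NS set at the apex."""
    owner = _norm(owner)
    return frozenset(r[3] for r in records if r[0] == owner and r[2] == rtype)


def check_delegation(domain, parent_answer, child_answer, believed_ns):
    """Compare three views of the NS set: the parent zone's delegation, the child
    zone's own apex NS RRset, and the servers the operator believes are live."""
    parent = rrset(parse_dig_answer(parent_answer), domain, "NS")
    child = rrset(parse_dig_answer(child_answer), domain, "NS")
    believed = frozenset(_norm(n) for n in believed_ns)
    return {
        "parent": parent,
        "child": child,
        "lame_delegation": parent != child,        # parent and child disagree
        "stale_expectation": believed != parent,   # testing servers that are not delegated
        "missing_from_parent": believed - parent,
        "unexpected_in_parent": parent - believed,
    }


def authoritative_consistency(domain, answers_by_server, rtype="A"):
    """Given the answer text each delegated server returned for the apex, report
    whether they all agree and none came back empty. Returns (all_agree, views)."""
    views = {srv: rrset(parse_dig_answer(txt), domain, rtype)
             for srv, txt in answers_by_server.items()}
    distinct = set(views.values())
    return (len(distinct) == 1 and frozenset() not in distinct), views


def dig(name, rtype, server=None):
    """Hypothetical wrapper around the real dig binary for live checks; the sample
    run below does not call it, so the example stays offline."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not installed")
    cmd = ["dig", "+noall", "+answer", name, rtype]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample data (not captured output) using the names from the thread.
DOMAIN = "example.com"
BELIEVED_NS = ["ns-604.awsdns-11.net", "ns-493.awsdns-61.com",      # from the question
               "ns-1032.awsdns-01.org", "ns-1574.awsdns-04.co.uk"]
PARENT_NS_ANSWER = """\
example.com.    172800  IN  NS  ns-1052.awsdns-03.org.
example.com.    172800  IN  NS  ns-1569.awsdns-04.co.uk.
example.com.    172800  IN  NS  ns-319.awsdns-39.com.
example.com.    172800  IN  NS  ns-753.awsdns-30.net.
"""
CHILD_NS_ANSWER = """\
;; ANSWER SECTION:
example.com.    60  IN  NS  ns-1052.awsdns-03.org.
example.com.    60  IN  NS  ns-1569.awsdns-04.co.uk.
example.com.    60  IN  NS  ns-319.awsdns-39.com.
example.com.    60  IN  NS  ns-753.awsdns-30.net.
"""
APEX_A_BY_SERVER = {srv: "example.com.  60  IN  A  192.0.2.4\n"
                    for srv in ("ns-1052.awsdns-03.org", "ns-1569.awsdns-04.co.uk",
                                "ns-319.awsdns-39.com", "ns-753.awsdns-30.net")}

if __name__ == "__main__":
    report = check_delegation(DOMAIN, PARENT_NS_ANSWER, CHILD_NS_ANSWER, BELIEVED_NS)
    print("lame delegation:", report["lame_delegation"])
    print("testing the wrong servers:", report["stale_expectation"],
          "missing from parent:", sorted(report["missing_from_parent"]))
    agree, views = authoritative_consistency(DOMAIN, APEX_A_BY_SERVER)
    print("all delegated servers agree on apex A:", agree)
```

On the sample this reports no lame delegation but a stale expectation: all four servers the question was querying are absent from the parent delegation, which is exactly the mismatch the comments identified. For a live run, feed `dig(DOMAIN, "NS", "<a TLD server>")`, `dig(DOMAIN, "NS", "<a delegated server>")` and one `dig(DOMAIN, "A", srv)` per delegated server into the same functions; a recursive resolver returning SERVFAIL shows up as an empty set in `authoritative_consistency`, which is why the authoritative servers are checked first.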