Public hosted zone records don't work inside VPC

Question

I have some public hosted zone records defined in Route 53. They work normally accessed from any computer, but when accessed from an instance in my production vpc (or any other vpc of my account), it's impossible to reach them. But any other site outside the vpc, works normally.

Can somebody help me?

EDIT: To clarify, I can't reach with wget for example. I get:

wget http://XXX.YYY.com

--2018-05-25 15:22:43--  http://XXX.YYY.com
Resolving XXX.YYY.com (XXX.YYY.com)... failed: Name or service not known.
wget: unable to resolve host address 'XXX.YYY.com'

With dig I get:

dig YYY.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> YYY.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41991
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;YYY.com.           IN  A

;; AUTHORITY SECTION:
YYY.com.        60  IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 2 msec
;; SERVER: 10.150.0.2#53(10.150.0.2)
;; WHEN: Fri May 25 16:30:28 UTC 2018
;; MSG SIZE  rcvd: 124

Does impossible to reach mean you can't get to the server, or you can't get a DNS record at all from something like `dig`? If the latter, see if you've set up a [private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) for the domain that'd be overriding the public one. — ceejayoz, May 25 '18 at 13:59
Well, for starters, you can't do `dig http://XXX`. It's just `dig XXX`. — ceejayoz, May 25 '18 at 15:34
I have updated my question again. Yes I have a private zone with same domain name that the public domain. But I don't have any public record set equals to private record set. — voliveira89, May 25 '18 at 16:36

score 2 · Accepted Answer · answered May 25 '18 at 16:40

2

Yes I have a private zone with same domain name that the public domain. But I don't have any public record set equals to private record set.

A private zone completely replaces any public records (for the same domain) within the VPC it is attached to.

If you want the public records available in the private zone, you'll have to add them to both zones.

answered May 25 '18 at 16:40

ceejayoz

32,910
7
82
106

2

Fun trivia to impress friends: If the dig response's SOA record's ns-nnnn is evenly divisible by 512 (ns-0, ns-512, ns-1024, or ns-1536), that's a response from a private hosted zone. – Michael - sqlbot May 25 '18 at 22:41
@Michael-sqlbot That *is* a fun fact. Neato! – ceejayoz May 26 '18 at 01:08

score 0 · Answer 2 · answered Jan 10 '23 at 16:33

if we are created public and private hosted zones with a same domain name, we will get this error.

so we have to create records in both zones.

example. public zone (xyz.com) . private zone (xyz.com)

in this case, all our vpc traffic is sent to private zone only, that's why we are unable to access the public records. so we need to create records in both zones.

Public hosted zone records don't work inside VPC

2 Answers2