-1

I have a domain, originally from GoDaddy, eventually transferred to AWS; it's under Registered Domains in Route53. The status is "clientTransferProhibited", which is one of the "ok" statuses, and the domain is not yet expired (good until 2020-07-12).

But it stopped working at some point (not sure exactly when or why). It used to, I had it point to a bunch of different EC2 instances, an S3 website, used it with and without subdomains, no problems, until I recently tried to use it with a Digital Ocean droplet (just put the IP in the Record Set as an A record), and discovered it's no longer working. Pings just time out, traceroute hangs.

I checked whois - and the results confused me, because it's saying the registrar is some Gandi SAS. Never heard the name before; I own a couple other domains, and they show Godaddy in the Registrar part of whois response, as expected. After the domain was transferred to AWS, I expect AWS to show up as a registrar.

Name Servers listed in whois response seem to be correct though - same as I see in the Domain section in Route53, and same as are listed in Value of type NS in the Hosted Zone.

and yet: traceroute: unknown host alexakarpov.xyz =|

what am I doing wrong?

alexakarpov

2 Answers

1

If you provided the true name, any online tool shows the problem: http://dnsviz.net/d/alexakarpov.xyz/dnssec/

You have a lame delegation.

The xyz authoritative nameservers say:

$ dig @$(dig ns xyz. +short|tail -1) alexakarpov.xyz NS | grep 'IN NS '
alexakarpov.xyz.    1h IN NS ns-102.awsdns-12.com.
alexakarpov.xyz.    1h IN NS ns-1223.awsdns-24.org.
alexakarpov.xyz.    1h IN NS ns-1724.awsdns-23.co.uk.
alexakarpov.xyz.    1h IN NS ns-954.awsdns-55.net.

Asking any of those nameservers:

$ for ns in ns-102.awsdns-12.com. ns-1223.awsdns-24.org. ns-1724.awsdns-23.co.uk. ns-954.awsdns-55.net. ; do dig @$ns alexakarpov.xyz NS +noqr| grep status; done
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57934
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14503
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48681
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12837

None of the listed nameservers at parent are authoritative for your name, so you have a lame delegation.

You need either to fix those nameservers, in order for them to be authoritative on your domain name, or you need to change nameservers for some that are authoritative on your nameserver.

Who your registrar is does not come into play in the above, except if you need to change your nameservers, which is something that needs to happen through your registrar.

PS: you can see the list of gTLD registrars at https://www.internic.net/alpha.html; this is the official list. Amazon is listed, but then which registrar sponsors your domain name is something to see in whois, which is its sole use in your case.

Patrick Mevzek
  • Whois gets the NS information that is present at the registrar. They have got incorrect name servers in their registrar configuration in the process of transfer; he needs to create a HZ and get 4 name servers and use the new nameservers in AWS registered domains configuration. What you have mentioned isn't anything new from what I said. – James Dean Apr 02 '19 at 16:49
  • "What you have mentioned isn't anything new from what I said. " Then you are not understanding the place of whois vs DNS. What is described in whois plays NO ROLE in the DNS resolution. It can be all wrong, and yet the domain can work. So for DNS resolution problems you have to do DNS queries, not using whois. That is the main point. And it is far different from your answer which does not provide the core point: this domain is in a lame delegation case, where nameservers do not reply correctly, which I have shown and you did not. Feel free to downvote my answer if it does not please you. – Patrick Mevzek Apr 02 '19 at 17:02
  • I agree and I pointed out the incorrect NS config, whois is one part of checking the nameservers as in most cases it returns the same nameservers as dig, though it isn't an approach but it confirms what is set on the Registrar. – James Dean Apr 02 '19 at 17:09
  • " whois is one part of checking the nameservers " we will agree to stay disagreeing on that specific point. Checking nameservers is done first and foremost by DNS queries. The problem can be solved even if whois does not exist. Whois is useful to: find the registrar, and find the domain statuses (it can be not resolving because it is on `clientHold` or `serverHold` and **that** information is only in whois). But if you check by DNS queries and then see that nameservers are not configured correctly, then you do not even need to check whois, it will not give any other useful data. – Patrick Mevzek Apr 02 '19 at 17:12
  • oh wow, unpacking your commands alone makes me feel I'm getting closer to the solution than reading several (useless) articles on "DNS troubleshooting" – alexakarpov Apr 02 '19 at 22:23
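The two-step check from the answer above (ask the parent zone for the delegation, then ask each delegated server directly), as an added example that is not part of the original answer. The function names `classify_reply` and `check_delegation` are hypothetical, the parent zone is assumed to be the TLD, and the sample `flags:` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): flag lame delegations.

# classify_reply: read dig output on stdin and print one verdict.
#   authoritative -> status NOERROR and the "aa" flag is set
#   lame ...      -> the server replied but is not authoritative for the name
#   unreachable   -> no DNS header at all (timeout, network error)
classify_reply() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            f = $0
            sub(/^;; flags:/, "", f)   # drop the label
            sub(/;.*/, "", f)          # drop the counters after the flag list
            if ((" " f " ") ~ / aa /) aa = 1
        }
        END {
            if (status == "") print "unreachable"
            else if (status == "NOERROR" && aa) print "authoritative"
            else print "lame status=" status " aa=" (aa + 0)
        }'
}

# check_delegation DOMAIN: needs network access and dig.
# Assumption: DOMAIN is delegated directly from its TLD (e.g. example.xyz).
check_delegation() {
    domain=${1%.}
    tld=${domain##*.}
    parent_ns=$(dig +short NS "$tld." | tail -1)
    dig +norecurse +noall +authority "@$parent_ns" "$domain." NS |
        awk '$4 == "NS" { print $5 }' |
        while read -r ns; do
            printf '%s: ' "$ns"
            dig +norecurse +tries=1 +time=3 "@$ns" "$domain." SOA | classify_reply
        done
}

# Constructed samples: header line as shown in the answer, flags lines invented.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57934
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1'

if [ "$#" -gt 0 ]; then check_delegation "$1"; fi
```

Run it with a domain name as the only argument; every delegated nameserver should report `authoritative`, and any `lame` or `unreachable` line points at the server to fix or replace at the registrar.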
0

AWS uses Gandi SAS for domain registration, so your domain is with AWS now. Now, you need to check things like:

  1. What are your current nameservers? Are they AWS's?

  2. If no, please create a Hosted Zone on AWS and get the 4 nameservers; on the Route53 console, go to domains and use these 4 name servers and have them propagated.

  3. Once this is done, perform dig domain.example NS and see if you're seeing those 4 name servers.

  4. Create all records in AWS Route53 hosted zone onwards.

These are the 4 nameservers currently seen in whois:

Name Server: NS-102.AWSDNS-12.COM
Name Server: NS-1223.AWSDNS-24.ORG
Name Server: NS-1724.AWSDNS-23.CO.UK
Name Server: NS-954.AWSDNS-55.NET

Make sure the nameservers are the one you get when you create the Hosted Zone.

Patrick Mevzek
James Dean
  • What appears in whois is irrelevant on how the domain name resolved or not. – Patrick Mevzek Apr 02 '19 at 14:57
  • thanks for your suggestions, mate 1. yes they all are, and I took them from Route53 page 2. yep, I do have a Hosted zone with the same name as domain (though that was a requirement from an S3 Website, as I remember now - wonder if it remains important to keep it that way) 3. I'll check that now 4. All records are there already, I think, and from AWS own web console it claims my domain (the A record) is resolved to the correct IP – alexakarpov Apr 02 '19 at 19:46