DNS – dig +trace: No Servers Could Be Reached for My Domain

Tags: amazon-api-gateway, dns-hosting, domain-name-system

I am building my app in AWS.

I have deployed my Reactjs frontend project in an EC2 instance. Instead of users from the external internet world visiting my EC2 instance directly, I want to put it behind the AWS API Gateway. So AWS API Gateway would be the single entry point to my app's frontend and backend services. This is the plan to go with:

external world —> AWS API Gateway —> Network Load Balancer —> my VPC Target Group / EC2 instances

Here is what I have done:

  1. The Reactjs frontend project is running well in the EC2 instance; I can visit the webpage with the EC2 instance's public IP address.

  2. Well-configured Target Group and Network Load Balancer. I confirmed this by entering the NLB's DNS name in a browser, i.e. http://myapp-frontend-NLB-c11112esd43524rw.elb.ap-northeast-1.amazonaws.com, and it successfully loads / opens my app's frontend webpage.

  3. I have created a new AWS API Gateway (REST API) and configured a custom domain name for it (with the HTTPS certificate taken care of in AWS Certificate Manager).

    i.e. the custom domain is frontend.myapp.com;
    the API Gateway domain name is d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com

    And I have created a new NS record at my DNS provider for them, so that frontend.myapp.com points to d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com

  4. I have followed this AWS doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-with-private-integration.html step by step and configured the VPC link, API Resources, Integration Type, etc.

After deploying the created API, when I open the Invoke URL (in the form of https://123qwe123qe.execute-api.ap-northeast-1.amazonaws.com/[stage]), I can see the returned HTML code.


I expected that when I visit frontend.myapp.com in browser, DNS will eventually lead the traffic to API Gateway's domain name d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com, and API Gateway will then pass the request to NLB and so on, and eventually load the web page / or return the same HTML code.

However, when I visit frontend.myapp.com in a browser, there is no response. I thought the DNS record did not work. dig +trace frontend.myapp.com. gives the following result:


; <<>> DiG 9.10.6 <<>> +trace frontend.myapp.com.
;; global options: +cmd
.     3240  IN  NS  i.root-servers.net.
.     3240  IN  NS  d.root-servers.net.
.     3240  IN  NS  b.root-servers.net.
.     3240  IN  NS  m.root-servers.net.
.     3240  IN  NS  j.root-servers.net.
.     3240  IN  NS  h.root-servers.net.
.     3240  IN  NS  f.root-servers.net.
.     3240  IN  NS  g.root-servers.net.
.     3240  IN  NS  k.root-servers.net.
.     3240  IN  NS  c.root-servers.net.
.     3240  IN  NS  a.root-servers.net.
.     3240  IN  NS  l.root-servers.net.
.     3240  IN  NS  e.root-servers.net.
;; Received 811 bytes from 240d:1a:6a5:c900:e67e:66ff:fe1f:bf4c#53(240d:1a:6a5:c900:e67e:66ff:fe1f:bf4c) in 29 ms

 
 ...other results...

frontend.myapp.com.  14400 IN  NS  d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com.
;; Received 117 bytes from 54.68.111.244#53(ns4.jp-domains.jp) in 131 ms

;; connection timed out; no servers could be reached

As you can see, frontend.myapp.com. indeed points to d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com. as an NS record.

However, it says connection timed out; no servers could be reached.

d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com. is the custom domain name of my API Gateway, which I have tested with the invoke URL and it is connected to services.

Why would it say no servers could be reached?

What does this mean? How can I solve it and complete the flow?

Best Answer

frontend.myapp.com.  14400 IN  NS  d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com.

The NS record type is for name servers.

That current record is essentially saying: if you want to know anything DNS-related about the frontend.myapp.com subdomain, or about any record below that subdomain, ask the name server running on d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com.

And d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com is not a name server at all, so there will not be any response to DNS queries sent there.
That is the connection timed out; no servers could be reached error you see.

I think that what you intended was to set up a DNS CNAME record, which basically says: if you want to reach frontend.myapp.com., use the IP address of d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com.
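As an added example (not part of the question or the answer above), the following Python script does two things a practitioner would want when checking a setup like this: it reads the tail of a dig +trace output and tells the two outcomes apart (a CNAME/A answer versus an NS referral to a host that never answers, which is what produces "no servers could be reached"), and it checks whether a proposed record is a valid way to point a hostname at an API Gateway regional domain. The trace text is a constructed excerpt modelled on the one in the question; the hostnames are the question's placeholders; the check for the zone apex (a CNAME is not permitted at the apex, so a Route 53 alias is needed there) is a general DNS rule and goes beyond the specific case in the question.

```python
"""Added example, not code from the original post: classify how a
`dig +trace` run ended and validate the record that should point a
hostname at an API Gateway regional domain name.
Hostnames are the placeholders used in the question."""
import re

# Constructed excerpt of `dig +trace frontend.myapp.com.` output, modelled on
# the question (root and TLD referrals omitted, as in the question).
SAMPLE_TRACE = """\
frontend.myapp.com.  14400 IN  NS  d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com.
;; Received 117 bytes from 54.68.111.244#53(ns4.jp-domains.jp) in 131 ms

;; connection timed out; no servers could be reached
"""

# One resource record as dig prints it: owner TTL IN TYPE RDATA
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def _fqdn(name):
    """Normalise a DNS name to lower case with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_rrs(trace_text):
    """Return the resource records in dig output as (owner, type, rdata) tuples;
    ';;' status lines and blank lines are skipped."""
    rrs = []
    for line in trace_text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            rrs.append((_fqdn(m["owner"]), m["type"], _fqdn(m["rdata"])))
    return rrs


def diagnose_trace(trace_text):
    """Explain how the trace ended. A final NS referral followed by dig's
    'no servers could be reached' means the host the name was delegated to
    never answered on port 53, i.e. it is not running a name server."""
    rrs = parse_rrs(trace_text)
    timed_out = "no servers could be reached" in trace_text
    last = rrs[-1] if rrs else None
    if last and last[1] == "NS" and timed_out:
        return {"problem": "dead delegation", "owner": last[0], "delegated_to": last[2]}
    if last and last[1] in ("CNAME", "A", "AAAA"):
        return {"problem": None, "owner": last[0], "answer": last[2]}
    return {"problem": "unresolved", "owner": last[0] if last else None}


# Shape of the "API Gateway domain name" AWS shows for a REGIONAL custom domain.
API_GW_REGIONAL = re.compile(r"^d-[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com\.$")


def check_custom_domain_record(owner, rtype, rdata, zone_apex):
    """Is (owner, rtype, rdata) a correct way to point `owner` at an API Gateway
    regional domain? Returns (ok, reason). `zone_apex` is the zone's own name,
    e.g. myapp.com, so the CNAME-at-apex rule can be applied."""
    owner, rdata, zone_apex = _fqdn(owner), _fqdn(rdata), _fqdn(zone_apex)
    if not API_GW_REGIONAL.match(rdata):
        return False, "target is not an API Gateway regional domain name (d-xxxx.execute-api.<region>.amazonaws.com)"
    if rtype == "NS":
        return False, "NS delegates the name to a name server; execute-api hosts do not serve DNS, so every lookup times out"
    if rtype == "CNAME":
        if owner == zone_apex:
            return False, "a CNAME is not allowed at the zone apex (RFC 1034); use a Route 53 alias record there"
        return True, "CNAME at a non-apex name: resolvers follow it to the execute-api host"
    if rtype == "ALIAS":
        return True, "Route 53 alias: works at the apex as well as below it"
    return False, "record type %s does not point a name at another hostname" % rtype


if __name__ == "__main__":
    print(diagnose_trace(SAMPLE_TRACE))
    for rtype in ("NS", "CNAME"):
        print(rtype, check_custom_domain_record(
            "frontend.myapp.com", rtype,
            "d-123sdf1234asd.execute-api.ap-northeast-1.amazonaws.com", "myapp.com"))
```

After replacing the NS record with the CNAME, also delete the NS record rather than leaving it beside the CNAME: a name that has a CNAME may carry no other record types, and a leftover delegation to a host that does not answer DNS is exactly the dead delegation the diagnosis above flags. Re-run dig +trace afterwards; the last line should be the CNAME (or the execute-api host's A records), not a timeout.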