DNS isues with AWS Route53 hosted zone / nameservers

amazon-route53domain-name-system

I set up a set of white-label nameservers at AWS Route53, following both the AWS docs as well as a write-up I found from an AWS employee. All seemed to work fine — I have never had an issue reaching a test site I use, with those white-label nameservers as its DNS.

I asked a few people around the USA to try getting to the site, and they said they were intermittently getting "server not found". I tried examining via online tools like pingdom — and got some pretty disconcerting error messages back, but with the final statement "but an IP address lookup succeeded in spite of that". Not a real warm fuzzy.

If anyone would mind helping a DNS newbie out a bit. The test site is at: tsf-test.com ; if reachable it should give a brilliant "error establishing a database connection" result. That is expected.

DNSstuf.com reports this:

SOA record check    No nameservers provided an SOA record for the zone. 
You should configure your nameservers to have a master slave relationship.
The update of the zone information to the slave nameservers should 
be handled through the SOA record.

I would really appreciate any pointers about how to get this working solidly at Route53. Thanks…

EDIT:

Here are the records I have set up at AWS for the custom nameservers:

localroute.net.  NS ns1.localroute.net 172800
                    ns2.localroute.net 
                    ns3.localroute.net 
                    ns4.localroute.net

localroute.net.  SOA  ns1.localroute.net. hostmaster.localroute.net. 2016112702 7200 900 1209600 86400  900

ns1.localroute.net. A  205.251.192.207 172800
ns2.localroute.net. A  205.251.197.175 172800
ns3.localroute.net. A  205.251.195.235 172800
ns4.localroute.net. A  205.251.198.34  172800

Also, for the domain localroute.net, with AWS as registrar, I have glue records for ns1. ns2. ns3. and ns4. – pointing to same IP addresses as above.

Then, for tsf-test.com here are the zone records:

tsf-test.com.   A   xxx.xxx.xxx.xxx 60

tsf-test.com.   NS  ns1.localroute.net 60
                    ns2.localroute.net 
                    ns3.localroute.net 
                    ns4.localroute.net
tsf-test.com.   SOA ns1.localroute.net. hostmaster.localroute.net. 2016112701 7200 900 1209600 86400    900

*.tsf-test.com. CNAME tsf-test.com  60

Best Answer

Your glue records are correct. That isn't the issue.

The problem is, you didn't configure the localroute.net domain, itself, to actually use the white label servers, even though you've configured the global authoritative servers at the top level of the .net domain (the gTLD servers) -- via the registrar -- to believe that you did.

If you open up the Route 53 console, and highlight that hosted zone for localroute.net (don't click on the actual domain name, just on the row in the table), I believe you'll find that the 4 nameservers listed on the right side of the screen are not the correct Route 53 servers -- they don't correspond to the same 4 IP addresses that match your 4 white label servers. They should be these:

ns-1455.awsdns-53.org.   205.251.197.175
ns-1003.awsdns-61.net.   205.251.195.235
ns-207.awsdns-25.com.    205.251.192.207
ns-1570.awsdns-04.co.uk. 205.251.198.34

The localroute.net hosted zone -- I suspect you'll find -- will not be using these, but tsf-test.com will be, because it's correct.

But those are the equivalent servers for ns1-ns4, which allegedly is authoritative for localroute.net... yet if you ask those specific Route 53 servers about localroute.net, they have no idea what you're talking about.

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21284
                                       ^^^^^^^

So, assuming the above is accurate, how do you fix it?

The NS records in the hosted zone itself are irrelevant if values corresponding to different IP addresses are shown here.

I'm guessing you may have edited the NS records for the localroute.net zone, and you can't arbitrarily do that. It doesn't work that way. The hosted zone must already be on those name servers, or the change doesn't accomplish anything useful.

You'll need to create a new hosted zone for localroute.net using the same process that you used to create tsf-test.com -- so that it is associated with the white label name servers. You don't have to delete the old one first -- you can delete it later. Create the zone, populate the records, and the issue should be resolved.

Related Solutions

DNS Phishing – Phishing Site Uses Subdomain That I Never Registered

Sigh. I've had a few clients fall trap to this by using afraid.org as their DNS provider. Because they're free, they allow anyone who wants to to create subdomains off your primary domain, unless you specifically disallow it.

You can see here: https://freedns.afraid.org/domain/registry/?sort=5&q=gotgenes&submit=SEARCH that someone has created 79 subdomains off your primary domain.

Never. ever. ever. ever. use afraid.org for a website you care about.

Domain – DNS BIND on CENTOS 6.3 and domain nameservers

Your configuration file sets

allow-query     { localhost; };

That means BIND will only respond to queries from it's own server.

[jonv@desk ~]$ dig @66.215.210.17 example.com. soa

; <<>> DiG 9.7.6-P1 <<>> @66.215.210.17 example.com. soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59075
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

The 'status: REFUSED' is the big indicator of what's wrong.

Edit: You should be able to just remove the line, the default is allow-query {any;};. Without understanding your environment further, it's hard to give you an exact answer. You can also put the allow-query line within the zone statement for example.com while leaving the allow-query { localhost;}; in place for the global setting.

Best Answer

Related Solutions

DNS Phishing – Phishing Site Uses Subdomain That I Never Registered

Domain – DNS BIND on CENTOS 6.3 and domain nameservers

Related Topic