How do I troubleshoot issues with hosted zones in Route 53 that have the same domain names in different AWS accounts?


In Amazon Route 53, I have multiple hosted zones in different AWS accounts, and the hosted zones share the same domain name. I want to troubleshoot issues with these hosted zones.

Resolution

Public hosted zones with the same name in two accounts

You can create more than one hosted zone with the same name and add different records to each hosted zone. Route 53 assigns four name servers to every hosted zone, and the name servers are different for each hosted zone. When you update your registrar's name server records, be sure to use the Route 53 name servers for the appropriate hosted zone: the hosted zone that contains the records that you want Route 53 to use when it responds to queries for your domain. Route 53 doesn't return values for records in other hosted zones that have the same name, because queries for the domain never reach those zones' name servers.

For example, let's say you have the following hosted zones in two accounts:

In Account A, there's a hosted zone with the domain 101.example.com. Route 53 automatically assigned four name servers to this hosted zone:

  • ns-1701.awsdns-20.co.uk.
  • ns-487.awsdns-60.com.
  • ns-1410.awsdns-48.org.
  • ns-867.awsdns-44.net.

There's also a simple Type A record with the following details:

Record name              Type   Routing policy   Differentiator   Value/Route traffic to
test1.101.example.com    A      Simple           -                8.8.8.8

In Account B, there's a hosted zone with the same domain name (101.example.com). Route 53 automatically assigned four name servers to this hosted zone:

  • ns-869.awsdns-44.net.
  • ns-1332.awsdns-38.org.
  • ns-61.awsdns-07.com.
  • ns-1707.awsdns-21.co.uk.

This hosted zone also contains a simple Type A record with the following details:

Record name              Type   Routing policy   Differentiator   Value/Route traffic to
test2.101.example.com    A      Simple           -                8.8.8.8

At the registrar, you can set the domain's name servers to those of the hosted zone in either account, or to a mix of both. If you update the domain's name servers to the ones assigned in Account A but not the ones assigned in Account B, then only the records in Account A's hosted zone are returned, and you get the following dig output:

  • Dig output for Account A: NOERROR
# dig test1.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.101.example.com.    IN   A

;; ANSWER SECTION:
test1.101.example.com. 300    IN   A      8.8.8.8

  • Dig output for Account B: NXDOMAIN

# dig test2.101.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.101.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34489
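As an added example (not part of the AWS article), the following Python script encodes the check behind the two dig outputs above: it takes the name servers the domain is actually delegated to (as read from `dig NS 101.example.com +short` or from the registrar) and the name servers and records of each hosted zone (as returned by `aws route53 get-hosted-zone` and `aws route53 list-resource-record-sets`), and reports whether a given record resolves with NOERROR, with NXDOMAIN, or intermittently when the delegation mixes name servers from both zones. The zone data is constructed from this article's values; the function names are this example's own.

```python
"""Which Route 53 hosted zone does the domain's delegation really point to?

Sample data below is constructed from the article: the four name servers of
the 101.example.com hosted zone in Account A and in Account B, plus the one
record each zone holds. Function names are this example's own.
"""

ZONES = {  # constructed from the article's name servers and records
    "Account A": {
        "ns": {"ns-1701.awsdns-20.co.uk.", "ns-487.awsdns-60.com.",
               "ns-1410.awsdns-48.org.", "ns-867.awsdns-44.net."},
        "records": {"test1.101.example.com."},
    },
    "Account B": {
        "ns": {"ns-869.awsdns-44.net.", "ns-1332.awsdns-38.org.",
               "ns-61.awsdns-07.com.", "ns-1707.awsdns-21.co.uk."},
        "records": {"test2.101.example.com."},
    },
}


def parse_dig_short(output):
    """Turn `dig NS <domain> +short` output into a set of lowercase FQDNs."""
    return {line.strip().lower() for line in output.splitlines() if line.strip()}


def diagnose(delegated_ns, zones, record_name):
    """Return (status, zones_reached) for a query of record_name.

    NOERROR      every delegated name server belongs to a zone holding the record
    NXDOMAIN     the delegation reaches only zones that lack the record
    INTERMITTENT the delegation mixes name servers with and without the record
                 (resolvers pick a name server at random, so answers vary)
    NOT_ROUTE53  no delegated name server belongs to any of the given zones
    """
    record_name = record_name.lower().rstrip(".") + "."
    reached = {name for name, z in zones.items() if z["ns"] & delegated_ns}
    if not reached:
        return "NOT_ROUTE53", set()
    unknown = delegated_ns - set().union(*(z["ns"] for z in zones.values()))
    holders = {n for n in reached if record_name in zones[n]["records"]}
    if holders == reached and not unknown:
        return "NOERROR", reached
    if not holders:
        return "NXDOMAIN", reached
    return "INTERMITTENT", reached


if __name__ == "__main__":
    # Delegation set to Account A's name servers, as in the article's dig outputs.
    for rec in ("test1.101.example.com", "test2.101.example.com"):
        print(rec, *diagnose(ZONES["Account A"]["ns"], ZONES, rec))
```

To run this against a real domain, feed `parse_dig_short` the output of `dig NS <domain> +short` and fill `ZONES` from the `DelegationSet.NameServers` of each hosted zone.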

Private hosted zones with the same name in two accounts

Let's say there's a private hosted zone (example.com) in Account A that's associated with a virtual private cloud (VPC). In addition to its default NS and SOA records, the private hosted zone contains a simple Type A record:

Record name         Type   Routing policy   Differentiator   Value/Route traffic to
example.com         NS     Simple           -                ns-1536.awsdns-00.co.uk.
                                                             ns-0.awsdns-00.com.
                                                             ns-1024.awsdns-00.org.
                                                             ns-512.awsdns-00.net.
example.com         SOA    Simple           -                ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test1.example.com   A      Simple           -                1.1.1.1

In this example, a dig query for this record from an instance in the associated VPC returns NOERROR:

# dig test1.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test1.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45251
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.example.com.    IN   A

;; ANSWER SECTION:
test1.example.com.    60   IN   A   1.1.1.1

In Account B, there's another private hosted zone with the same name (example.com) that's associated with a different VPC. In addition to its default NS and SOA records, this private hosted zone contains a simple Type A record:

Record name         Type   Routing policy   Differentiator   Value/Route traffic to
example.com         NS     Simple           -                ns-1536.awsdns-00.co.uk.
                                                             ns-0.awsdns-00.com.
                                                             ns-1024.awsdns-00.org.
                                                             ns-512.awsdns-00.net.
example.com         SOA    Simple           -                ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
test2.example.com   A      Simple           -                2.2.2.2

A dig query for this record from an instance in the VPC of Account B also returns NOERROR, because each VPC resolves only against the private hosted zone that it's associated with:

# dig test2.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> test2.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5377
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test2.example.com.    IN   A

;; ANSWER SECTION:
test2.example.com.    60   IN   A   2.2.2.2

Note: All private hosted zones in Route 53 are assigned the same four name servers (the NS records in the two tables above are identical), so the name servers can't tell you which private hosted zone a VPC uses; the VPC association does. You can't associate the same VPC with two private hosted zones that have the same name.

AWS OFFICIAL
Updated 8 months ago