I've set up Client-VPN and can't seem to reach my RDS instance in a private subnet. I can reach EC2 instances using IP but not by DNS. My setup looks a little like this:
VPC:
CIDR: 10.0.0.0/16
DNS Resolution: Enabled
DNS Hostnames: Enabled
Client-Vpn:
DNS Servers: 10.0.0.2 (have also tried empty)
Security Group: vpn-sg (ingress all from my IP, egress all)
Client CIDR: 10.1.0.0/16
Transport: UDP 443
Associations: 3x private subnets (all have access to RDS instance)
Split-tunnel: Enabled
RDS Instance:
Security Group: rds-sg
Security Group Ingress: All traffic from vpn-sg
I believe that there is a problem with DNS resolution and that for some reason, DNS for the RDS instance is not being resolved. From my EC2 instance I can connect to RDS which suggests DNS resolution is working within the VPC.
I'm running Ubuntu 20.04 and I'm using the AWS VPN client (which I believe uses openvpn underneath). I'm using the openvpn configuration downloaded from the VPN settings in the AWS control panel.
Can someone help explain why the DNS isn't being resolved? Debugging information is below.
Debugging when connected to the VPN
$ ping ip-10-0-0-177.eu-west-1.compute.internal
ping: ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
$ ping 10.0.0.177
PING 10.0.0.177 (10.0.0.177) 56(84) bytes of data.
64 bytes from 10.0.0.177: icmp_seq=1 ttl=254 time=22.8 ms
64 bytes from 10.0.0.177: icmp_seq=2 ttl=254 time=22.5 ms
64 bytes from 10.0.0.177: icmp_seq=3 ttl=254 time=24.1 ms
--- 10.0.0.177 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 22.472/23.841/25.161/1.046 ms
$ systemd-resolve --status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 22 (tun0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 10.0.0.2
DNS Servers: 10.0.0.2
Link 3 (wlp0s20f3)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.1.254
DNS Servers: 192.168.1.254
DNS Domain: ~.
home
$ traceroute google.com
traceroute to google.com (216.58.212.238), 30 hops max, 60 byte packets
1 eehub.home (192.168.1.254) 2.327 ms 2.225 ms 3.201 ms
2 * * *
3 * * *
4 213.121.98.128 (213.121.98.128) 14.432 ms 14.407 ms 14.380 ms
5 87.237.20.130 (87.237.20.130) 20.563 ms 20.538 ms 20.992 ms
6 74.125.52.216 (74.125.52.216) 16.718 ms 12.813 ms 12.728 ms
7 * * *
8 142.251.52.148 (142.251.52.148) 13.044 ms 209.85.248.240 (209.85.248.240) 11.870 ms 142.251.54.26 (142.251.54.26) 13.344 ms
9 ams16s22-in-f14.1e100.net (216.58.212.238) 13.257 ms 216.239.63.219 (216.239.63.219) 14.388 ms 14.360 ms
$ traceroute ip-10-0-0-177.eu-west-1.compute.internal
ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
Cannot handle "host" cmdline arg `ip-10-0-0-177.eu-west-1.compute.internal' on position 1 (argc 1)
Edit 1: I just learned how to run a dig command with a specific nameserver and have confirmed that the DNS resolution does work when the system uses the right server:
$ dig @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2950
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 60 IN A 10.0.0.177
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:38:15 GMT 2022
;; MSG SIZE rcvd: 85
Edit 2: After reading some troubleshooting tips I have managed to get EC2 DNS resolution but not RDS. Still hoping someone can help decipher this :)
$ dig ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> ip-10-0-0-177.eu-west-1.compute.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3681
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 54 IN A 10.0.0.177
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:46:10 GMT 2022
;; MSG SIZE rcvd: 85
$ dig ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> ***.***.eu-west-1.rds.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44468
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:48:26 GMT 2022
;; MSG SIZE rcvd: 82
Again when I perform this directly against the correct nameserver, it resolves.
$ dig @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5532
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
***.***.eu-west-1.rds.amazonaws.com. 5 IN A 10.0.1.233
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:49:23 GMT 2022
;; MSG SIZE rcvd: 98
The poster gave the answer in his reddit post, which also worked for me, so I am leaving it here in case someone else stumbles on this.
I had to set my DNS to something useful like Google's (8.8.8.8, 4.4.4.4) on my studio card and reboot. That was it. I don't know why but my other DNS wouldn't resolve.
I am on Comcast internet and I had the exact same problem as the OP. As soon as I switched to Google DNS, per his suggestion, everything worked!
Thanks OP.
I have seen quite a few posts talking almost about the same, but none of those covered my case.
I have 2 accounts, A and B, in which:
In account A I have a hosted zone with the domain, domainA.com and a load balancer.
In account B I have another hosted zone, which is a subdomain, staging.domainA.com and another load balancer.
I would like to redirect from one record in domainA.com hosted zone, product.domainA.com to the ELB load balancer in account B, product.staging.domainA.com.
I have thoroughly followed the steps documented in Routing traffic to an ELB load balancer. And even so, they appear to cover my case, because the doc refers at some point in steps 1 and 6 to having a hosted zone and ELB load balancer in different accounts.
Unfortunately, it's not working. I'm getting a 404 error not found. When using dig command the output is exactly the same:
tomas@DESKTOP-EMM3Q9L:~$ dig product.domainA.com
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> product.domainA.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55731
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;product.domainA.com. IN A
;; ANSWER SECTION:
product.domainA.com. 60 IN A X.X.X.X
;; Query time: 41 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 08 16:30:21 STD 2020
;; MSG SIZE rcvd: 50
====================================================================================================================================
tomas@DESKTOP-EMM3Q9L:~$ dig product.staging.domainA.com
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> product.staging.domainA.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;product.staging.domainA.com. IN A
;; ANSWER SECTION:
product.staging.domainA.com. 41 IN A X.X.X.X
;; Query time: 15 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Dec 08 16:30:58 STD 2020
;; MSG SIZE rcvd: 58
(Actual domain names have been changed, as well as the IP; in this case, X.X.X.X represents the SAME IP address in both dig outputs.)
Do you know what may be going on? Let me know if you need further details. Thank you.
This could very much be because of a listener rule in your ALB that only accepts requests from a particular host / domain name.
Check them, and see whether the 404 error could be due to that. In my case at least, it was about that.
For more see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html
I have been trying to get my domain (nicschmidt.com) working by following this tutorial: https://cloud.google.com/storage/docs/hosting-static-website#storage-upload-object-client_libraries.
I have done and double-checked the following:
create project
enable billing
verify ownership of domain (I bought it off of google domains)
create cname alias
create bucket
upload files and share files and folders
If I request the link https://storage.googleapis.com/www.nicschmidt.com/index.html, I can find the index page I uploaded but when I request nicschmidt.com I get the 'nicschmidt.com’s server DNS address could not be found.' page.
Does anyone have any ideas on what might have gone wrong?
I have searched and not found anyone posting of the same issue when hosting a static website via Google Cloud.
You do not have the CNAME alias set up correctly:
$ dig nicschmidt.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;nicschmidt.com. IN A
;; AUTHORITY SECTION:
nicschmidt.com. 299 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 5 21600 3600 259200 300
$ dig www.nicschmidt.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57279
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.nicschmidt.com. IN A
;; AUTHORITY SECTION:
nicschmidt.com. 243 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 5 21600 3600 259200 300
Notice that there is no answer section and the status is NXDOMAIN, indicating no record is present. Make sure your DNS provider has the record fully saved.
I have an aws route53 domain that I registered and assigned to a website.
Everything was working fine and suddenly a few days ago the domain stopped resolving.
When I use 'dig mydomain.com' I notice this:
; <<>> DiG 9.8.3-P1 <<>> mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: *****
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mydomain.com. IN A
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 14809***** 1800 900 604800 86400
;; Query time: 187 msec
;; WHEN: Mon Dec 5 20:39:52 2016
;; MSG SIZE rcvd: 113
But I believe that the AUTHORITY SECTION with aws route53 should be:
;; AUTHORITY SECTION:
example.com. 118928 IN NS ns-806.awsdns-36.net.
example.com. 118928 IN NS ns-1456.awsdns-54.org.
example.com. 118928 IN NS ns-1713.awsdns-22.co.uk.
example.com. 118928 IN NS ns-105.awsdns-13.com.
I have checked all my route53 hosted zone settings and they are correct
so I don't understand why this suddenly happened and how to fix it
Silly me. Didn't realize I had a typo in my registered email address for the domain and hence never got the registrant verification email which of course led to the domain being suspended. Changing email and verifying resolved issue.
This is what I did:
Registered Domain Name jthinkws.com (with fasthosts)
Created new trusted Zone in Route 53 for jthinkws.com
Added new record Set for jthinkws.com
Name: search.jthinkws.com
Type: CNAME
Value: jthinkws.elasticbeanstalk.com
Waited 12 hours for it to propagate
But still if I enter http://search.jthinkws.com in a web-browser it is not found
Have I done this right ?
* Update *
Just searched on whois and see name servers are still set to
Name Server: NS1.LIVEDNS.CO.UK
Name Server: NS2.LIVEDNS.CO.UK
Name Server: NS3.LIVEDNS.CO.UK
do I have to do something to get them changed to the Amazon ones ?
* Update *
Changes to nameservers made and propagated, yet still search.jthinkws.com does not work. Why would this be?
You need to update the nameserver records on fasthosts to match the ones given by Route53.
When I run "dig jthinkws.com any" in my bash shell I get the following response:
; <<>> DiG 9.8.3-P1 <<>> jthinkws.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24700
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;jthinkws.com. IN ANY
;; ANSWER SECTION:
jthinkws.com. 3599 IN SOA ns1.livedns.co.uk. admin.jthinkws.com. 1404204424 10800 3600 604800 3600
jthinkws.com. 3599 IN NS ns2.livedns.co.uk.
jthinkws.com. 3599 IN NS ns3.livedns.co.uk.
jthinkws.com. 3599 IN A 213.171.195.105
jthinkws.com. 3599 IN NS ns1.livedns.co.uk.
;; Query time: 315 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 2 14:58:42 2014
;; MSG SIZE rcvd: 155
The NS records must be AWS records for Route53 to work. Check out this getting started guide.
Yes, you need to use the Amazon ones for name servers; that is the connection you would establish between your domain name and Route53.
After you create the hosted zone for jthinkws.com. Go to Record sets, there will be an entry for type NS. You will need to copy these name servers endpoints and update it in the DNS provider (fasthosts) for the domain jthinkws.com
-Santhosh
I have a static webpage, example.com, that is working fine and hosted on AWS S3 with Route53 connecting the A and NS record sets to my GoDaddy DNS.
I want to create sub.example.com that points to a dynamical page that will be hosted on my EC2 instance. I have my EC2 associated with an Elastic IP, whose public address is 12.12.12.12. I set up Route53 by creating a separate hosted zone for sub.example.com with 3 record sets:
An A record set named sub.example.com with the value 12.12.12.12.
An NS record set with values NS-1.org, NS-2.org,NS-3.org, and NS-4.org.
AWS seems to have generated an SOA record set, with values ns-1.org. awsdns-hostmaster.amazon.com. 1 0002 003 0000004 00005
All record sets are named sub.example.com. In my GoDaddy account, under DNS Zone File, I added the following:
A record set - name sub pointing to 12.12.12.12
4 NS records - name sub pointing to NS-1.org, NS-2.org,NS-3.org, and NS-4.org.
Am I missing something? My server is not running yet, I just want to verify that my DNS settings are ready first.
While dig example.com NS works, I tested sub.example.com with command dig sub.example.com NS and it failed:
[lucas@lucas-ThinkPad-W520]/home/lucas$ dig sub.example.com NS
; <<>> DiG 9.9.5-3-Ubuntu <<>> sub.example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44939
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;sub.example.com. IN NS
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns-5.net. awsdns-hostmaster.amazon.com. 1 0002 003 0000004 00005
;; Query time: 79 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu May 15 13:07:40 PDT 2014
;; MSG SIZE rcvd: 128
Interestingly, in the AUTHORITY SECTION, the SOA points to ns-5.net, which is under my NS set for the example.com hosted zone, NOT my sub.example.com zone. Any suggestions?
I also queried WHOIS for sub.example.com:
Domain Name: EXAMPLE.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS-5.ORG
Name Server: NS-6.ORG
Name Server: NS-7.ORG
Name Server: NS-8.ORG
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 30-jun-2014
Creation Date: 30-jun-2013
Expiration Date: 30-jun-2015
It indicates that my NS records are pointing to the name servers for example.com and not sub.example.com.
Am I missing something, or am I doing too much?
You do not need NS records for sub.example.com. You only need NS records for your domain, example.com. The A record is enough for sub.example.com.
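Added example, not code from any of the posts above: a small Python triage of dig output that separates the result shapes that recur in these threads. An answered query; NXDOMAIN with the parent zone's SOA in the AUTHORITY section (the sub.example.com and suspended-domain cases, where the zone that answered holds no record or delegation for the name); NODATA (NOERROR, no answer, but an SOA, as for the nicschmidt.com apex); and an empty NOERROR from the local stub resolver (the RDS case, where the query never reached the VPC resolver). The two sample outputs are constructed to mirror those shapes, and the RDS hostname in them is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: empty NOERROR from the systemd-resolved stub (the RDS shape).
STUB_EMPTY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44468
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;db-placeholder.eu-west-1.rds.amazonaws.com. IN A
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""
# Constructed sample: NXDOMAIN with the parent zone's SOA (the sub.example.com shape).
NXDOMAIN_PARENT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44939
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sub.example.com. IN NS
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns-5.net. awsdns-hostmaster.amazon.com. 1 0002 003 0000004 00005
;; SERVER: 127.0.1.1#53(127.0.1.1)
"""

@dataclass
class DigResult:
    qname: str
    status: str
    answers: int
    authority: int
    server: str            # resolver that produced the reply (empty if no SERVER line)
    soa_owner: Optional[str]  # owner name of the SOA in the AUTHORITY section, if any

def parse_dig(text: str) -> DigResult:
    """Pull the header status, section counts, question name, server and authority SOA."""
    status = re.search(r"status: (\w+)", text).group(1)
    ans, auth = map(int, re.search(r"ANSWER: (\d+), AUTHORITY: (\d+)", text).groups())
    qname = re.search(r"^;(\S+)\.\s+IN\s+\w+", text, re.M).group(1)
    srv = re.search(r";; SERVER: ([\d.]+)#", text)
    soa_owner = None
    parts = text.split(";; AUTHORITY SECTION:")
    if len(parts) > 1:  # look for the SOA only inside the authority section
        m = re.search(r"^(\S+?)\.?\s+\d+\s+IN\s+SOA\s", parts[1].split("\n;;")[0], re.M)
        soa_owner = m.group(1) if m else None
    return DigResult(qname, status, ans, auth, srv.group(1) if srv else "", soa_owner)

def diagnose(r: DigResult) -> str:
    """Map a parsed reply onto the failure modes discussed in these threads."""
    if r.status == "NOERROR" and r.answers > 0:
        return "resolved"
    if r.status == "NXDOMAIN" and r.soa_owner:
        return (f"NXDOMAIN from zone {r.soa_owner}: it holds no record or delegation for "
                f"{r.qname}; add the record in that zone or fix the delegation")
    if r.status == "NOERROR" and r.answers == 0 and r.soa_owner:
        return f"NODATA from zone {r.soa_owner}: {r.qname} exists but has no record of that type"
    if r.status == "NOERROR" and r.answers == 0 and r.authority == 0 and r.server.startswith("127."):
        return ("empty reply from the local stub resolver: the query was not routed to the "
                "resolver that knows the name; compare with dig @<that resolver>")
    return "unclassified"
```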