How do I troubleshoot DNS propagation issues after transferring a domain to Route 53 or another DNS hosting provider?
I want to resolve DNS propagation issues that I experience after I transfer a domain to Amazon Route 53.
Short description
When you transfer your domain to Amazon Route 53, the following issues can cause temporary domain resolution disruptions:
- Name server update delays
- Cached DNS records
- Incorrect DNS record configurations
- Incorrect Domain Name System Security Extensions (DNSSEC) configurations
- Registrar-level blocks
Resolution
Important: Adhere to the following best practices when you transfer a domain:
- Plan your domain transfer during low-traffic periods.
- Lower your Time to Live (TTL) values to 60 seconds or less a few days before you transfer your domain.
- Keep both your old and new DNS records active during the transition.
- Deactivate DNSSEC before you transfer your domain. Then, reactivate DNSSEC after you successfully transfer your domain.
Troubleshoot domain resolution failure due to name server update delays
If your domain fails to resolve and shows start-of-authority records from old DNS zones, then one of the following issues is true:
- You haven't updated your name servers at the registrar level.
- The local resolver caches outdated name servers.
Run the dig command to view your domain name servers, DNS resolution, and record configuration:
dig web.example-url.com
Note: Replace example-url with your URL.
In the following example output, the domain experienced resolution failure because the domain name information didn't exist in the correct name server:
; <<>> DiG 9.18.33 <<>> web.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59604
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.example.com. IN A
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
Verify that the name servers at your domain registrar match the name servers of your new DNS provider or Route 53. Then, wait until your old name server's TTL value expires for the change to take effect. If the problem persists, flush DNS on your local DNS resolver.
Note: To check your domain name's DNS resolution and record configuration, you can also use the nslookup command.
Troubleshoot inconsistent domain resolution for DNS record caching
If your local machine or internet service provider's DNS resolvers cache outdated DNS information, then users have inconsistent access to your domain across different networks and locations.
Run the dig command to view your domain name servers, and then review the output for records cached on your local machine or at the local resolver level. The following example output contains outdated DNS information:
; <<>> DiG 9.18.33 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56173
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 1.1.1.1
example.com. 300 IN A 2.2.2.2
If you find outdated DNS information, then clear your local DNS caches. Then, test access to your domain from different networks to verify that the change is in effect.
Note: It's a best practice to lower your name server's TTL values to 60 seconds before you transfer your DNS service.
Troubleshoot partial domain functionality due to incorrect DNS record configuration
If your DNS record transfer is incomplete or incorrect, then you experience partial domain functionality, such as when a website loads but the email services fail.
Run the dig command to troubleshoot your DNS record configuration.
Record Type A
Example command:
dig example.com A
Example output:
; <<>> DiG 9.18.33 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56173
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 1.1.1.1
example.com. 300 IN A 2.2.2.2
Record Type MX
Example command:
dig web.example.com MX
Example output:
; <<>> DiG 9.18.33 <<>> web.example.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59604
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.example.com. IN MX
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
The preceding example outputs show that the Type A record is configured but the MX record is missing. The missing MX record shows that a DNS record misconfiguration occurred during a DNS migration.
Review your previous DNS configuration and your setup in Route 53. Verify that you properly configured the following records in your new DNS provider's system:
- A
- CNAME
- MX
- TXT
Then, wait 24 to 48 hours for your DNS changes to propagate.
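The two negative-answer cases above (SOA records served from an old zone, and a record that is missing from the new zone) can be told apart from saved dig output by comparing the SOA primary name server with the name servers you expect. The following script is an added example, not AWS code. It assumes that the zone's SOA MNAME is one of that zone's own name servers; ns-512.awsdns-00.net and the new-provider.example names are constructed placeholders.

```shell
# Added example (not AWS code): classify saved `dig` output after a DNS migration.
# Assumption: the zone's SOA MNAME is one of that zone's own name servers.

# Response status (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output on stdin.
dig_status() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# ANSWER count from the header flags line.
answer_count() {
  sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# SOA primary name server (MNAME), lowercased, trailing dot removed.
soa_mname() {
  awk '!/^;/ && $3 == "IN" && $4 == "SOA" { print tolower($5); exit }' | sed 's/\.$//'
}

# Usage: classify EXPECTED_NS... < dig-output
classify() {
  out=$(cat)
  rcode=$(printf '%s\n' "$out" | dig_status)
  answers=$(printf '%s\n' "$out" | answer_count)
  mname=$(printf '%s\n' "$out" | soa_mname)
  if [ "$rcode" = "SERVFAIL" ]; then echo SERVFAIL; return 0; fi
  if [ "$rcode" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then echo OK; return 0; fi
  if [ -z "$mname" ]; then echo UNKNOWN; return 0; fi
  for ns in "$@"; do
    ns=$(printf '%s' "$ns" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ "$ns" = "$mname" ]; then echo MISSING_RECORD; return 0; fi
  done
  echo STALE_ZONE
}

# Constructed sample, modelled on the NXDOMAIN output shown on this page.
sample_nxdomain() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59604
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;web.example.com. IN MX
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
EOF
}

# Expected servers include the MNAME: the new zone answered and the record is absent.
sample_nxdomain | classify ns-1536.awsdns-00.co.uk ns-512.awsdns-00.net       # MISSING_RECORD
# Expected servers do not include the MNAME: another zone is still answering.
sample_nxdomain | classify ns1.new-provider.example ns2.new-provider.example  # STALE_ZONE
```

An OK result only means that the query returned answers. It doesn't show whether those answers are current, so compare the returned values with the records in your new zone.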
Troubleshoot complete resolution failure due to incorrect DNSSEC settings
When you transfer a domain out of an environment that uses DNSSEC, you might experience domain resolution failure. Verify that you properly configured DNSSEC in your new environment.
If the issue persists, then deactivate DNSSEC with your registrar and at the DNS provider level. Then, make sure that your new domain registrar supports DNSSEC, and then activate DNSSEC in your new environment.
Troubleshoot a blocked domain
Run the whois command to check your domain's registration status:
whois example-url.com
Note: Replace example-url.com with your URL.
If the output shows that your domain's status is clientHold or serverHold, then an administrator blocked your domain at the registrar level.
Example output:
Domain Name: EXAMPLE-URL.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: serverHold https://icann.org/epp#serverHold
To unblock your domain, contact your administrator.
Related information
Making Amazon Route 53 the DNS service for an existing domain