DEV Community

Warren Parad for Authress Engineering Blog

Posted on • Updated on

My DNS doesn't work

Making changes to DNS looks easy, but in the end something almost always goes wrong. Worst of all it is never really clear what the problem is or how to fix it.

I've been waiting a long time for Route53 to propagate my DNS changes.

You've likely changed your NS records, switched providers, or hosted zones, but your www or apex domain still isn't resolving.

How long is a long time, I've found on average (assuming minimal TTL for records) that resolution will work in 3 minutes. That's right if it isn't working in 3 minutes, you did something wrong. Sorry to be the bearer of bad news. (This number isn't true for Indian DNS, I don't what it is about Indian DNS, but frequently it can take over 24 hours for an update to propagate).

Let's say it has been an hour and you are still waiting. Me at this point, I would have already been clicking a 100 different things, how you managed to wait a whole hour is medal worthy. You have the patience of virtue, congrats.

So what's wrong?

Let's check to see what dig says:

Enter fullscreen mode Exit fullscreen mode

What do you get back, if you get back 4 NS DNS values, great, if they match your hosted zone, even better.
Correct Response

;; ANSWER SECTION:        172800  IN  NS        172800  IN  NS        172800  IN  NS        172800  IN  NS
Enter fullscreen mode Exit fullscreen mode

But if you get this:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48896
Enter fullscreen mode Exit fullscreen mode

Or this:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2693
Enter fullscreen mode Exit fullscreen mode

Then you know your domain name configuration (NOT the hosted zone) is incorrectly configured.

Go back and copy your hosted zone NS values TO your Domain name configuration. FROM AWS Route53 TO Domain Configuration. (For some reason hosted zone providers let you change your NS, why is beyond me, and this is always wrong) Do Not Change your NS record values in your zone configuration. You are looking to change the property called Name Servers of your Domain Registration.

But they ARE the same already

The problem likely stems from the fact that you might have copied the wrong direction. Instead of updating your domain with the hosted zone data, you updated the hosted zone removing the correct NS values. As I mentioned above this could be the case. The simplest solution is delete the hosted zone and start over. But if you are intent on keeping it, you could try to recover the real NS values, using your Cloud Provider. For instance, with AWS Route53:

aws route53 get-hosted-zone --id ZONE
Enter fullscreen mode Exit fullscreen mode

Will return:

DelegationSet: {
  NameServers: [
Enter fullscreen mode Exit fullscreen mode

Set these values in both locations.

Subdomain issues

My production domain ( works but the subdomain ( does not.

  1. Create a hosted zone named
  2. Copy the NS records from that new hosted zone
  3. Go to the production hosted zone (named:
  4. Create an NS record:
Name: ""
Type: "NS"
Value: "NS Values from Sub Hosted Zone"
Enter fullscreen mode Exit fullscreen mode

Issue with resolving with

Sometimes the issue is just that not all DNS are resolving correctly. If dig domain NS @ works, but dig domain NS @ does not and you get this following error:

; EDE: 22 (No Reachable Authority): (at delegation
; EDE: 23 (Network Error): ( rcode=REFUSED for NS)
Enter fullscreen mode Exit fullscreen mode

You can likely fix it by going to

Extending this to Certificates

Even once your domain works, certificates using DNS validation might still not work correctly. Certificates get validated using DNS records, these records need to be configured correctly in a hosted zone that works.

If we followed the steps above then we have a working hosted zone, now we need to make sure the correct validation records are added.

The first step is to validate that the records are working. To do this we can run dig VALIDATION_RECORD CNAME. By doing so we should get back the related CNAME value. If we don't get back the value then that means either record doesn't exist or the hosted zone isn't correctly configured.

One small note here, is that for every additional part of the domain we have, there could be a different hosted zone being used. Make sure that dig SUBDOMAIN NS matches the NS records of your hosted zone you are using. If the don't match then you aren't looking at the correct subdomain hosted zone.

In the case that you have the domain there could three different hosted zones:

  • One for
  • One for
  • One for

Creating Certificates for the part-1 subdomain could mean needing to validate that all three hosted zones are configured correctly.

Note: if you only have one hosted zone, then you don't need to do this, BUT, if you have three hosted zones and:

  • is configured as a NS in the hosted zone (that is there is a NS with the record name in the hosted zone)
  • and is configured as a NS in the hosted zone (that is there is a NS with the record name in the hosted zone)

That means you need to validate all of these. Consequentially, validating that dig CERTIFICATE_DOMAIN CNAME works will validate all of them. But if one of them doesn't work, then you'll need ot deep dive.

Come join our Community and discuss this and other security related topics!

Top comments (0)