[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[public-dns-discuss] Amazon Route 53 issues this morning

Many individuals reported issues with domains this morning; to minimize noise on this list, I will not be posting those messages, since they were all symptoms of a general issue where domains hosted on Amazon Route 53 were not resolvable from Google Public DNS for several hours this morning.

The issue tracker for this problem has the following:

From status.aws.amazon.com:

5:19 AM PDT We are investigating reports of problems resolving some DNS records hosted on Route53 using the third party DNS resolvers and . DNS resolution using other third-party DNS resolvers or DNS resolution from within EC2 instances using the default EC2 resolvers are not affected at this time.

5:49 AM PDT We have identified the cause for an elevation in DNS resolution errors using third party DNS resolvers / and are working towards resolution. DNS resolution using other third-party DNS resolvers or DNS resolution from within EC2 instances using the default EC2 resolvers continues to work normally.

6:10 AM PDT Between 4:05 AM PDT and 5:56 AM PDT, some customers may have experienced elevated errors resolving DNS records hosted on Route 53 using DNS resolvers / . The issue has been resolved and the service is operating normally.

In light of today's outage between Google Public DNS and Amazon Route 53 (and previous outages like Dyn's in November 2016), domain owners should consider the following:

Internet standard recommend that all DNS domains and zones should have at least two different nameservers running in each of at least two different Autonomous System (AS) routing zones (https://tools.ietf.org/html/rfc1537#section-6).

Although Amazon Route53 does not support AXFR/IXFR standard DNS primary/secondary configurations, you can use the alternative "multiple master" or "split authority" configuration, where you have two (or more) independent DNS services that are kept in synchronization from another source.

There are several DNS-specific tools to synchronize multiple DNS services, from Netflix’s Denominator, StackExchange’s DNSControl, and GitHub’s OctoDNS to Men & Mice’s commercial xDNS. You can also use HashiCorp’s Terraform to manage multiple DNS providers as well as many other cloud resources.

All of these support many different DNS providers and DNS name server software such as BIND. The support for specific record types and features varies by provider (and tool). DNSControl has a useful feature matrix (https://stackexchange.github.io/dnscontrol/provider-list) showing support for specific features.

The following list of DNS providers and software shows the support by different tools as of November 2017,

AWS Route 53: Denominator, DNSControl, OctoDNS, Terraform
Azure: OctoDNS, Terraform
BIND: DNSControl, Terraform(RFC2136)
CloudFlare: DNSControl, OctoDNS, Terraform
Digitalocean: DNSControl, Terraform
DNSimple: DNSControl, OctoDNS, Terraform
DnsMadeEasy: Terraform
Dyn: Denominator, OctoDNS, Terraform
Gandi: DNSControl
Google Cloud DNS: DNSControl, OctoDNS, Terraform
Knot: Terraform(RFC2136)
Microsoft Active Directory: DNSControl, OctoDNS
Namecheap: DNSControl
Name.com: DNSControl
NS1: DNSControl, OctoDNS, Terraform
OpenStack Designate: Denominator
PowerDNS: OctoDNS, Terraform
Rackspace Cloud DNS: Denominator
SoftLayer: DNSControl
UltraDNS: Denominator, Terraform
Vultr: DNSControl

Terraform can use RFC 2136 DNS Update to make changes to existing zones, but not to provision entirely new ones.

If you need support for another DNS provider, there are GitHub repositories for all the open source tools. Denominator is written in Java, OctoDNS is written in Python, and DNSControl and Terraform are written in Go.


You received this message because you are subscribed to the Google
Groups "public-dns-discuss" group.
To post to this group, send email to public-dns-discuss AT googlegroups.com
To unsubscribe from this group, send email to
public-dns-discuss+unsubscribe AT googlegroups.com
For more options, visit this group at
For more information on Google Public DNS, please visit
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
For more options, visit https://groups.google.com/d/optout.