
Overlapping delegated DNS zones with possible conflict


I am currently experiencing weird behavior in one of my delegated DNS zones, where the A records inside keep returning NXDOMAIN randomly (or after a while).

My configuration consists of 2 delegated secondary zones in GCP from a primary zone in AWS:

  • In AWS Route 53 in my domain.com zone:
sub.domain.com      NS  ns-cloud-d[1..4].googledomains.com.
dev.sub.domain.com  NS  ns-cloud-b[1..4].googledomains.com.
  • In GCP Cloud DNS in my sub.domain.com zone
sub.domain.com      NS  ns-cloud-d[1..4].googledomains.com. (auto-generated)
sub.domain.com      SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300 (auto-generated)
app.sub.domain.com  A   x.x.x.x (prod instance IP)
  • In GCP Cloud DNS in my dev.sub.domain.com zone
dev.sub.domain.com      NS  ns-cloud-b[1..4].googledomains.com. (auto-generated)
dev.sub.domain.com      SOA ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300 (auto-generated)
app.dev.sub.domain.com  A   x.x.x.x (dev instance IP)

When trying to reach app.dev.sub.domain.com it works for some time, and after a while I get an empty A record from dig with NXDOMAIN status.

Another behavior I experience sometimes (not consistently) is different answers from dig, alternating between a good response like this:

$ dig app.dev.sub.domain.com @8.8.8.8
[...]
;; ANSWER SECTION:
app.dev.sub.domain.com. 3590 IN A   x.x.x.x (instance IP)

and an AUTHORITY-only response like this:

$ dig app.dev.sub.domain.com @8.8.8.8
[...]
;; AUTHORITY SECTION:
sub.domain.com. 28  IN  SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300

Even if the 2nd response is bad, I would expect to see the SOA for dev.sub.domain.com and not sub.domain.com, so I'm wondering whether there is some sort of conflict in my configuration. And if so, what possible solutions exist? I'm very new to DNS setup, so any help/advice is appreciated. Thanks!


Solution

  • Your Route 53 configuration for dev.sub.domain.com is wrong. Since you have delegated name servers for sub.domain.com, you cannot have another entry for dev.sub.domain.com. The lookup for dev.sub.domain.com will happen at sub.domain.com. The inconsistent lookups are caused by caching anomalies and client resolver bugs.

    Move the dev.sub.domain.com record to the DNS servers for sub.domain.com.
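To make the zone-cut rule in that answer concrete, here is an added example (not part of the question or the answer) that models the RFC 1034 section 4.3.2 lookup algorithm with the record names from the question. The Route 53 server name `ns-1.awsdns-example`, the 192.0.2.x addresses and the zone contents are constructed for the model, and no real DNS traffic is sent. It reproduces the NXDOMAIN-with-SOA-of-sub.domain.com answer for the posted configuration, shows that the dev.sub.domain.com NS record in the parent is occluded by the sub.domain.com cut, and shows the working answer once the dev.sub.domain.com NS set lives in the Cloud DNS sub.domain.com zone instead.

```python
"""Toy model of authoritative lookup and referral-following across zone cuts.

Added example: zone data below is constructed from the names in the question;
ns-1.awsdns-example and the 192.0.2.x addresses are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

ROUTE53 = "ns-1.awsdns-example"              # placeholder for the Route 53 server
NS_D = "ns-cloud-d1.googledomains.com"       # serves sub.domain.com
NS_B = "ns-cloud-b1.googledomains.com"       # serves dev.sub.domain.com
SOA_D = f"{NS_D}. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300"
SOA_B = f"{NS_B}. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300"


def labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def in_zone(name: str, apex: str) -> bool:
    n, a = labels(name), labels(apex)
    return n[-len(a):] == a


@dataclass
class Zone:
    apex: str
    records: dict  # owner name -> {rrtype: [rdata, ...]}


def lookup(zone: Zone, qname: str, qtype: str):
    """Answer the way an authoritative server for `zone` does (RFC 1034 4.3.2).

    Walk from the apex down toward qname one label at a time. The first NS
    set found below the apex is a zone cut: the server returns a referral and
    never consults data beneath that cut, even if the zone file contains it.
    """
    if not in_zone(qname, zone.apex):
        return "REFUSED", None
    parts, apex_len = labels(qname), len(labels(zone.apex))
    for depth in range(apex_len + 1, len(parts) + 1):
        owner = ".".join(parts[-depth:])
        if "NS" in zone.records.get(owner, {}):
            return "REFERRAL", (owner, zone.records[owner]["NS"])
    rrsets = zone.records.get(".".join(parts), {})
    if qtype in rrsets:
        return "ANSWER", rrsets[qtype]
    # negative answer: the AUTHORITY section carries this zone's own SOA
    return ("NODATA" if rrsets else "NXDOMAIN"), (zone.apex, zone.records[zone.apex]["SOA"])


def resolve(servers: dict, start: str, qname: str, qtype: str = "A"):
    """Cache-free iterative resolution: start at `start`, follow referrals.

    `servers` maps a server name to the zones it hosts; a server answers from
    the hosted zone whose apex is the longest match for qname. Returns
    (status, data, trace) where trace lists (server, zone apex, status).
    """
    server, trace = start, []
    for _ in range(8):
        candidates = [z for z in servers[server] if in_zone(qname, z.apex)]
        if not candidates:
            return "REFUSED", None, trace
        zone = max(candidates, key=lambda z: len(labels(z.apex)))
        status, data = lookup(zone, qname, qtype)
        trace.append((server, zone.apex, status))
        if status != "REFERRAL":
            return status, data, trace
        server = data[1][0]  # follow the first name server of the referral
    raise RuntimeError("referral loop")


def broken_setup() -> dict:
    """The configuration from the question: both delegations live in Route 53."""
    parent = Zone("domain.com", {
        "domain.com": {"NS": [ROUTE53], "SOA": [f"{ROUTE53}. hostmaster.domain.com. 1 7200 900 1209600 86400"]},
        "sub.domain.com": {"NS": [NS_D]},
        "dev.sub.domain.com": {"NS": [NS_B]},   # below the sub.domain.com cut: occluded
    })
    sub = Zone("sub.domain.com", {
        "sub.domain.com": {"NS": [NS_D], "SOA": [SOA_D]},
        "app.sub.domain.com": {"A": ["192.0.2.10"]},   # placeholder prod IP
    })
    dev = Zone("dev.sub.domain.com", {
        "dev.sub.domain.com": {"NS": [NS_B], "SOA": [SOA_B]},
        "app.dev.sub.domain.com": {"A": ["192.0.2.20"]},  # placeholder dev IP
    })
    return {ROUTE53: [parent], NS_D: [sub], NS_B: [dev]}


def fixed_setup() -> dict:
    """The fix from the answer: delegate dev.sub.domain.com from sub.domain.com."""
    servers = broken_setup()
    del servers[ROUTE53][0].records["dev.sub.domain.com"]
    servers[NS_D][0].records["dev.sub.domain.com"] = {"NS": [NS_B]}
    return servers


if __name__ == "__main__":
    for label, servers in (("broken", broken_setup()), ("fixed", fixed_setup())):
        status, data, trace = resolve(servers, ROUTE53, "app.dev.sub.domain.com")
        print(label, status, data, trace)
```

In the broken setup the walk is Route 53 -> referral to ns-cloud-d -> NXDOMAIN with the sub.domain.com SOA in the AUTHORITY section, which is exactly the second dig output in the question; asking the parent directly for `dev.sub.domain.com NS` also just yields the sub.domain.com referral. On a real setup the same two steps can be watched with `dig +trace app.dev.sub.domain.com` and `dig NS dev.sub.domain.com @ns-cloud-d1.googledomains.com`, which should return a referral to the ns-cloud-b servers rather than NXDOMAIN once the delegation is in the right place. In Cloud DNS that is an NS record set named `dev.sub.domain.com.` in the zone that serves sub.domain.com (for instance with `gcloud dns record-sets create dev.sub.domain.com. --zone=ZONE --type=NS --ttl=300 --rrdatas=ns-cloud-b1.googledomains.com.,ns-cloud-b2.googledomains.com.,ns-cloud-b3.googledomains.com.,ns-cloud-b4.googledomains.com.`, where ZONE is the Cloud DNS zone name for sub.domain.com), after which the dev.sub.domain.com NS record in Route 53 is dead data and can be deleted.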