DEV Community

Manoj
When Private DNS Just Won’t Resolve: Debugging VPC-to-Hosted Zone Issues in AWS

If you’ve worked with AWS VPCs and Route 53, I bet you’ve used or at least come across Private Hosted Zones. They’re incredibly useful when you want to create internal-only DNS records like resolving db.internal to an internal IP.

But what happens when your EC2 instance refuses to resolve the domain, even though everything seems to be wired up correctly?

That’s exactly what I faced recently, and this post is a quick walkthrough of what went wrong and how to fix it.

🔍 The Problem

I had:

  1. A Private Hosted Zone in Route 53 (say, myinternal.local)
  2. A VPC attached to that hosted zone
  3. An EC2 instance launched inside that VPC
  4. A DNS record like api.myinternal.local created in the zone

But inside the EC2 instance:

ping api.myinternal.local

It gave me:

ping: unknown host api.myinternal.local

⚙️ Root Cause (What Was Missing)

After debugging, the issue boiled down to two missing or misconfigured pieces:

  1. DNS Hostnames or DNS Support Disabled

Route 53 requires both VPC attributes, enableDnsSupport (DNS resolution) and enableDnsHostnames, to be true before a private hosted zone will answer for that VPC. If either is off, private DNS resolution fails silently: the instance just sees "unknown host", with no error pointing at the VPC settings.

You can check and fix this in the VPC console (select the VPC → Actions → Edit DNS Resolution/Hostnames) or with the CLI:

aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxx --enable-dns-support "{\"Value\":true}"
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxx --enable-dns-hostnames "{\"Value\":true}"

  2. Instance Launched in Wrong Subnet or VPC

Make sure your EC2 instance is in the same VPC that’s attached to the private hosted zone.

Route 53 private hosted zones don’t resolve from any instance — they only resolve from the specific VPC(s) they're associated with.

🧪 How I Debugged It

Here's how I approached the problem:

Tested with dig and nslookup:

dig api.myinternal.local

This gave me no answer section, confirming DNS resolution was failing completely.

Verified /etc/resolv.conf on the EC2 instance:
It was using AmazonProvidedDNS (the .2 address, i.e. the VPC base address plus two, such as 10.0.0.2 for a 10.0.0.0/16 VPC), so the default resolver was correct.

Checked VPC settings:
DNS support and DNS hostnames were disabled by default on this VPC.

Re-enabled those flags and restarted networking on the EC2 instance:

sudo systemctl restart network

DNS resolution magically started working.
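The two root causes above and the debugging steps in this section boil down to four facts: the two VPC DNS attributes, which VPC the instance is in, and which VPCs the hosted zone is associated with. The following script, an added example of mine rather than code from the post, gathers those facts with read-only AWS CLI calls and evaluates them, and also computes the expected AmazonProvidedDNS address from the VPC CIDR so the resolv.conf step can be checked mechanically. It assumes a configured AWS CLI with ec2:Describe* and route53:GetHostedZone permissions; the instance id, zone id and the vpc-0a1b2c3d value in the no-argument demo are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the original post). Assumes the AWS CLI is
# configured with read-only access to ec2:Describe* and route53:GetHostedZone.
set -eu

# The Amazon-provided resolver lives at the VPC base address + 2
# (10.0.0.2 for 10.0.0.0/16). Argument: a VPC CIDR block.
vpc_resolver_addr() {
  base=${1%/*}
  oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
  printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$(($4 + 2))"
}

# Reads resolv.conf text on stdin; succeeds when a nameserver line matches the
# expected VPC resolver. Amazon Linux 2 lists it directly; hosts running a
# systemd-resolved stub show 127.0.0.53 instead, so use `resolvectl status` there.
resolv_points_at_vpc_resolver() {
  awk -v want="$1" '$1 == "nameserver" && $2 == want { found = 1 }
                    END { exit (found ? 0 : 1) }'
}

# Pure evaluation of the two root causes from the post. Arguments:
#   1 enableDnsSupport value, 2 enableDnsHostnames value (True/False as the CLI prints them),
#   3 the instance's VPC id, 4 whitespace-separated VPC ids associated with the zone.
# Prints one FAIL line per finding; returns 0 only when everything checks out.
evaluate() {
  support=$1; hostnames=$2; instance_vpc=$3; zone_vpcs=$4
  status=0
  case $support in
    True|true) ;;
    *) echo "FAIL enableDnsSupport=$support (must be true)"; status=1 ;;
  esac
  case $hostnames in
    True|true) ;;
    *) echo "FAIL enableDnsHostnames=$hostnames (must be true)"; status=1 ;;
  esac
  associated=no
  for z in $zone_vpcs; do
    if [ "$z" = "$instance_vpc" ]; then associated=yes; fi
  done
  if [ "$associated" = no ]; then
    echo "FAIL instance VPC $instance_vpc is not associated with the zone (associated: $zone_vpcs)"
    status=1
  fi
  return $status
}

# Live path: collect the facts with read-only CLI calls, then evaluate.
# Arguments: instance id, hosted zone id (placeholders; substitute your own).
diagnose() {
  instance_vpc=$(aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].VpcId' --output text)
  support=$(aws ec2 describe-vpc-attribute --vpc-id "$instance_vpc" \
    --attribute enableDnsSupport --query 'EnableDnsSupport.Value' --output text)
  hostnames=$(aws ec2 describe-vpc-attribute --vpc-id "$instance_vpc" \
    --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' --output text)
  zone_vpcs=$(aws route53 get-hosted-zone --id "$2" --query 'VPCs[].VPCId' --output text)
  cidr=$(aws ec2 describe-vpcs --vpc-ids "$instance_vpc" --query 'Vpcs[0].CidrBlock' --output text)
  echo "Instance VPC: $instance_vpc  expected resolver: $(vpc_resolver_addr "$cidr")"
  evaluate "$support" "$hostnames" "$instance_vpc" "$zone_vpcs"
}

if [ $# -eq 2 ]; then
  diagnose "$1" "$2"
else
  # No arguments: replay the post's scenario with constructed values
  # (both attributes off, instance in the VPC that is attached to the zone).
  echo "Constructed scenario (no AWS calls):"
  if ! evaluate False False vpc-0a1b2c3d vpc-0a1b2c3d; then
    echo "-> enable both attributes with modify-vpc-attribute, then re-run dig"
  fi
fi
```

Run it as `bash diagnose.sh <instance-id> <hosted-zone-id>` from a host with CLI credentials, and on the instance itself check the resolver with `resolv_points_at_vpc_resolver "$(vpc_resolver_addr <vpc-cidr>)" < /etc/resolv.conf`. Because the evaluation is separated from the CLI calls, the same logic can be fed values from a CloudFormation or Terraform plan before anything is deployed.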
