Aws Route 53 CloudFront DNS_PROBE_FINISHED_NXDOMAIN

Question

I am trying to deploy a cloudfront distribution and a dns record to point to a static s3 website of mine. The first time I visit the website the dns resolution works as expected but if i try to refresh the tab I get a DNS_PROBE_FINISHED_NXDOMAIN. If I open it again on a new tab it again works. Any ideas why this could be happening?

  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Ref S3Bucket
  RootDNS:
    Type: 'AWS::Route53::RecordSetGroup'
    Properties:
      HostedZoneId: ____________________
      RecordSets:
        - Name: "example.org"
          Type: A
          AliasTarget:
            HostedZoneId: Z2FDTNDATAQYW2
            DNSName: !GetAtt Distribution.DomainName
  AddSecurityHeadersFunction:
    Type: AWS::CloudFront::Function
    Properties:
      Name: add-security-headers
      AutoPublish: true
      FunctionConfig:
        Comment: Adds security headers to the response
        Runtime: cloudfront-js-1.0
      FunctionCode: |
        function handler(event) {
            var response = event.response;
            var headers = response.headers;

            // Set HTTP security headers
            // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
            headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};
            headers['content-security-policy'] = { value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"};
            headers['x-content-type-options'] = { value: 'nosniff'};
            headers['x-frame-options'] = {value: 'DENY'};
            headers['x-xss-protection'] = {value: '1; mode=block'};

            // Return the response to viewers
            return response;
        }

  Distribution:
    Type: AWS::CloudFront::Distribution
    DependsOn: CloudFrontOriginAccessIdentity
    Properties:
      DistributionConfig:
        Aliases:
          - "example.org"
        Enabled: true
        HttpVersion: http2
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: "arn:aws:acm:us-east-1:635435538491:certificate/____________"
          MinimumProtocolVersion: TLSv1.1_2016
          SslSupportMethod: sni-only
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          ForwardedValues:
            QueryString: false
          AllowedMethods:
            - HEAD
            - GET
            - OPTIONS
          Compress: true
          DefaultTTL: 86400
          ViewerProtocolPolicy: redirect-to-https
          TargetOriginId: Bucket
          FunctionAssociations:
            - EventType: viewer-response
              FunctionARN: !GetAtt AddSecurityHeadersFunction.FunctionMetadata.FunctionARN
        Origins:
          - Id: Bucket
            DomainName: !GetAtt S3Bucket.DomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'