I want my Amazon Route 53 Canonical Name (CNAME) records to correctly resolve in my public and private hosted zones.
Resolution
Configure DNS query logging in your virtual private cloud (VPC) and the hosted zone. Identify CNAME record resolution issues, and then take the following actions based on the issues that you find in your logs.
The CNAME targets don't have IPv6 support
When a CNAME record points to a resource without configured IPv6 addresses, DNS queries for AAAA records return a CNAME response without an IPv6 address. To resolve this issue, choose one of the following solutions based on your configuration.
Note: It's a best practice to test your changes in a non-production environment before you apply them to production.
Application Load Balancers
Update the IP address type of your Application Load Balancer to use both IPv4 and IPv6 addresses.
Amazon CloudFront distributions
Create an AAAA record in your hosted zone. Then, add your distribution's IPv6 addresses to the AAAA record.
The CNAME records don't resolve in private hosted zones
If your CNAME records don't resolve in a private hosted zone, take the following actions:
- Verify that you correctly configured the CNAME record in your private hosted zone. Make sure that the record points to the correct domain name or alias, and the record contains no extra suffixes or prefixes.
- Confirm that the DNS resolver settings in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) forward queries to the correct Route 53 Resolver endpoints.
- Verify that your VPC security group rules allow inbound DNS traffic from AWS Managed Microsoft AD to the Route 53 Resolver endpoints. Then, verify that your rules allow outbound DNS traffic from the Route 53 Resolver endpoints to your AWS Managed Microsoft AD.
If you continue to experience the issue, then create a new private hosted zone, and reconfigure the DNS settings in your managed AD. Test the DNS resolution to verify that you resolved the issue.
The CNAME doesn't resolve across accounts
If your CNAME record points to an AWS resource and returns an "NXDOMAIN" error for specific AWS accounts, then take the following actions:
- Verify that you shared the domain's Resolver rule with your working and non-working accounts. For more information, see To view sharing status and share rules with another AWS account in Sharing Route 53 Resolver DNS Firewall rule groups between AWS accounts.
- Check private hosted zones in the non-working accounts for domains, subdomains, and root domains that overlap. For example, the domain ap-southeast-1.amazonaws.com, the subdomain efs.ap-southeast-1.amazonaws.com, and the root domain amazonaws.com overlap.
- Resolve the CNAME value against the target IP addresses in your Resolver rule and then compare the behavior with the default VPC DNS resolver.
The DNS propagation is slow or fails
DNS propagation delays or failures can occur when you add or modify CNAME records in Route 53. If your name servers return "SERVFAIL" responses, then troubleshoot DNS propagation delays.
Check for existing records with the same name as your new or modified CNAME record. If a record exists with the same name, then lower the record's TTL (Time to Live) value. For more information, see Working with records.
Use one of the following DNS troubleshooting tools to trace the DNS resolution and identify failed name servers:
If the issue affects only specific DNS resolvers, then contact your domain registrar for assistance.
The CNAME doesn't resolve because of DNS Firewall
If the Route 53 Resolver DNS Firewall allowlist doesn't contain the CNAME values in your VPC, then your CNAME records fail to resolve. Verify that the DNS Firewall allowlist contains the CNAME record that your domain points to. If it's missing, then add it to the list.
Note: After you update the rule group, wait a few minutes for the changes to propagate.
For more information, see How Route 53 Resolver DNS Firewall works.
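The following Python script is an added example, not part of this article or an AWS tool. It reads Route 53 Resolver query log lines (JSON, using the documented field names query_name, query_type, rcode, answers and firewall_rule_action) and tags each failing query with the symptom category described in the sections above: a CNAME chain with no IPv6 answer, NXDOMAIN, SERVFAIL, or a DNS Firewall block. The log lines embedded in it are constructed for illustration.

```python
import json

# Constructed sample lines in Route 53 Resolver query log JSON format.
# Field names follow the documented log format; all values are made up.
SAMPLE_LOG_LINES = [
    '{"query_name":"app.example.internal.","query_type":"AAAA","rcode":"NOERROR",'
    '"answers":[{"Rdata":"lb.example.internal.","Type":"CNAME","Class":"IN"}],"srcaddr":"10.0.1.5"}',
    '{"query_name":"web.example.internal.","query_type":"AAAA","rcode":"NOERROR",'
    '"answers":[{"Rdata":"cdn.example.internal.","Type":"CNAME","Class":"IN"},'
    '{"Rdata":"2001:db8::1","Type":"AAAA","Class":"IN"}],"srcaddr":"10.0.1.6"}',
    '{"query_name":"fs.ap-southeast-1.amazonaws.com.","query_type":"A","rcode":"NXDOMAIN",'
    '"answers":[],"srcaddr":"10.0.2.7"}',
    '{"query_name":"new.example.com.","query_type":"A","rcode":"SERVFAIL","answers":[],"srcaddr":"10.0.2.8"}',
    '{"query_name":"vendor.example.net.","query_type":"A","rcode":"NXDOMAIN","answers":[],'
    '"firewall_rule_action":"BLOCK","srcaddr":"10.0.3.9"}',
]


def classify(entry):
    """Return a symptom label for one parsed log entry, or None if it looks healthy."""
    answers = entry.get("answers") or []
    answer_types = {a.get("Type") for a in answers}
    # Check the firewall action first: a blocked query also carries NXDOMAIN.
    if entry.get("firewall_rule_action") == "BLOCK":
        return "dns_firewall_block"      # CNAME target missing from the DNS Firewall allowlist
    if entry.get("rcode") == "SERVFAIL":
        return "servfail_propagation"    # propagation delay or failure; check TTLs, trace name servers
    if entry.get("rcode") == "NXDOMAIN":
        return "nxdomain"                # Resolver rule not shared, or overlapping private hosted zones
    if entry.get("query_type") == "AAAA" and "CNAME" in answer_types and "AAAA" not in answer_types:
        return "cname_target_no_ipv6"    # CNAME answered, but the chain ends without an IPv6 address
    return None


def triage(lines):
    """Parse raw log lines and group affected query names by symptom label."""
    findings = {}
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        label = classify(entry)
        if label:
            findings.setdefault(label, set()).add(entry.get("query_name", "?"))
    return findings


if __name__ == "__main__":
    for label, names in sorted(triage(SAMPLE_LOG_LINES).items()):
        print(f"{label}: {', '.join(sorted(names))}")
```

Point it at lines exported from the query log destination (CloudWatch Logs, S3 or Kinesis Data Firehose) to get a per-symptom list of query names, then apply the matching section above.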
Troubleshoot and resolve other DNS-related issues
If you experience partial or intermittent DNS failures, then see How does DNS work, and how do I troubleshoot partial or intermittent DNS failures?
Check the health status of your Route 53 Resolver endpoints. If your health check fails, then see How can I troubleshoot unhealthy Route 53 health checks? Check the network connectivity between the DNS resolver and the endpoints. Make sure that the necessary ports are open in your security groups and network access control list (network ACL). For more information, see How do I troubleshoot DNS resolution issues with Route 53 Resolver endpoints?
If your issue relates to a specific resource or instance, then check that the instance's network interface settings, security group rules, and DNS settings are correct.
Related information
Resolving DNS queries between VPCs and your network
Considerations when working with a private hosted zone