How do I troubleshoot CNAME record resolution issues when I use a conditional forwarder in my Windows DNS server?

4 minute read
0

When I use a conditional forwarder in my Windows Server DNS server or the AWS Directory Service DNS setting, I experience CNAME record resolution issues.

Short description

When you use a Windows DNS server or AWS Directory Service and its conditional forwarder in the following environments, CNAME record resolution issues occur:

  • The Windows DNS server that's in a private on-premises setting uses a conditional forwarder to send a DNS query to Amazon Route 53 resolver's inbound endpoint.
  • The Windows DNS server in a private Amazon Virtual Private Cloud (VPC) setting uses the conditional forwarder to send a DNS query to a Route 53 resolver.

Resolution

The DNS client receives a NOERROR response but can't resolve the CNAME record value that's on a private hosted zone

This issue occurs when the Windows DNS server has a conditional forwarder for the CNAME record (cname.example.com) but not for the CNAME record value (example.net).

When the Windows DNS server forwards a query to Amazon Route 53, the Route 53 resolver resolves cname.example.com and example.net and responds with an A record. This response is cached on the Windows DNS server, based on the time to live (TTL) for each record. When the DNS server has a valid cache for cname.example.com but an expired cache for example.net, then the DNS server returns only the CNAME record value. For more information on how the Route 53 resolver manages CNAME queries, see CNAME records in Best practices for Amazon Route 53 DNS.

The following example outputs show the different conditional forwarder configurations.

Hosted zones information

Public Hosted Zone (example.com)  
cname.example.com CNAME Simple - No example.net 300  
  
Private Hosted Zone (example.net)  
example.net A Simple - No 10.0.0.100 10 - - -

Initial dig query with a conditional forwarder that's created for only cname.example.com with no cache for records

$ dig cname.example.com. +noedns +noquestion

; <<>> DiG 9.16.48-RH <<>> cname.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38053 <- NOERROR response
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
cname.example.com. 300 IN CNAME example.net.
example.net. 10 IN A 10.0.0.100 <- A record IP address of example.net

;; Query time: 10 msec
;; SERVER: 10.0.0.53#53(10.0.0.53) <- a client's own Windows DNS server
;; WHEN: Sat Mar 09 22:11:34 UTC 2024
;; MSG SIZE rcvd: 110

Dig query with a conditional forwarder that's created for only cname.example.com with valid cache for only cname.example.com

$ dig cname.example.com. +noedns +noquestion

; <<>> DiG 9.16.48-RH <<>> cname.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47918 <- NOERROR response
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
cname.example.com. 280 IN CNAME example.net. <- No IP address returned

;; Query time: 0 msec <- Query time is 0 because it's a cache response
;; SERVER: 10.0.0.53#53(10.0.0.53) <- a client's own Windows DNS server
;; WHEN: Sat Mar 09 22:11:54 UTC 2024
;; MSG SIZE rcvd: 94

Dig query with a conditional forwarder that's created for both records

$ dig cname.example.com. +noedns +noquestion

; <<>> DiG 9.16.48-RH <<>> cname.example.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38153 <- NOERROR response
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
cname.example.com. 280 IN CNAME example.net.
example.net. 10 IN A 10.0.0.100 <- A record IP address of example.net

;; Query time: 10 msec
;; SERVER: 10.0.0.53#53(10.0.0.53) <- a client's own Windows DNS server
;; WHEN: Sat Mar 09 22:11:54 UTC 2024
;; MSG SIZE rcvd: 110

To resolve the issue, take the following actions:

Note: To resolve private hosted zone records, set the enableDNSHostnames and enableDnsSupport attributes to True on your Amazon VPC.

AWS OFFICIAL
AWS OFFICIALUpdated 18 days ago