Month: January 2021

AWS Route53 CNAME not working

Spent a few hours today sleuthing a client email issue: their Postfix server was unable to deliver email. The Postfix configuration looked fine, and the mail would eventually be delivered after 1 to 2 hours.

Postfix was reporting: "Host or domain name not found. Name service error for name=emaildomain.com type=AAAA: Host not found"

Because the error mentions an AAAA record, the first theory was that BIND was trying to use IPv6. IPv6 was disabled in the server configuration, but could BIND still be attempting IPv6 lookups? That was a dead end. (Asking for an AAAA record is a question about the record type, not the transport: a host with IPv6 disabled still sends AAAA queries over IPv4, and Postfix issues them alongside its A lookups.)

From a terminal:

nslookup emaildomain.com

returned NXDOMAIN.

Looked into routing issues between BIND and AWS and why the AWS name servers were not responding properly. Set the BIND forwarders to OpenDNS as well as Google's 8.8.8.8. Still nothing. Externally the domain resolved fine; internally BIND was not able to resolve it. Why?
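A more systematic version of the checks above, as an added example that is not part of the original post: the script asks an internal resolver and a public one for both the A and AAAA records of a name, follows any CNAME chain hop by hop, and classifies each answer as NXDOMAIN, NODATA (name exists, no record of that type), an address, or some other rcode. Seeing the two resolvers side by side makes an "external fine, internal NXDOMAIN" split visible in one run, and shows whether the name is a CNAME chain or a plain A/AAAA answer. The resolver addresses and the mail.example.com / nlb.elb.amazonaws.com names are placeholders; dig (bind-utils or dnsutils) is needed for the live queries.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Compares how two
# resolvers answer A and AAAA queries for a name and follows CNAME chains.
# Resolver addresses and host names below are placeholders.

# Extract the rcode (NOERROR, NXDOMAIN, SERVFAIL, ...) from a dig response
# captured with +comments; prints nothing if no header line is present.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# From an answer section (name ttl class type rdata), print the target of the
# first CNAME record without its trailing dot; print nothing if there is none.
cname_target() {
    printf '%s\n' "$1" | awk '$4 == "CNAME" { sub(/\.$/, "", $5); print $5; exit }'
}

# Count the A and AAAA records in an answer section.
count_addrs() {
    printf '%s\n' "$1" | awk '$4 == "A" || $4 == "AAAA" { n++ } END { print n + 0 }'
}

# Classify one response: the rcode if it is not NOERROR, ADDR when terminal
# A/AAAA data is present, otherwise NODATA (the name exists, possibly as a
# CNAME, but carries no record of the requested type).
classify() {
    rc=$(rcode_of "$1")
    [ "$rc" = "NOERROR" ] || { printf '%s\n' "${rc:-NORESPONSE}"; return; }
    if [ "$(count_addrs "$1")" -gt 0 ]; then
        printf 'ADDR\n'
    else
        printf 'NODATA\n'
    fi
}

# Query one resolver for one record type, keeping the header so the rcode
# is visible alongside the answer records.
query() {   # query <resolver> <name> <type>
    dig "@$1" +noall +comments +answer "$2" "$3" 2>/dev/null
}

# Follow the CNAME chain for <name> at <resolver>, printing one line per hop
# with the A and AAAA classification and the next CNAME target, if any.
trace() {   # trace <resolver> <name>
    name=$2; hop=0
    while [ "$hop" -lt 8 ]; do
        a_ans=$(query "$1" "$name" A)
        aaaa_ans=$(query "$1" "$name" AAAA)
        next=$(cname_target "$a_ans")
        printf '  %-45s A:%-8s AAAA:%-8s %s\n' "$name" \
            "$(classify "$a_ans")" "$(classify "$aaaa_ans")" \
            "${next:+-> $next}"
        [ -n "$next" ] && [ "$next" != "$name" ] || break
        name=$next; hop=$((hop + 1))
    done
}

# Live run only when asked for, e.g.:
#   DIAG_NAME=mail.example.com DIAG_INTERNAL=10.0.0.53 sh dnsdiag.sh
if [ -n "${DIAG_NAME:-}" ]; then
    for res in "${DIAG_INTERNAL:-127.0.0.1}" 8.8.8.8; do
        printf 'resolver %s\n' "$res"
        trace "$res" "$DIAG_NAME"
    done
fi
```

A CNAME pointing at a load balancer shows up as a first hop marked with an arrow and a second hop that answers ADDR for A; an alias record answers ADDR on the first hop with no arrow, because Route 53 returns the load balancer's addresses directly.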

Turns out the FQDN that we were pointing to is a CNAME to an AWS Network Load Balancer. As per the Route 53 documentation (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html): "To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that points to your load balancer. An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, but you can create an alias record both for the root domain, such as example.com, and for subdomains, such as www.example.com."

Removing the CNAME and replacing it with an alias record solved the issue for internal resolution, and it's quicker for external lookups too: Route 53 answers an alias query with the load balancer's address records directly, so there is no longer a two-step lookup, first the CNAME and then the CNAME target's IP. As a bonus, the Route 53 record creation tool walked through the setup beautifully and connecting it to the NLB was straightforward.

Problem solved!
