Answer
The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).
That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:
dig +noall +answer +multiline yourdomain.yourtld any
These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).
Example
$ dig +noall +answer +multiline bad.horse any
Returns:
bad.horse. 7200 IN A 162.252.205.157
bad.horse. 7200 IN CAA 0 issue "letsencrypt.org"
bad.horse. 7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse. 7200 IN MX 10 mx.sandwich.net.
bad.horse. 7200 IN NS a.sn1.us.
bad.horse. 7200 IN NS b.sn1.us.
bad.horse. 7200 IN SOA a.sn1.us. n.sn1.us. (
2017032202 ; serial
1200 ; refresh (20 minutes)
180 ; retry (3 minutes)
1209600 ; expire (2 weeks)
60 ; minimum (1 minute)
)
Caveats (RFC8482)
Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/
If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.
Because you will configure the S3 bucket to send a 301 redirect to www.example.com if you follow Amazon's directions, you will wind up with SSL certificate warnings if someone uses the non-www form. As far as I can tell, Amazon provides no way for you to provide your SSL certificate in this circumstance.
DNSimple has a different implementation which, instead of sending a 301 redirect, sends visitors directly to the IP address of the Heroku app (which, presumably, they look up dynamically). This works as long as Heroku is expecting it.
Best Answer
I guess I just solved the problem. I added a CNAME for the www subdomain plus a PageRule to forward requests made to it.