We ran into this a few weeks ago as well, after having worked perfectly for a year or more. Setup is unbound, as site resolver, forwarding netflix domain requests to a bind instance that strips AAAA responses. After some digging with tcpdump, found, as did the original poster, that some of the netflix responses were now cnames to aws, and other, domains. These are then resolved in the usual way and AAAA responses are returned breaking netflix. We fixed it by getting unbound to forward the specific cname destinations to the bind stripping instance. This has been working, for us, for a couple of weeks now. We are located in Northern Britain and obviously the cnames returned will be region specific. Just thought I'd list the domains/hosts we are forwarding for AAAA stripping in case this helps anyone else.
netflix.com.
netflix.net.
nflxext.com.
nflximg.net.
nflximg.com.
nflxvideo.net.
nflxso.net.
e13252.dscg.akamaiedge.net.
dualstack.ichnaea-vpc0-1803858966.eu-west-1.elb.amazonaws.com.
dualstack.beaconserver-ce-vpc0-1537565064.eu-west-1.elb.amazonaws.com.
dualstack.wwwservice2--frontend-san-vpc0-138074574.eu-west-1.elb.amazonaws.com.
dualstack.wwwservice--frontend-san-vpc0-445693027.eu-west-1.elb.amazonaws.com.
dualstack.ichnaea-web-323206729.eu-west-1.elb.amazonaws.com.
Really sucks that we have to jump through hoops like this to watch content we've paid for especially as netflix lists our /48 as being from the UK!!!!