Fwd:

Dimitris Chryssanthakopoulos ice at kassian.gr
Mon Jun 6 16:01:08 UTC 2022


BTW, sorry for posting without a subject, it was by accident...


Let me illustrate by an example, comparing what I get now and what I want
to get (what NextDNS does with "CNAME flattening"):

normally, I query for "gravityzone.bitdefender.com" and I get a reply that:

 - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
AND
 - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
 - "someserver.on.amazon.aws" has A record "212.216.124.33"

what I need is to query for "gravityzone.bitdefender.com" and get a reply:

 - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
 - "gravityzone.bitdefender.com" has A record "212.216.124.33"

When querying NextDNS, with CNAME Flattening enabled in Settings (far right
tab of setup WebGUI) the second scenario occurs. The reason I ask here is
that I understand NextDNS uses Unbound.

The DNS replies from Unbound will be used in my router to create dynamic
firewall rules. If I get regular DNS replies, I have to figure out the
CNAME chain myself with scripting on my router, which is too slow. (Often,
the CNAME chain is longer, and I need to recursively check a tree of CNAME
records and A records.)

If I get DNS replies like the second scenario, it is reasonably fast to run
a few statements for every entry in the router's DNS cache (for A records
only). In other words, I want to offload some processing from the router to
Unbound. Hope this clarifies.

Thank you.


With Best Regards,

Dimitris Chryssanthakopoulos

T Manager



As Agents Only

367, Syngrou Av. | 175 64 Athens | Greece

tel: +30 210 9402001 |   fax: +30 210 9402430

Website: www.kassian.gr


On Mon, Jun 6, 2022 at 5:10 PM Felipe Gasper <felipe at felipegasper.com>
wrote:

>
> > On Jun 6, 2022, at 09:57, Dimitris Chryssanthakopoulos via Unbound-users
> <unbound-users at lists.nlnetlabs.nl> wrote:
> >
> > Dear Unbound-Users,
> >
> >
> > I am trying to do with Unbound what NextDNS calls "CNAME Flattening":
> >
> >  - when a request is made for a public host I want an A record for that
> name, even if
> > strictly speaking it is a CNAME. Is that possible with the available
> settings?
> >
> > To avoid confusion, Unbound may chase the CNAME chain properly (to avoid
> > poisoning etc) but it must reply to the original requestor only with an A
> > record.
>
> CNAME flattening is how libunbound always works, as far as I can tell:
> when you request an A record, Unbound will internally resolve all CNAME
> records.
>
> For example, “www.felipegasper.com”’s CNAME is “felipegasper.com”. When I
> query for CNAMEs, I get the CNAME:
>
> > perl -MDNS::Unbound -E'say join ".", unpack "(C/a)*" for
> DNS::Unbound->new()->resolve("www.felipegasper.com", "CNAME")->data()->@*'
> felipegasper.com.
>
> When I query for A records, though, I just get IPs:
>
> > perl -MDNS::Unbound -E'say join ".", unpack "C*" for
> DNS::Unbound->new()->resolve("www.felipegasper.com", "A")->data()->@*'
> 172.241.25.87
>
> -FG
>
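The chain-chasing step that the original post describes (follow each CNAME from the queried name until an owner with A records is reached, then attribute those addresses to the name that was asked for) is shown below as an added example; it is not code from this thread, from Unbound or from NextDNS. The records in `SAMPLE_ANSWER` are a constructed answer section built from the names and addresses in the post, and `RR`, `flatten_cname` and `addresses_for` are names chosen here. It also guards against the two failure modes a firewall-rule generator has to survive: a CNAME loop and a dangling chain whose final target has no A record.

```python
"""Flatten a CNAME chain in a DNS answer into A records for the queried name.

Added example (not code from the thread): SAMPLE_ANSWER is a constructed
answer section for an A query, using the names and addresses from the post.
"""
from typing import Dict, List, NamedTuple, Set


class RR(NamedTuple):
    """One resource record: owner name, record type, and rdata."""
    name: str
    rtype: str
    rdata: str


def _canon(name: str) -> str:
    """Normalise an owner or target name: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def flatten_cname(qname: str, answer: List[RR], max_depth: int = 16) -> List[RR]:
    """Follow CNAME records from qname to the final target and return that
    target's A records re-owned by qname (the "flattened" reply).

    Raises ValueError on a CNAME loop or a chain longer than max_depth, so a
    malformed answer cannot make the caller spin forever.
    """
    cnames: Dict[str, str] = {}
    a_records: Dict[str, List[str]] = {}
    for rr in answer:
        owner = _canon(rr.name)
        if rr.rtype == "CNAME":
            cnames[owner] = _canon(rr.rdata)
        elif rr.rtype == "A":
            a_records.setdefault(owner, []).append(rr.rdata)

    current = _canon(qname)
    seen: Set[str] = set()
    while current in cnames:
        if current in seen or len(seen) >= max_depth:
            raise ValueError(f"CNAME loop or over-long chain at {current}")
        seen.add(current)
        current = cnames[current]

    # A dangling chain (final target has no A record here) flattens to nothing.
    return [RR(_canon(qname), "A", ip) for ip in a_records.get(current, [])]


def addresses_for(qname: str, answer: List[RR]) -> List[str]:
    """Just the IPv4 strings for qname, in answer order."""
    return [rr.rdata for rr in flatten_cname(qname, answer)]


# Constructed sample answer mirroring the first scenario in the post.
SAMPLE_ANSWER = [
    RR("gravityzone.bitdefender.com.", "CNAME", "someserver.on.amazon.aws."),
    RR("someserver.on.amazon.aws.", "A", "212.216.124.1"),
    RR("someserver.on.amazon.aws.", "A", "212.216.124.33"),
]


if __name__ == "__main__":
    # Prints the second scenario from the post: two A records owned by the
    # name that was queried, with the CNAME hop removed.
    for rr in flatten_cname("gravityzone.bitdefender.com", SAMPLE_ANSWER):
        print(f"{rr.name} A {rr.rdata}")
```

The same function handles longer chains (several CNAME hops before the A records) and names that have no CNAME at all, which simply return their own A records. Note that it only reads records already present in one answer; a resolver that follows CNAMEs internally, as the reply above says libunbound does, normally includes the whole chain in that answer.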