CNAME flattening

Dimitris Chryssanthakopoulos ice at kassian.gr
Tue Jun 7 14:59:31 UTC 2022


Thank you all for your suggestions

I'll try to work with messages instead of cache tables and see where this
gets me


With Best Regards,

Dimitris Chryssanthakopoulos

IT Manager



As Agents Only

367, Syngrou Av. | 175 64 Athens | Greece

tel: +30 210 9402001 |   fax: +30 210 9402430

Website: www.kassian.gr


On Mon, Jun 6, 2022 at 7:16 PM Carsten Strotmann <carsten at strotmann.de>
wrote:

> Hi Dimitris,
>
> On 6 Jun 2022, at 18:01, Dimitris Chryssanthakopoulos via Unbound-users
> wrote:
>
> > Let me illustrate by an example, comparing what I get now and what I want
> > to get (what NextDNS does with "CNAME flattening"):
>
> "CNAME flattening" is a feature that is part of some authoritative server
> products. It is not part of the DNS protocol, and it is nothing that a DNS
> resolver such as Unbound can do.
>
> >
> > normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
> >
> > - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
> >
> > AND
> >
> > - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
> >
> > - "someserver.on.amazon.aws" has A record "212.216.124.33"
> >
> > what I need is to query for "gravityzone.bitdefender.com" and get a reply:
> >
> > - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
> >
> > - "gravityzone.bitdefender.com" has A record "212.216.124.33"
> >
> > When querying NextDNS, with CNAME Flattening enabled in Settings (far right
> > tab of setup WebGUI) the second scenario occurs. The reason I ask here is
> > that I understand NextDNS uses Unbound.
> >
> > The DNS replies from Unbound will be used in my router to create dynamic
> > firewall rules. If I get regular DNS replies, I have to figure out the
> > CNAME chain myself with scripting on my router, which is too slow. (Often,
> > the CNAME chain is longer, and I need to recursively check a tree of CNAME
> > records and A records.)
> >
> > If I get DNS replies like the second scenario, it is reasonably fast to run
> > a few statements for every entry in the router's DNS cache (for A records
> > only). In other words, I want to offload some processing from the router to
> > Unbound. Hope this clarifies.
>
> To reach your goal, I recommend filtering out all the CNAME responses and
> only processing the A/AAAA Record responses.
>
> A DNS resolver (such as Unbound) will return all CNAME entries in the
> chain, as well as the final address records (if they exist).
>
> A (simple/naive) scripting solution could be
>
> dig gravityzone.bitdefender.com +short | grep -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
>
> Greetings
>
> Carsten
>
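Added example (not code from this thread, Unbound or NextDNS): a small client-side "flattening" step of the kind the router would run. It parses the answer section in the presentation format that `dig +noall +answer` prints (owner, TTL, class, type, rdata), follows the CNAME chain from the queried name to the terminal A/AAAA records, and reports them as if they belonged to the queried name, together with the smallest TTL seen along the chain. The answer lines are constructed sample data; the hostname `lb.example.invalid` and the IPv6 address are made up to extend the chain beyond what the thread showed.

```python
"""Client-side CNAME flattening over a resolver's answer section.

Added example, not code from the thread. Input lines look like the output
of `dig +noall +answer`. Names are normalised to lowercase with a trailing
dot before comparison. Hostnames and addresses below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample answer section: a two-hop CNAME chain ending in two
# A records and one AAAA record (the second hop and the AAAA are invented).
SAMPLE_ANSWER = """\
gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws. 60 IN CNAME lb.example.invalid.
lb.example.invalid. 60 IN A 212.216.124.1
lb.example.invalid. 60 IN A 212.216.124.33
lb.example.invalid. 60 IN AAAA 2001:db8::1
"""


def _norm(name):
    """Canonical owner-name form: lowercase, fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_answer(text):
    """Parse 'owner TTL class type rdata' lines into tuples.

    Comment lines (';'), blank lines, malformed lines and non-IN records are
    skipped rather than guessed at.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, ttl, rclass, rtype = parts[0], parts[1], parts[2], parts[3]
        rdata = " ".join(parts[4:])
        if rclass.upper() != "IN":
            continue
        records.append((_norm(owner), int(ttl), rtype.upper(), rdata))
    return records


def flatten(qname, records, max_hops=8):
    """Follow CNAMEs from qname and return (addresses, min_ttl).

    addresses is a list of (rtype, ip) for the terminal A/AAAA records, in
    answer order. min_ttl is the smallest TTL on the chain, which is how long
    a firewall rule derived from these addresses should live. A CNAME loop
    or a chain longer than max_hops raises ValueError.
    """
    by_owner = defaultdict(list)
    for owner, ttl, rtype, rdata in records:
        by_owner[owner].append((ttl, rtype, rdata))

    name = _norm(qname)
    seen = set()
    min_ttl = None
    for _ in range(max_hops + 1):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = by_owner.get(name, [])
        cnames = [(ttl, rdata) for ttl, rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            ttl, target = cnames[0]
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            name = _norm(target)
            continue
        addrs = []
        for ttl, rtype, rdata in rrs:
            if rtype not in ("A", "AAAA"):
                continue
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata never reaches a firewall rule
            if (rtype == "A") != (ip.version == 4):
                continue  # record type and address family disagree
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            addrs.append((rtype, str(ip)))
        return addrs, (min_ttl if min_ttl is not None else 0)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


if __name__ == "__main__":
    addrs, ttl = flatten("gravityzone.bitdefender.com", parse_answer(SAMPLE_ANSWER))
    for rtype, ip in addrs:
        print(f"gravityzone.bitdefender.com {ttl} IN {rtype} {ip}")
```

Two points this adds over the one-line `dig | grep` approach when the output feeds firewall rules: the address check uses `ipaddress` rather than a digit regex, so octets above 255 or stray numbers inside CNAME targets or TXT data are not accepted, and the rule lifetime is tied to the shortest TTL in the chain, since any link in the chain can change independently of the final A records.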