CNAME flattening
George Thessalonikefs
george at nlnetlabs.nl
Tue Jun 7 15:05:10 UTC 2022
Hi Dimitris,
Since I see you mention firewall together with DNS, maybe the contributed
ipset module could be useful in your case
(https://github.com/NLnetLabs/unbound/blob/master/doc/README.ipset.md).
Best regards,
-- George
On 07/06/2022 16:59, Dimitris Chryssanthakopoulos via Unbound-users wrote:
> Thank you all for your suggestions
>
> I'll try to work with messages instead of cache tables and see where
> this gets me
>
>
> With Best Regards,
>
> Dimitris Chryssanthakopoulos
>
> IT Manager
>
>
>
> As Agents Only
>
> 367, Syngrou Av. | 175 64 Athens | Greece
>
> tel: +30 210 9402001 | fax: +30 210 9402430
>
> Website: www.kassian.gr
>
>
>
> On Mon, Jun 6, 2022 at 7:16 PM Carsten Strotmann <carsten at strotmann.de>
> wrote:
>
> Hi Dimitris,
>
> On 6 Jun 2022, at 18:01, Dimitris Chryssanthakopoulos via
> Unbound-users wrote:
>
> > Let me illustrate by an example, comparing what I get now and what I want
> > to get (what NextDNS does with "CNAME flattening"):
>
> "CNAME flattening" is a feature that is part of some authoritative
> server products. It is not part of the DNS protocol, and it is not
> something that a DNS resolver such as Unbound can do.
>
> > normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
> >
> > - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
> >
> > AND
> >
> > - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
> >
> > - "someserver.on.amazon.aws" has A record "212.216.124.33"
> >
> > what I need is to query for "gravityzone.bitdefender.com" and get a reply:
> >
> > - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
> >
> > - "gravityzone.bitdefender.com" has A record "212.216.124.33"
> >
> > When querying NextDNS, with CNAME Flattening enabled in Settings (far right
> > tab of the setup WebGUI) the second scenario occurs. The reason I ask here
> > is that I understand NextDNS uses Unbound.
> >
> > The DNS replies from Unbound will be used in my router to create dynamic
> > firewall rules. If I get regular DNS replies, I have to figure out the
> > CNAME chain myself with scripting on my router, which is too slow. (Often,
> > the CNAME chain is longer, and I need to recursively check a tree of CNAME
> > records and A records.)
> >
> > If I get DNS replies like the second scenario, it is reasonably fast to run
> > a few statements for every entry in the router's DNS cache (for A records
> > only). In other words, I want to offload some processing from the router to
> > Unbound. Hope this clarifies.
>
> To reach your goal, I recommend filtering out all the CNAME
> responses and only processing the A/AAAA record responses.
>
> A DNS resolver (such as Unbound) will return all CNAME entries in
> the chain, as well as the final address records (if they exist).
>
> A (simple/naive) scripting solution could be
>
> dig gravityzone.bitdefender.com +short | grep -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
>
> Greetings
>
> Carsten
>
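The approach Carsten describes, walking the CNAME chain that the resolver already returns in a single answer and keeping only the terminal name's address records, written out as an added example. This is not code from the thread, from Unbound or from NextDNS. The sample answer text, the second CNAME hop, the AAAA and TXT records, the looped chain and the MAX_CHAIN cap are all constructed here for illustration; the names and addresses are placeholders, not real records.

```python
"""Client-side "CNAME flattening" over a resolver's answer section.

A resolver such as Unbound returns the whole CNAME chain plus the terminal
A/AAAA records in one answer, so the consumer only has to walk that chain
from the query name; it never needs to issue follow-up queries.
"""
import ipaddress

# Constructed sample in the shape of `dig +noall +answer <name> A` output.
# The second CNAME hop, the AAAA record and the TXT record are invented.
SAMPLE_ANSWER = """\
gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws.    60  IN CNAME lb-1.on.amazon.aws.
lb-1.on.amazon.aws.          60  IN A     212.216.124.1
lb-1.on.amazon.aws.          60  IN A     212.216.124.33
lb-1.on.amazon.aws.          60  IN AAAA  2001:db8::1
lb-1.on.amazon.aws.          60  IN TXT   "v=999.999.999.999"
"""

# Constructed broken chain: a naive walker would loop on this forever.
LOOPED_ANSWER = """\
a.example. 60 IN CNAME b.example.
b.example. 60 IN CNAME a.example.
"""

MAX_CHAIN = 8  # Hypothetical cap chosen for this example.


def canon(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_answer(text):
    """Parse dig-style answer lines into (owner, type, rdata) tuples.

    Fields are owner, TTL, class, type, rdata; rdata may contain spaces
    (e.g. TXT), so only the first four fields are split off.
    """
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        records.append((canon(owner), rtype.upper(), rdata.strip()))
    return records


def flatten(records, qname, max_chain=MAX_CHAIN):
    """Follow the CNAME chain from qname; return (terminal_name, addresses).

    Only A/AAAA records owned by the terminal name are returned, so an
    IP-looking string inside a TXT record is never mistaken for an address.
    Raises ValueError on a CNAME loop or a chain longer than max_chain.
    """
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))

    current = canon(qname)
    seen = set()
    while True:
        cnames = [r for t, r in by_owner.get(current, []) if t == "CNAME"]
        if not cnames:
            break
        if current in seen or len(seen) >= max_chain:
            raise ValueError("CNAME loop or chain longer than %d at %s"
                             % (max_chain, current))
        seen.add(current)
        current = canon(cnames[0])  # a name normally carries one CNAME

    addresses = []
    for rtype, rdata in by_owner.get(current, []):
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)  # rejects 999.999.999.999 etc.
            if (rtype == "A") == (ip.version == 4):
                addresses.append(str(ip))
    return current, addresses


if __name__ == "__main__":
    print(flatten(parse_answer(SAMPLE_ANSWER), "gravityzone.bitdefender.com"))
```

Compared with the bare IPv4 regex, this version only accepts addresses that belong to the name the chain actually ends at, validates them with ipaddress (so out-of-range octets are rejected), picks up AAAA records as well, and refuses to spin on a looped or over-long chain, which is the case a router-side firewall script most needs to survive.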