CNAME flattening

George Thessalonikefs george at nlnetlabs.nl
Tue Jun 7 15:05:10 UTC 2022


Hi Dimitris,

Since I see you mention a firewall together with DNS, maybe the contributed 
ipset module could be useful in your case 
(https://github.com/NLnetLabs/unbound/blob/master/doc/README.ipset.md).

Best regards,
-- George

On 07/06/2022 16:59, Dimitris Chryssanthakopoulos via Unbound-users wrote:
> Thank you all for your suggestions
> 
> I'll try to work with messages instead of cache tables and see where 
> this gets me
> 
> 
> With Best Regards,
> 
> Dimitris Chryssanthakopoulos
> 
> IT Manager
> 
> 
> 
> As Agents Only
> 
> 367, Syngrou Av. | 175 64 Athens | Greece
> 
> tel: +30 210 9402001 |   fax: +30 210 9402430
> 
> Website: www.kassian.gr
> 
> 
> 
> On Mon, Jun 6, 2022 at 7:16 PM Carsten Strotmann <carsten at strotmann.de> wrote:
> 
>     Hi Dimitris,
> 
>     On 6 Jun 2022, at 18:01, Dimitris Chryssanthakopoulos via
>     Unbound-users wrote:
> 
>      > Let me illustrate by an example, comparing what I get now and what I want
>      > to get (what NextDNS does with "CNAME flattening"):
> 
>     "CNAME flattening" is a feature that is part of some authoritative
>     server products. It is not part of the DNS protocol, and it is
>     nothing that a DNS resolver such as Unbound can do.
> 
>      >
>      > normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
>      >
>      > - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
>      >
>      > AND
>      >
>      > - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
>      >
>      > - "someserver.on.amazon.aws" has A record "212.216.124.33"
>      >
>      > what I need is to query for "gravityzone.bitdefender.com" and get a reply:
>      >
>      > - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
>      >
>      > - "gravityzone.bitdefender.com" has A record "212.216.124.33"
>      >
>      > When querying NextDNS, with CNAME Flattening enabled in Settings (far right
>      > tab of setup WebGUI) the second scenario occurs. The reason I ask here is
>      > that I understand NextDNS uses Unbound.
>      >
>      > The DNS replies from Unbound will be used in my router to create dynamic
>      > firewall rules. If I get regular DNS replies, I have to figure out the
>      > CNAME chain myself with scripting on my router, which is too slow. (Often,
>      > the CNAME chain is longer, and I need to recursively check a tree of CNAME
>      > records and A records.)
>      >
>      > If I get DNS replies like the second scenario, it is reasonably fast to run
>      > a few statements for every entry in the router's DNS cache (for A records
>      > only). In other words, I want to offload some processing from the router to
>      > Unbound. Hope this clarifies.
> 
>     To reach your goal, I recommend to filter out all the CNAME
>     responses and only process the A/AAAA Record responses.
> 
>     A DNS resolver (such as Unbound) will return all CNAME entries in
>     the chain, as well as the final address records (if they exist).
> 
>     A (simple/naive) scripting solution could be
> 
>     dig gravityzone.bitdefender.com +short | grep -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
> 
>     Greetings
> 
>     Carsten
> 
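The grep one-liner in the thread keeps only dotted quads, so it drops AAAA records, accepts octets above 255, and loses the TTL that a dynamic firewall rule should expire with. The script below is an added example (it is not code from the thread, from Unbound, or from NextDNS) that does the client-side flattening the original question describes: it reads dig's ANSWER SECTION lines, follows the CNAME chain from the queried name with a hop limit, and emits the terminal A/AAAA addresses attributed to the queried name with the minimum TTL over the chain. The sample answer is constructed for the example; the names after the first CNAME hop, the IPv6 address and the TTLs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread, from Unbound, or from NextDNS.
# Input on stdin: dig-style ANSWER SECTION lines, "<owner> <ttl> IN <type> <rdata>",
# as printed by:  dig +noall +answer <name>
# Output: one "<queried-name> <ttl> <address>" line per A/AAAA record reached by
# following the CNAME chain from the queried name.
#   - CNAME records are consumed only to attribute addresses to the queried name.
#   - The TTL is the minimum over the whole chain: the mapping is only valid
#     until the first hop expires, so firewall rules should expire with it.
#   - Address records whose owner is not the chain's terminal name are ignored.
#   - A hop limit (16) guards against a CNAME loop in a bad answer.
flatten_answer() {
    awk -v qname="$1" '
        # owner names and CNAME targets may carry a trailing dot; normalise
        function strip(n) { sub(/\.$/, "", n); return n }
        NF >= 5 && $3 == "IN" && $4 == "CNAME" {
            owner = strip($1)
            cname[owner] = strip($5)
            ttl[owner] = $2 + 0
            next
        }
        NF >= 5 && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            owner = strip($1)
            addr[owner, ++cnt[owner]] = $5
            if (!(owner in ttl) || $2 + 0 < ttl[owner]) ttl[owner] = $2 + 0
        }
        END {
            name = strip(qname); min = ""; hops = 0
            while ((name in cname) && hops < 16) {
                if (min == "" || ttl[name] < min) min = ttl[name]
                name = cname[name]; hops++
            }
            if ((name in ttl) && (min == "" || ttl[name] < min)) min = ttl[name]
            # cnt[name] is 0 for a dangling or looping chain, so nothing is printed
            for (i = 1; i <= cnt[name]; i++)
                printf "%s %d %s\n", strip(qname), min, addr[name, i]
        }'
}

# Constructed sample answer for an offline run. The first hop and the two IPv4
# addresses come from the thread; elb.example.net, other.example.net, the IPv6
# address and the TTLs are made up. The last line is a stray record that a
# naive grep would wrongly keep.
sample_answer() {
    cat <<'EOF'
gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws. 60 IN CNAME elb.example.net.
elb.example.net. 30 IN A 212.216.124.1
elb.example.net. 30 IN A 212.216.124.33
elb.example.net. 30 IN AAAA 2001:db8::1
other.example.net. 30 IN A 198.51.100.7
EOF
}

# Offline demo. Against a live resolver, replace sample_answer with
#   dig +noall +answer gravityzone.bitdefender.com
sample_answer | flatten_answer gravityzone.bitdefender.com
```

On the sample this prints three lines for gravityzone.bitdefender.com with TTL 30 (the smallest TTL in the chain), one per address; the stray record for other.example.net is dropped because it is not the chain's terminal name. Feeding the output into ipset or nftables rules with a timeout equal to the printed TTL keeps the firewall in step with the resolver's cache.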