CNAME flattening

Carsten Strotmann carsten at strotmann.de
Mon Jun 6 16:16:26 UTC 2022


Hi Dimitris,

On 6 Jun 2022, at 18:01, Dimitris Chryssanthakopoulos via Unbound-users wrote:

> Let me illustrate by an example, comparing what I get now and what I want
> to get (what NextDNS does with "CNAME flattening"):

"CNAME flattening" is a feature that is part of some authoritative server products. It is not part of the DNS protocol, and it is not something that a DNS resolver such as Unbound can do.

>
> Normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
>
> - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
>
> AND
>
> - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
>
> - "someserver.on.amazon.aws" has A record "212.216.124.33"
>
> What I need is to query for "gravityzone.bitdefender.com" and get a reply:
>
> - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
>
> - "gravityzone.bitdefender.com" has A record "212.216.124.33"
>
> When querying NextDNS, with CNAME Flattening enabled in Settings (far right
> tab of the setup WebGUI), the second scenario occurs. The reason I ask here is
> that I understand NextDNS uses Unbound.
>
> The DNS replies from Unbound will be used in my router to create dynamic
> firewall rules. If I get regular DNS replies, I have to figure out the
> CNAME chain myself with scripting on my router, which is too slow. (Often,
> the CNAME chain is longer, and I need to recursively check a tree of CNAME
> records and A records.)
>
> If I get DNS replies like the second scenario, it is reasonably fast to run
> a few statements for every entry in the router's DNS cache (for A records
> only). In other words, I want to offload some processing from the router to
> Unbound. Hope this clarifies.

To reach your goal, I recommend filtering out all the CNAME responses and only processing the A/AAAA record responses.

A DNS resolver (such as Unbound) will return all CNAME entries in the chain, as well as the final address records (if they exist).

A (simple/naive) scripting solution could be:

# +short prints every CNAME target in the chain followed by the final
# addresses; -x keeps only lines that consist entirely of an IPv4 address,
# so a CNAME target whose name happens to contain digits and dots is not
# mistaken for an address
dig gravityzone.bitdefender.com +short | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'

Greetings

Carsten
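The following is an added example and is not part of Carsten's reply or of Unbound; it shows the filtering approach he describes done by record type rather than by a regular expression on the address text. It reads the answer section that `dig +noall +answer` prints (owner, TTL, class, type, rdata on each line), keeps only the A and AAAA records, emits them against the originally queried name (the "flattened" form Dimitris asked for), and reports the smallest TTL seen anywhere in the chain, since a firewall rule built from the result should expire no later than the shortest-lived hop. The answer section embedded below is constructed for the example; the hostnames and addresses are taken from the thread, the AAAA record is an assumption added to show IPv6 handling.

```shell
#!/bin/sh
# Flatten a dig answer section to address records only (added example).
# Usage on a live resolver (not run here):
#   dig +noall +answer gravityzone.bitdefender.com | flatten_answer gravityzone.bitdefender.com

flatten_answer() {
    # $1 = the name that was queried; answer section lines on stdin.
    # Output: "<qname> <min TTL in chain> <A|AAAA> <address>", one per record.
    # A chain whose final target has no address records produces no output,
    # which a firewall script should treat as "no rule", not as an error.
    awk -v qname="$1" '
        # Only class IN address records become output lines; CNAME (and any
        # RRSIG, if +dnssec was used) are skipped but still count for the TTL.
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") { addrs[n++] = $4 " " $5 }
        $3 == "IN" && (minttl == "" || $2 + 0 < minttl) { minttl = $2 + 0 }
        END {
            for (i = 0; i < n; i++) print qname, minttl, addrs[i]
        }'
}

# Constructed sample answer section, standing in for dig output (assumed data,
# shaped like the example in the thread plus one AAAA record).
SAMPLE_ANSWER='gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws. 60 IN A 212.216.124.1
someserver.on.amazon.aws. 60 IN A 212.216.124.33
someserver.on.amazon.aws. 120 IN AAAA 2001:db8::1'

# Runs the flattening over the embedded sample, so the example works offline.
flatten_sample() {
    printf '%s\n' "$SAMPLE_ANSWER" | flatten_answer gravityzone.bitdefender.com
}

flatten_sample
```

Filtering on the type field means a CNAME target such as `1.2.3.4.example.net.` can never be mistaken for an address, and the same function handles IPv6 without a second regular expression. The TTL column is the part worth keeping in a router script: using the A record's own TTL (60 here) is correct only because it happens to be the minimum; had the CNAME carried the shorter TTL, a rule keyed on the address TTL would outlive the name-to-address mapping.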

