Hi Dimitris,

On 6 Jun 2022, at 18:01, Dimitris Chryssanthakopoulos via Unbound-users wrote:

> Let me illustrate by an example, comparing what I get now and what I want
> to get (what NextDNS does with "CNAME flattening"):
>
> normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
>
> - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws",
>   AND
> - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
> - "someserver.on.amazon.aws" has A record "212.216.124.33"
>
> what I need is to query for "gravityzone.bitdefender.com" and get a reply:
>
> - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
> - "gravityzone.bitdefender.com" has A record "212.216.124.33"
>
> When querying NextDNS, with CNAME Flattening enabled in Settings (far right
> tab of setup WebGUI) the second scenario occurs. The reason I ask here is
> that I understand NextDNS use Unbound.
>
> The DNS replies from Unbound will be used in my router to create dynamic
> firewall rules. If I get regular DNS replies, I have to figure out the
> CNAME chain myself with scripting on my router, which is too slow. (Often,
> the CNAME chain is longer, and I need to recursively check a tree of CNAME
> records and A records.)
>
> If I get DNS replies like the second scenario, it is reasonably fast to run
> a few statements for every entry in the router's DNS cache (for A records
> only). In other words, I want to offload some processing from the router to
> Unbound. Hope this clarifies.

To reach your goal, I recommend filtering out all the CNAME responses and only 
processing the A/AAAA record responses.

A DNS resolver (such as Unbound) will return all CNAME entries in the chain, as 
well as the final address records (if they exist).

A (simple/naive) scripting solution could be

dig gravityzone.bitdefender.com +short | grep -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}'

Greetings

Carsten
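The filtering Carsten describes, as an added example that is not part of the original mail thread: instead of matching IPv4 literals in `dig +short` output, it parses the answer section of `dig +noall +answer` and keeps only records of type A or AAAA, so any length of CNAME chain is skipped and IPv6 addresses are handled too. The answer section embedded below is constructed to mirror the chain Dimitris describes; the server name and the `2001:db8::1` address are illustrative, not the result of a real lookup.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): keep only the address
# records from a dig "+noall +answer" listing, dropping every CNAME in the
# chain.  Works for chains of any length and for both A and AAAA records.
#
# Live usage (needs dig and network access):
#   dig +noall +answer gravityzone.bitdefender.com A    | extract_addresses
#   dig +noall +answer gravityzone.bitdefender.com AAAA | extract_addresses

# Reads answer-section lines on stdin and prints one address per line.
# Each answer line has the form: NAME TTL CLASS TYPE RDATA
extract_addresses() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# Constructed sample answer section modelled on the thread's example
# (the AWS hostname and the IPv6 address are placeholders, not real data).
SAMPLE_ANSWER='gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws. 60 IN A 212.216.124.1
someserver.on.amazon.aws. 60 IN A 212.216.124.33
someserver.on.amazon.aws. 60 IN AAAA 2001:db8::1'

# Runs the filter over the constructed sample so it can be checked offline.
sample_addresses() {
    printf '%s\n' "$SAMPLE_ANSWER" | extract_addresses
}

# Prints the three addresses a firewall rule generator would consume.
sample_addresses
```

Because the filter keys on the record type rather than on the shape of the data, a chain with several intermediate CNAMEs yields exactly the same output as a flattened reply would, which is what the router-side rule generation needs.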