[dnsdist] Unexpected behavior with SpoofCNAMEAction

Eldon Koyle ekoyle+dnsdist at gmail.com
Wed May 26 17:22:01 UTC 2021

Hi All,

I'm trying to spoof a CNAME reply to enforce safe search, but running
into unexpected behavior.

I have a rule like:
    -- try to match all possible google TLDs, optionally with www.
    SpoofCNAMEAction("forcesafesearch.google.com", {ttl=300}))

When visiting google.com, I see:
    * client: google.com IN A ?
    * dnsdist:  google.com IN CNAME forcesafesearch.google.com
    * client: forcesafesearch.google.com IN AAAA ?
    * dnsdist: forcesafesearch.google.com IN AAAA 2001:4860:4802:32::78

The client only gets an AAAA record, and I am on an IPv4-only network,
so the client is unable to communicate.

It seems the client is expecting dnsdist to follow the CNAME and
return the target A record along with the CNAME in the first response
(which makes sense performance-wise, but I'm not sure whether it is
required by a standard).

Is there a way to tell dnsdist to follow the CNAME and return the
requested record type along with the spoofed CNAME?

I'm running dnsdist 1.6.0-1pdns.buster on debian from the powerdns
repos.  The client library is bind9-libs 1:9.16.13-1 on debian.
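The exchange above boils down to one DNS property: a response carrying only a CNAME is valid, but the client must then re-ask for its original qtype at the CNAME target, and if that second answer comes back as a different type (AAAA when A was asked), the chain never yields a usable address. The following added example, which is not part of the post and not dnsdist code, builds small wire-format responses with the Python standard library and checks whether a rewritten answer already contains a record of the requested type for the end of the CNAME chain. The owner names follow the post; the addresses 192.0.2.1 and 2001:db8::1 are constructed documentation values, and the helper names are this example's own.

```python
import struct

QTYPE_A, QTYPE_CNAME, QTYPE_AAAA = 1, 5, 28
TYPE_NAMES = {QTYPE_A: "A", QTYPE_CNAME: "CNAME", QTYPE_AAAA: "AAAA"}


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def build_response(qname, qtype, answers):
    """Build a minimal response; answers is a list of (owner, type, ttl, rdata bytes)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for owner, rtype, ttl, rdata in answers:
        rrs += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + rrs


def parse_response(msg):
    """Return (qname, qtype, [(owner, type, ttl, rdata)]); CNAME rdata is decoded to a name."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        t, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if qname is None:
            qname, qtype = name, t
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + 10 - 10 + rdlen
        rdata = decode_name(msg, rdata_off)[0] if rtype == QTYPE_CNAME else msg[rdata_off:off]
        answers.append((owner, rtype, ttl, rdata))
    return qname, qtype, answers


def chain_is_complete(qname, qtype, answers):
    """Follow CNAMEs from qname; True only if the final owner has a record of the asked type."""
    owner = qname.lower()
    for _ in range(8):  # bound the walk so a CNAME loop cannot spin forever
        if any(o == owner and t == qtype for o, t, _, _ in answers):
            return True
        targets = [r for o, t, _, r in answers if o == owner and t == QTYPE_CNAME]
        if not targets:
            return False  # client must send a follow-up query of its original type
        owner = targets[0]
    return False


# Constructed sample records (not taken from the post); documentation addresses only.
SPOOF_TARGET = "forcesafesearch.google.com"
A_RDATA = bytes([192, 0, 2, 1])
AAAA_RDATA = bytes.fromhex("20010db8000000000000000000000001")
CNAME_RR = ("google.com", QTYPE_CNAME, 300, encode_name(SPOOF_TARGET))


def cname_only_response():
    return build_response("google.com", QTYPE_A, [CNAME_RR])


def cname_plus_a_response():
    return build_response("google.com", QTYPE_A, [CNAME_RR, (SPOOF_TARGET, QTYPE_A, 300, A_RDATA)])


def cname_plus_aaaa_response():
    # The failure mode from the post: the only address record is of the wrong type.
    return build_response("google.com", QTYPE_A, [CNAME_RR, (SPOOF_TARGET, QTYPE_AAAA, 300, AAAA_RDATA)])


def usable_without_followup(msg):
    qname, qtype, answers = parse_response(msg)
    return chain_is_complete(qname, qtype, answers)


if __name__ == "__main__":
    for label, msg in (("CNAME only", cname_only_response()),
                       ("CNAME + A", cname_plus_a_response()),
                       ("CNAME + AAAA", cname_plus_aaaa_response())):
        print(f"{label:12s} -> answer usable without a follow-up query: {usable_without_followup(msg)}")
```

Running the three cases shows that only the response carrying both the CNAME and an A record for its target satisfies an A query directly; the CNAME-only answer is legal but forces the client's second lookup, and the CNAME-plus-AAAA answer is the situation the post describes, where an IPv4-only client is left with nothing it can use.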

