[dnsdist] Unexpected behavior with SpoofCNAMEAction
Eldon Koyle
ekoyle+dnsdist at gmail.com
Wed May 26 17:22:01 UTC 2021
Hi All,
I'm trying to spoof a CNAME reply to enforce safe search, but running
into unexpected behavior.
I have a rule like:
-- try to match all possible google TLDs, optionally with www.
addAction(RE2Rule("(www\\.)?google(\\.co)?\\.[a-z]+"),
SpoofCNAMEAction("forcesafesearch.google.com", {ttl=300}))
When visiting google.com, I see:
* client: google.com IN A ?
* dnsdist: google.com IN CNAME forcesafesearch.google.com
* client: forcesafesearch.google.com IN AAAA ?
* dnsdist: forcesafecearch.google.com IN AAAA 2001:4860:4802:32::78
The client only gets an AAAA record, and I am on an IPv4-only network,
so the client is unable to communicate.
It seems the client is expecting dnsdist to follow the CNAME and
return the target A record along with the CNAME in the first response
(which makes sense performance-wise, but I'm not sure whether it is
required by a standard).
Is there a way to tell dnsdist to follow the CNAME and return the
requested record type along with the spoofed CNAME?
I'm running dnsdist 1.6.0-1pdns.buster on debian from the powerdns
repos. The client library is bind9-libs 1:9.16.13-1 on debian.
--
Eldon
More information about the dnsdist
mailing list