Hello,
let's discuss the possibility of implementing server-side CNAME flattening support. This is necessary to reduce and speed up DNS lookups by disabling ANAME support and blocking RFC-compliant CNAME records at root domains (CNAME cloaking in this context, I suppose🤨). More information here:
https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/
https://kinsta.com/blog/reduce-dns-lookups/
https://news.ycombinator.com/item?id=24974033
This is also already implemented in NextDNS. Correct me if I misunderstand anything🤔
Thank you!
Cheers🥳
This only makes sense in the case when unbound is used on a router, which is really rare.
So I'd say it's a "nice-to-have" feature, not too important.
Another case would be Firefox. Firefox, when used with DoH, will chase CNAMEs just like unbound.
From one of the devs that worked on Firefox's initial DoH implementation:
The code is aware of CNAME records and will “chase” them down and use the final A/AAAA entry with its TTL as if there were no CNAMEs present and store that in the in-memory DNS cache. This initial approach, at least, does not cache the intermediate CNAMEs nor does it care about the CNAME TTL values.
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
CNAME chasing brings in a new problem if you use DNS rewrites. AGH doesn't rewrite CNAME domains, but with CNAME chasing, Firefox will query the CNAME directly, get rewritten records and merge them with the records initially handed out by AGH. As an unintended consequence of its action, the CNAME is now rewritten.
This can be problematic when you don't want CNAMEs to be rewritten. One example is if you add AAAA records to *.github.io: it will break GitHub Pages on custom domains, as they CNAME to username.github.io and the IPv6 load balancer doesn't have the required certs, causing Firefox to throw an SSL cert error. CNAME flattening would help solve this problem.
For this reason, I suggest that this feature request be prioritized a little more than nice-to-have.
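The interaction described in the comment above, modelled as an added example (this is not code from AdGuard Home, unbound or Firefox, and all names, addresses and the rewrite rule are constructed): a toy filtering resolver applies rewrites only to the queried name, a Firefox-style client re-queries every CNAME target it sees and merges the answers, and a `flatten` switch makes the resolver return only the final records under the queried name instead of the CNAME chain. With chasing and no flattening, a wildcard AAAA rewrite on the CNAME target leaks into the custom domain's answer; with flattening, the client never learns the target name and the leak goes away.

```python
"""Toy model: CNAME chasing vs. server-side CNAME flattening with DNS rewrites.

Constructed data only; hypothetical zone names and rules, not real DNS records.
"""

# Constructed upstream zone: the custom domain CNAMEs to a hosting name that
# has an A record but deliberately no AAAA record (as in the GitHub Pages case).
UPSTREAM = {
    "www.example.test.": {"CNAME": ["user.pages.test."]},
    "user.pages.test.": {"A": ["192.0.2.10"]},
}

# Constructed filtering-resolver rewrite: "add an AAAA for *.pages.test".
REWRITES = {
    ("*.pages.test.", "AAAA"): ["2001:db8::1"],
}


def _matches(pattern, name):
    """Wildcard match: '*.pages.test.' matches 'user.pages.test.' but not 'pages.test.'."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return name.endswith(suffix) and name != suffix.lstrip(".")
    return pattern == name


def _rewrite_lookup(name, rtype):
    for (pattern, rt), values in REWRITES.items():
        if rt == rtype and _matches(pattern, name):
            return list(values)
    return None


def upstream_lookup(name, rtype):
    """Answer an RFC-style query: the CNAME chain, then rtype records at the chain's end."""
    answer, seen = [], set()
    while name not in seen:          # guards against CNAME loops in the toy zone
        seen.add(name)
        rrs = UPSTREAM.get(name, {})
        if "CNAME" in rrs:
            target = rrs["CNAME"][0]
            answer.append((name, "CNAME", target))
            name = target
            continue
        answer.extend((name, rtype, v) for v in rrs.get(rtype, []))
        break
    return answer


def filtering_resolve(name, rtype, flatten=False):
    """Filtering resolver: a rewrite applies only to the queried name, never to CNAME targets."""
    rewritten = _rewrite_lookup(name, rtype)
    if rewritten is not None:
        return [(name, rtype, v) for v in rewritten]
    answer = upstream_lookup(name, rtype)
    if flatten:
        # Server-side flattening: drop the CNAME chain and own the final records.
        answer = [(name, rt, v) for (_, rt, v) in answer if rt != "CNAME"]
    return answer


def client_lookup(name, rtype, chase=False, flatten=False):
    """Client view of the addresses for `name`.

    chase=True mimics a client that issues a separate query for every CNAME
    target it sees and merges the results with the original answer.
    """
    addrs, queue, seen = [], [name], set()
    while queue:
        qname = queue.pop(0)
        if qname in seen:
            continue
        seen.add(qname)
        for _owner, rt, value in filtering_resolve(qname, rtype, flatten):
            if rt == "CNAME":
                if chase:
                    queue.append(value)   # direct query for the CNAME target
            elif rt == rtype:
                addrs.append(value)
    return sorted(set(addrs))


if __name__ == "__main__":
    for chase, flatten in [(False, False), (True, False), (True, True)]:
        print(f"chase={chase!s:5} flatten={flatten!s:5}",
              "A:", client_lookup("www.example.test.", "A", chase, flatten),
              "AAAA:", client_lookup("www.example.test.", "AAAA", chase, flatten))
```

The middle line of the output is the failure mode from the comment: the custom domain acquires the rewritten AAAA only because the client chased the CNAME and asked the resolver about the target by name. The third line shows that flattening removes the leak without touching the rewrite rule, and the A answer survives in both modes.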