CNAME flattening

In the DNS world, CNAME functionality has always been a thorny issue. I remember having long discussions with Simon Kelley (creator of dnsmasq, which runs on hundreds of millions of routers) on this topic. It is a powerful feature, but one that is prone to creating all sorts of problems.

One of the key mitigations in dnsmasq against runaway CNAME recursion (when in authoritative mode), for example, is that the DNS name in the CNAME target must be known to dnsmasq from /etc/hosts (or additional hosts files).

Cloudflare offers CNAME flattening at the root of domains for which they are authoritative.

When DNS filtering is an important part of a network’s security posture, the CNAME treatment is an essential component, even from our typical caching resolver stance.

CNAME flattening by default

Since version 4, adam:ONE® flattens all CNAME responses by default. This can be overridden with the following config file entry:

disable-cname-flattening

The live log at mytools.management/log as well as all log levels will only show the final result unless CNAME flattening is disabled.

Checking CNAMEs against Rules

Since version 4, all CNAMEs are still checked independently against the rules, and this behaviour is also customizable. From the version 4 documentation:

--cname-checking
    specify a way to check cnames against lists: none, all, allowlistonly,
    blocklistonly. This overrides a controller setting.

The default value, when not specified, is blocklistonly, which refers to the Blocklist Policy. When a parent domain is resolved in an Allowlist policy, CNAMEs are not checked against rules; only the FQDN in the query itself is. To change this behaviour, the above setting can be changed in the muscle configuration file.
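To make the flattening and checking behaviour concrete, here is an added Python model (not adam:ONE code) that follows a CNAME chain from a constructed answer section, guards against runaway loops, and decides which names the rule engine inspects under each --cname-checking mode. The policy/rule representation, exact-name matching, and the "every inspected name must be allowlisted" rule for Allowlist policies are assumptions of this model.

```python
from typing import Dict, List, Tuple

# Constructed answer section (owner, rrtype, rdata); not a real capture.
ANSWER: List[Tuple[str, str, str]] = [
    ("www.example.test", "CNAME", "edge.cdn.example.test"),
    ("edge.cdn.example.test", "CNAME", "tracker.bad.test"),
    ("tracker.bad.test", "A", "192.0.2.10"),
]

def flatten(qname: str, answer, max_hops: int = 8):
    """Follow the CNAME chain from qname; return (cname_targets, final_rrs).
    final_rrs is what a flattened response carries; the hop/loop guard is
    the runaway-recursion concern mentioned for dnsmasq above."""
    rrs: Dict[str, List[Tuple[str, str]]] = {}
    for owner, rtype, rdata in answer:
        rrs.setdefault(owner, []).append((rtype, rdata))
    chain: List[str] = []
    name = qname
    while True:
        records = rrs.get(name, [])
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if not cnames:
            return chain, [r for r in records if r[0] != "CNAME"]
        target = cnames[0]
        if target == qname or target in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        chain.append(target)
        name = target

def names_to_check(qname: str, chain: List[str], policy: str, mode: str):
    """Names the rule engine inspects for a --cname-checking mode (assumed model)."""
    check_cnames = (
        mode == "all"
        or (mode == "blocklistonly" and policy == "blocklist")
        or (mode == "allowlistonly" and policy == "allowlist")
    )
    return [qname] + (chain if check_cnames else [])

def evaluate(qname, answer, policy, rules, mode="blocklistonly"):
    """Return ('allow' | 'block', final_rrs); rules use exact-name matching."""
    chain, final = flatten(qname, answer)
    names = names_to_check(qname, chain, policy, mode)
    if policy == "blocklist":
        return ("block" if any(n in rules for n in names) else "allow"), final
    # Allowlist policy: every inspected name must be listed (assumption).
    return ("allow" if all(n in rules for n in names) else "block"), final
```

With the default blocklistonly mode, the query for www.example.test is blocked because its chain ends at the blocklisted tracker.bad.test, while the same chain under an Allowlist policy is only inspected when the mode is all or allowlistonly.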