CNAME forward lookup failing
Hello there,
I am not sure if this is a bug or not but I am starting to be clueless. I am using a high availability Pihole-KRESD combination for external lookups to have an ad-free network.
So far it works perfectly without much user intervention but today I stumbled into a strange behaviour of Knot Resolver as it seems not to follow all CNAMEs of a domain.
Lookup via Pi-hole + KRESD always gives me the following lookup:
dig go.zextras.com @192.168.20.105
; <<>> DiG 9.16.1-Ubuntu <<>> go.zextras.com @192.168.20.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59509
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;go.zextras.com. IN A
;; ANSWER SECTION:
go.zextras.com. 39957 IN CNAME go.pardot.com.
go.pardot.com. 2859 IN CNAME pi.pardot.com.
pi.pardot.com. 523 IN A 127.0.0.1
;; Query time: 10 msec
;; SERVER: 192.168.20.105#53(192.168.20.105)
;; WHEN: Mon Oct 25 12:02:20 CEST 2021
;; MSG SIZE rcvd: 100
The correct answer should be:
dig go.zextras.com @9.9.9.9
; <<>> DiG 9.16.1-Ubuntu <<>> go.zextras.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1953
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;go.zextras.com. IN A
;; ANSWER SECTION:
go.zextras.com. 43200 IN CNAME go.pardot.com.
go.pardot.com. 3602 IN CNAME pi.pardot.com.
pi.pardot.com. 300 IN CNAME pi-ue1.pardot.com.
pi-ue1.pardot.com. 900 IN CNAME pi.t.pardot.com.
pi.t.pardot.com. 30 IN CNAME pi-ue1-lba2.pardot.com.
pi-ue1-lba2.pardot.com. 36 IN A 52.21.178.134
;; Query time: 260 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Oct 25 12:03:28 CEST 2021
;; MSG SIZE rcvd: 166
To be totally sure I have also queried all of the DNS servers I have set up within kresd.conf. Every one of them gives me the right answer.
As mentioned: I am not sure if this is a Knot Resolver bug or if there is some kind of config parameter (e.g. just follow x CNAMEs else return 127.0.0.1).
My current configuration of KRESD would be:
-- Default empty Knot DNS Resolver configuration in -*- lua -*-
-- Switch to unprivileged user --
user('knot-resolver','knot-resolver')
-- Unprivileged
-- cache.size = 100*MB
net.listen('127.0.0.1', 5555)
net.listen('192.168.20.105', 5555)
modules = {
'policy',
'view',
'hints',
'serve_stale < cache',
'workarounds < iterate',
'stats',
'predict'
}
--Accept all requests from these subnets
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('192.168.10.0/24', function (req, qry) return policy.PASS end)
view:addr('192.168.20.0/24', function (req, qry) return policy.PASS end)
view:addr('192.168.101.0/24', function (req, qry) return policy.PASS end)
-- Drop everything that hasn't matched
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
policy.add(policy.all(policy.TLS_FORWARD({
-- {'80.241.218.68', hostname='fdns1.dismail.de'},
-- {'159.69.114.157', hostname='fdns2.dismail.de'},
-- {'89.233.43.71', hostname='unicast.censurfridns.dk'},
-- {'91.239.100.100', hostname='anycast.censurfridns.dk'},
{'46.182.19.48', hostname='dns2.digitalcourage.de'},
{'176.9.93.198', hostname='dnsforge.de'},
})))
predict.config({ window = 20, period = 72 })
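As an added triage example (not from the post and not code from Knot Resolver or Pi-hole), this Python script parses the two ANSWER sections quoted above, follows each CNAME chain, reports the last name on which the two resolvers agree, and flags a chain that ends in a loopback or unspecified address, which is what a filtering resolver typically hands back. The answer text is constructed from the dig output in the post; the function names are my own.

```python
import ipaddress
from itertools import takewhile
# Constructed sample input: the two ANSWER sections quoted in the post above.
KRESD_ANSWER = """\
go.zextras.com. 39957 IN CNAME go.pardot.com.
go.pardot.com. 2859 IN CNAME pi.pardot.com.
pi.pardot.com. 523 IN A 127.0.0.1
"""
QUAD9_ANSWER = """\
go.zextras.com. 43200 IN CNAME go.pardot.com.
go.pardot.com. 3602 IN CNAME pi.pardot.com.
pi.pardot.com. 300 IN CNAME pi-ue1.pardot.com.
pi-ue1.pardot.com. 900 IN CNAME pi.t.pardot.com.
pi.t.pardot.com. 30 IN CNAME pi-ue1-lba2.pardot.com.
pi-ue1-lba2.pardot.com. 36 IN A 52.21.178.134
"""

def parse_answer(text):
    """Owner name -> (rtype, rdata) from dig presentation format (one RR per owner)."""
    rrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            rrs[parts[0].lower()] = (parts[3], parts[4].lower())
    return rrs

def follow_chain(rrs, qname):
    """Walk CNAMEs from qname; return (names visited, terminal A address or None)."""
    chain = [qname.lower()]
    while True:
        rtype, rdata = rrs.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain, rdata if rtype == "A" else None
        if rdata in chain:      # CNAME loop in the answer: stop rather than spin
            return chain, None
        chain.append(rdata)

def is_sinkholed(addr):
    ip = ipaddress.ip_address(addr)  # loopback/unspecified: typical sinkhole answer
    return ip.is_loopback or ip.is_unspecified

def compare(qname, answer_a, answer_b):
    """Where the two chains part ways, hop counts, and whether each ends sinkholed."""
    chain_a, ip_a = follow_chain(parse_answer(answer_a), qname)
    chain_b, ip_b = follow_chain(parse_answer(answer_b), qname)
    common = list(takewhile(lambda p: p[0] == p[1], zip(chain_a, chain_b)))
    return {"last_common": common[-1][0] if common else None,
            "hops_a": len(chain_a) - 1, "hops_b": len(chain_b) - 1,
            "sinkholed_a": ip_a is not None and is_sinkholed(ip_a),
            "sinkholed_b": ip_b is not None and is_sinkholed(ip_b)}
```

Calling compare("go.zextras.com.", KRESD_ANSWER, QUAD9_ANSWER) shows both resolvers agreeing up to pi.pardot.com. and only the KRESD chain ending in a loopback address, which points at the hop where the two paths diverge rather than at CNAME handling in general.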