Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unbound refused to resolve long CNAME chain

    DHCP and DNS
    2
    4
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      johnnyxwan
      last edited by

      I am experiencing a few domains with long DNS CNAME chain and unbound returns SERVFAIL when resolving those. With the popularity of using CDN, long CNAME is more common to see. The problem is also described here:
      https://github.com/NLnetLabs/unbound/issues/438

      As mentioned in the above GitHub issue thread. The current default value is really arbitrarily low. There is a pull request related to this issue in unbound GitHub as well. Hopefully it will be merged soon. It will be good to see pfSense made this setting in the GUI as well.
      https://github.com/NLnetLabs/unbound/pull/461

      Not sure if anyone else experienced this issue. Hope to see your thoughts.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @johnnyxwan
        last edited by johnpoz

        there is a redmine tracking this

        https://redmine.pfsense.org/issues/11595

        edit: as jimp mentions in the redmine this is upstream and doesn't seem to be a way to edit the unbound.conf to change that setting. So unless unbound exposes this in the conf to be configured, will have to wait til they fix it upstream and pfsense can then use that version of unbound.

        As a work around, you should be able to setup a domain override pointing resolution of that domain to some other NS, say 8.8.8.8 or 1.1.1.1

        I don't seem to be having the issue here either.. Tested with that specific domain logincdn.msauth.net and it resolves fine. But it comes back with less than 8 cnames (only 6 chained cnames for me). Which is a freaking LOT and - don't care if cdn or not, that is horrible practice to have that many cnames chained. Stupid MS.. if you ask me..

        Personally I have not run into anything like this - where something hasn't been able to resolve that was not related to the NS for that domain being down, etc.

        While it is an interesting problem.. And I would assume unbound will up their cname limits, that many is not good dns practice if you ask me. If your chaining them at all you should really rethink your dns strategy ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        J 1 Reply Last reply Reply Quote 1
        • J
          johnnyxwan @johnpoz
          last edited by

          @johnpoz I found that thread as well, but it didn't mention the pull request I mentioned. In that pull request, a setting is exposed where it is possible for pfSense to put into the GUI when it is merged.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @johnnyxwan
            last edited by johnpoz

            There you go - once that is done, and the new version becomes available downstream.. If there is just a setting to up it. Then either pfsense can add it to the gui in the form of a number you set, or as with some of the more advanced unbound stuff you can just put it in the option box.

            Until that time the domain override should work for domains you run into such an issue with.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 1
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.