Unbound refused to resolve long CNAME chain
-
I am experiencing a few domains with long DNS CNAME chains, and unbound returns SERVFAIL when resolving those. With the popularity of using CDNs, long CNAME chains are more common to see. The problem is also described here:
https://github.com/NLnetLabs/unbound/issues/438
As mentioned in the above GitHub issue thread, the current default value is really arbitrarily low. There is a pull request related to this issue in the unbound GitHub as well. Hopefully it will be merged soon. It would be good to see pfSense make this setting available in the GUI as well.
https://github.com/NLnetLabs/unbound/pull/461
Not sure if anyone else has experienced this issue. Hope to see your thoughts.
-
There is a redmine tracking this:
https://redmine.pfsense.org/issues/11595
Edit: as jimp mentions in the redmine, this is upstream and there doesn't seem to be a way to edit the unbound.conf to change that setting. So unless unbound exposes this in the conf to be configured, we will have to wait until they fix it upstream and pfSense can then use that version of unbound.
As a workaround, you should be able to set up a domain override pointing resolution of that domain to some other NS, say 8.8.8.8 or 1.1.1.1.
I don't seem to be having the issue here either.. Tested with that specific domain logincdn.msauth.net and it resolves fine. But it comes back with less than 8 cnames (only 6 chained cnames for me). Which is a freaking LOT and - don't care if cdn or not, that is horrible practice to have that many cnames chained. Stupid MS.. if you ask me..
Personally I have not run into anything like this - where something hasn't been able to resolve that was not related to the NS for that domain being down, etc.
While it is an interesting problem.. And I would assume unbound will up their cname limits, that many is not good dns practice if you ask me. If you're chaining them at all you should really rethink your dns strategy ;)
-
@johnpoz I found that thread as well, but it didn't mention the pull request I mentioned. In that pull request, a setting is exposed where it is possible for pfSense to put into the GUI when it is merged.
-
There you go - once that is done, and the new version becomes available downstream.. If there is just a setting to up it, then either pfSense can add it to the GUI in the form of a number you set, or as with some of the more advanced unbound stuff you can just put it in the option box.
Until that time the domain override should work for domains you run into such an issue with.
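The thread above counts CNAME hops by hand; as an added example (not code from the thread or from Unbound), this script parses `dig +noall +answer` output, follows the chain from the queried name, and flags chains that reach the 8-hop count the thread associates with SERVFAIL, so you can check which domains need a domain override before users hit the failure. The sample answer section and the 8-hop threshold are constructed assumptions, and the script also detects dangling chains and CNAME loops, which the thread does not cover.

```python
import re
import sys

# CNAME hop count the thread cites as the point where Unbound fails (assumed threshold).
CNAME_LIMIT = 8

# Constructed sample `dig +noall +answer` output (not a real capture).
SAMPLE_ANSWER = """\
www.example.test.    300  IN  CNAME  edge.cdn-a.test.
edge.cdn-a.test.     300  IN  CNAME  pop.cdn-b.test.
pop.cdn-b.test.       60  IN  CNAME  lb.cdn-c.test.
lb.cdn-c.test.        60  IN  A      192.0.2.10
"""

# owner TTL IN type rdata; comment lines (";; ...") never match because TTL must be numeric.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")


def canon(name):
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def parse_answer(text):
    """Parse dig answer lines into (owner, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.append((canon(owner), rtype.upper(), rdata))
    return records


def follow_cname_chain(text, qname):
    """Walk CNAMEs from qname. Returns (hops, terminal_name, status) where status is
    'ok' (chain ends in an A/AAAA record), 'dangling' (no terminal record) or 'loop'."""
    records = parse_answer(text)
    cnames = {o: canon(r) for o, t, r in records if t == "CNAME"}
    name, hops, seen = canon(qname), 0, set()
    while name in cnames:
        if name in seen:
            return hops, name, "loop"
        seen.add(name)
        name = cnames[name]
        hops += 1
    terminal = any(o == name and t in ("A", "AAAA") for o, t, _ in records)
    return hops, name, "ok" if terminal else "dangling"


def exceeds_limit(hops, limit=CNAME_LIMIT):
    """True when the chain reaches the hop count the thread associates with SERVFAIL."""
    return hops >= limit


if __name__ == "__main__":
    # Usage: dig +noall +answer <name> | python3 cname_chain.py <name>
    qname = sys.argv[1] if len(sys.argv) > 1 else "www.example.test"
    data = SAMPLE_ANSWER if sys.stdin.isatty() else sys.stdin.read()
    hops, end, status = follow_cname_chain(data, qname)
    flag = " EXCEEDS LIMIT" if exceeds_limit(hops) else ""
    print(f"{qname}: {hops} CNAME hop(s) -> {end} [{status}]{flag}")
```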