Unbound's CNAME chasing causing Microsoft domains resolved to abroad CDN #487
Comments
Yes, and they already do (you can find many of Apple's akadns targets in apple.china.conf, for example). Some of them even come from the time when I used unbound myself. I generally accept submissions for them, but as long as I use dnsmasq or smartdns, I don't need it myself and won't be able to observe more instances like this. I'll still be accepting these contributions.
To be on the safe side, I would prefer to maintain only
How about
No, it's also the direct CNAME target of
Oh yes, the criterion of "resolving to mainland China IPs in China but not outside China" applies to the final A records, not to the intermediate CNAME records.
I have an Unbound server with dnsmasq-china-list configured as forward zones. Recently I found that despite being in the list and having domestic CDNs, some domains were still resolved to abroad CDNs (e.g. `www.microsoft.com`).

According to the section Forward Zone Options, `unbound.conf(5)` and NLnetLabs/unbound#132

So the issue seems to be: Unbound re-resolves CNAMEs by itself with its configuration, while `www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.` is not matched by dnsmasq-china-list, so it goes to the default (abroad) DNS resolver.

My questions are:

`www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.`, `edgekey.net.globalredir.akadns.net.`, or an even broader one?

For now, I just added a `globalredir.akadns.net.` forward zone in my Unbound config and it solved the Microsoft case at least. Although I'm a little bit nervous about leaking my foreign website access logs to the local ISP and… I'm less worried about false positives since DNS polluting is less common on CDNs' CNAME domains (are they?) and they just go to the proxy anyway under my network setup.
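To make the gap described in this issue checkable before a query leaks to the default upstream, here is an added example (not code from the issue, Unbound, or dnsmasq-china-list): it walks the quoted CNAME chain against a set of forward zones using a label-boundary suffix match and reports every name that would escape the forward zones, then renders the forward-zone stanza the reporter added. The forward-zone list and the 192.0.2.53 upstream address are placeholders, not the project's data.

```python
from typing import Iterable, List, Optional


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")


def covering_zone(name: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific forward zone covering `name`, or None.

    A zone covers a name only if the name equals it or is a subdomain of it
    (suffix match on a label boundary). A plain substring test would wrongly
    treat 'www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.' as
    covered by 'microsoft.com', which is exactly the case that misleads here.
    """
    n = normalize(name)
    best: Optional[str] = None
    for zone in zones:
        z = normalize(zone)
        if (n == z or n.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def uncovered_names(chain: Iterable[str], zones: Iterable[str]) -> List[str]:
    """Names in a CNAME chain that no forward zone covers: the ones Unbound
    sends to its default upstream when it chases the chain by itself."""
    zones = list(zones)
    return [n for n in chain if covering_zone(n, zones) is None]


def forward_zone_stanza(zone: str, servers: Iterable[str]) -> str:
    """Render an unbound.conf forward-zone block (see Forward Zone Options)."""
    lines = ["forward-zone:", f'    name: "{normalize(zone)}."']
    lines += [f"    forward-addr: {s}" for s in servers]
    return "\n".join(lines) + "\n"


# Constructed sample: the CNAME chain quoted in the issue. The zone list and
# the 192.0.2.53 upstream are placeholders for illustration only.
CHAIN = [
    "www.microsoft.com",
    "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.",
]
ZONES = ["microsoft.com"]

if __name__ == "__main__":
    print("escapes forward zones:", uncovered_names(CHAIN, ZONES))
    # The fix the reporter applied: forward the intermediate's parent zone too.
    print(forward_zone_stanza("globalredir.akadns.net", ["192.0.2.53"]))
    print("after fix:", uncovered_names(CHAIN, ZONES + ["globalredir.akadns.net"]))
```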
forward zone in my Unbound config and it solved the Microsoft case at least. Although I'm a little bit nervous about leaking my foreign websites access log to local ISP and… I'm less worry about false positive since the DNS polluting are less common on CDN's CNAME domains (are they?) and they just go to proxy anyway under my network setup.The text was updated successfully, but these errors were encountered: