CNAME for upstream DNS

I'm trying to set up safe search on duckduckgo.com. According to their documentation here, I should add an alias for duckduckgo.com, pointing to safe.duckduckgo.com.

I'm thinking of doing this using a CNAME. However, I see my config only works for local domains, and it's not working with domains from upstream DNS servers.

This is my dnsmasq config:

root@OpenWrt:~# uci show dhcp.dnsmasq_kids
dhcp.dnsmasq_kids=dnsmasq
dhcp.dnsmasq_kids.domainneeded='1'
dhcp.dnsmasq_kids.localise_queries='1'
dhcp.dnsmasq_kids.rebind_protection='1'
dhcp.dnsmasq_kids.expandhosts='1'
dhcp.dnsmasq_kids.readethers='1'
dhcp.dnsmasq_kids.nonwildcard='1'
dhcp.dnsmasq_kids.localservice='1'
dhcp.dnsmasq_kids.local='/lan/'
dhcp.dnsmasq_kids.domain='lan'
dhcp.dnsmasq_kids.interface='kids'
dhcp.dnsmasq_kids.notinterface='loopback'
dhcp.dnsmasq_kids.authoritative='1'
dhcp.dnsmasq_kids.addnhosts='/etc/hosts.d'
dhcp.dnsmasq_kids.logqueries='1'
dhcp.dnsmasq_kids.server='208.67.222.123' '208.67.220.123'

root@OpenWrt:~# uci show dhcp.cname_duck
dhcp.cname_duck=cname
dhcp.cname_duck.cname='duckduckgo.com'
dhcp.cname_duck.target='safe.duckduckgo.com'

With this config, the CNAME doesn't seem to work:

user@pc:~$ dig +noall +answer duckduckgo.com A @192.168.201.1
duckduckgo.com.		19	IN	A	107.20.240.232

However, if I make this change:

root@OpenWrt:~# uci show dhcp.cname_duck
dhcp.cname_duck=cname
dhcp.cname_duck.cname='duckduckgo.com'
dhcp.cname_duck.target='openwrt.lan'

Then it works:

user@pc:~$ dig +noall +answer duckduckgo.com A @192.168.201.1
duckduckgo.com.		0	IN	CNAME	OpenWrt.lan.
OpenWrt.lan.		0	IN	A	192.168.201.1

I'm using OpenWrt 18.06.8.

Any suggestions about what to do to implement this kind of alias?

You'll need to also add an A record like

config domain
       option name 'safe.duckduckgo.com'
       option ip '107.20.240.232'

OK, I understand. However, that means I won't be using the A records from duckduckgo, which could change and which also implement redundancy and failover. I would be just stuck with one IP address. I know the risk is not too high for their IP address to change, but maybe a better option exists.

Isn't there any way to instruct dnsmasq to resolve the CNAME record alone, but relay the A record to upstream servers?

I wasn't able to find anything else, and I am not able to reproduce it exactly, as I am not using the dnsmasq in OpenWrt for anything other than local addresses.
I hope that someone else might be able to help you more.
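
Added example, not part of the thread or of OpenWrt: dnsmasq only answers a CNAME whose target it knows locally (hosts files or DHCP), which is why the static A record is needed. This sketch keeps that local record in step with upstream by converting `dig +noall +answer` output into entries for the `/etc/hosts.d` addnhosts directory shown above; the file name, function names and sample answer are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build addn-hosts entries from `dig +noall +answer` output.
TARGET='safe.duckduckgo.com'               # CNAME target from the thread
HOSTS_FILE='/etc/hosts.d/safesearch'       # assumed file name in the addnhosts dir

# stdin: answer lines; stdout: "IP name" for each distinct, valid IN A record.
# CNAME lines in the chain and malformed addresses are skipped.
answers_to_hosts() {
    awk -v name="$1" '
        $3 == "IN" && $4 == "A" {
            n = split($5, o, ".")
            ok = (n == 4)
            for (i = 1; i <= 4 && ok; i++)
                if (o[i] !~ /^[0-9]+$/ || (o[i] + 0) > 255) ok = 0
            if (ok && !seen[$5]++) print $5, name
        }'
}

# Replace the hosts file only when at least one address was parsed, so a
# failed upstream lookup never wipes the entries dnsmasq is already serving.
update_hosts_file() {                      # $1 = name, $2 = file, stdin = answers
    tmp="$2.tmp.$$"
    answers_to_hosts "$1" > "$tmp"
    if [ -s "$tmp" ]; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample answer (documentation addresses, not real DuckDuckGo IPs).
sample_answers() {
    cat <<'EOF'
safe.duckduckgo.com. 60 IN CNAME edge.example.net.
edge.example.net. 60 IN A 192.0.2.10
edge.example.net. 60 IN A 192.0.2.11
edge.example.net. 60 IN A 192.0.2.11
edge.example.net. 60 IN A 999.0.2.1
EOF
}

# Demo on the sample. With dig available, feed real answers queried directly
# from an upstream server (not from this dnsmasq instance) instead, e.g.:
#   dig +noall +answer "$TARGET" A @208.67.222.123 | update_hosts_file "$TARGET" "$HOSTS_FILE"
sample_answers | answers_to_hosts "$TARGET"
```

dnsmasq re-reads its hosts files when it receives SIGHUP, so a periodic job would signal it after a successful update.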