"Have you tried whether Pi-hole has the same problem? It should not!

Background: Pi-hole FTL does not only embed dnsmasq but also extends it. Among others, we add a feature we call "deep CNAME inspection" that traverses the entire CNAME path (even multi-level) and short-circuits as soon as something to be blocked has been found. This is then cached for the *original* query so any new query can be blocked right away without having to walk the CNAME path again. Unfortunately, deep CNAME inspection as a feature is not easily portable to dnsmasq as it relies on the respective information being available in a binary search tree. Surely not impossible to either bring this into a form that could be embedded directly or bring the tree into dnsmasq, but those are tasks we have no manpower for and I doubt anyone else could really do that at this point in time. Whether such a big rewrite would be accepted by the dnsmasq maintainer is another question. I'd rather tend towards a "no".

Re your comment about being ignored by dnsmasq maintainers: Note that dnsmasq is maintained solely by Simon Kelley. Only he is authoritative for what happens and what does not. We all know there are people on the mailing list who act like they have something to say but, ultimately, they don't. It is just difficult to reach Simon, even for us who have known him for years. Eventually, he appears and replies, but there are also months of silence. That's nothing unusual at all for dnsmasq.

Hope that answers your question.
Dominik"

FYI, Pi-hole and DNSCrypt seem to have CNAME filtering. Guess I need to switch to it if you don't fix this security issue.

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
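As an added illustration of the "deep CNAME inspection" Dominik describes above (walk the whole CNAME chain, short-circuit at the first blocked name, cache the verdict against the original query name), here is a small constructed model. It is example code written for this thread, not Pi-hole FTL's or dnsmasq's implementation; the CNAME data, blocklist, names and the `CnameInspector` class are all assumptions made up for the demo, and the loop guard is added so that a malformed CNAME cycle cannot stall the walk.

```python
"""Deep CNAME inspection, as a constructed demo (not Pi-hole FTL code)."""

# Constructed CNAME data: name -> CNAME target. A name not listed here
# is a terminal name (e.g. it has an A/AAAA record instead of a CNAME).
CNAME_RECORDS = {
    "metrics.example.com.": "cname1.example-analytics.net.",
    "cname1.example-analytics.net.": "collector.tracker-example.net.",
    "www.example.org.": "edge.cdn-example.net.",
    "loop-a.example.test.": "loop-b.example.test.",   # deliberate CNAME loop
    "loop-b.example.test.": "loop-a.example.test.",
}

# Constructed blocklist; subdomains of a listed name are blocked as well.
BLOCKLIST = {"collector.tracker-example.net."}

MAX_CNAME_DEPTH = 10  # bounds the walk even if a loop slips past the seen-set


class CnameInspector:
    def __init__(self, cname_records, blocklist):
        self.cname_records = cname_records
        self.blocklist = blocklist
        self.cache = {}    # original query name -> (blocked, blocked_name)
        self.walks = 0     # number of full chain walks, to show cache hits

    def is_blocked(self, name):
        # Exact match or subdomain match against the blocklist.
        return name in self.blocklist or any(
            name.endswith("." + b) for b in self.blocklist)

    def inspect(self, qname):
        """Return (blocked, blocked_name) for the ORIGINAL query name."""
        if qname in self.cache:          # cached verdict: no chain walk needed
            return self.cache[qname]
        self.walks += 1
        verdict, name, seen = (False, None), qname, set()
        for _ in range(MAX_CNAME_DEPTH):
            if self.is_blocked(name):    # short-circuit at the first hit
                verdict = (True, name)
                break
            if name in seen:             # CNAME loop: stop, nothing blocked so far
                break
            seen.add(name)
            target = self.cname_records.get(name)
            if target is None:           # end of chain, nothing was blocked
                break
            name = target
        self.cache[qname] = verdict      # cache against the original name
        return verdict
```

A second `inspect()` of the same name returns the cached verdict without walking the chain again, which is the point of caching for the original query rather than for the intermediate CNAME targets.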
