Overview
This KBA is targeted at users of DNS caching servers where DNS resolution does not match expected policy and reporting for CNAME record domains. Example DNS caching servers include BIND with caching enabled and Infoblox.
Impact
The observed impact is DNS resolution that does not match policy when an A-record request for an allowed domain is answered by a CNAME pointing to an A-record on a different, blocked domain.
For example, domain.com is allowed, blocked.com is blocked, and domain.com is a CNAME record pointing to blocked.com, which has an A-record. The issue presents itself as an allowed domain being blocked with no such event logged on the Dashboard.
Cause
The root cause of this issue is DNS caching for CNAME records pointing to a different domain, where the target domain is blocked. Since the domain is allowed, the Umbrella resolvers flag the entire query as allowed, and that allowed status is carried down the CNAME chain. This results in an allowed query.
Since TTLs vary between domains, and Umbrella block records for malicious categories have a TTL of zero, the caching server can answer part of a CNAME chain from its cache and forward only the remainder to Umbrella, which interferes with how policy is applied.
Here we will use the scenario where domain.com is allowed, blocked.com is blocked, and domain.com is a CNAME record pointing to blocked.com, which has an A-record.
Initial query:
A-record for domain.com: Allow list, CNAME for blocked.com -> A-record query for blocked.com, coming from a CNAME, allow bit passed inside Umbrella - A-record for blocked.com returned.
Analysis: Queries made to Umbrella: domain.com -> blocked.com. Result: Allowed. Umbrella logs domain.com as allowed, blocked.com as allowed.
Subsequent query:
A-record for domain.com: CACHED - it's a CNAME for blocked.com -> A-record query for blocked.com: CACHED - A-record for blocked.com returned.
Analysis: Queries made to Umbrella: None. No Umbrella logs.
Future query (triggers the issue):
A-record for domain.com: CACHED - it's a CNAME for blocked.com -> A-record query for blocked.com (standalone query - CNAME was cached) - blocked.
Analysis: Queries made to Umbrella: blocked.com. Result: Blocked. Umbrella logs blocked.com as blocked.
Resolution
There are several methods to resolve this impact:
- Disable DNS caching for DNS forwarded to Umbrella. This will prevent this issue from occurring.
- Allow the CNAME target domains in the Umbrella Dashboard as they arise.
- Avoid caching the CNAME record type, or selectively disable caching for impacted domains as they are identified.
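The three-query sequence from the Cause section, and the effect of disabling caching, can be reproduced with a small simulation. This is an added example, not Umbrella or BIND code: the class names, the TTL values (CNAME 300 s, A-record 60 s), the 192.0.2.10 address and the BLOCK-PAGE marker are all constructed for illustration.

```python
# Constructed model: names follow the article; TTLs and the address are sample values.
ALLOW, BLOCK = {"domain.com"}, {"blocked.com"}
ZONE = {  # owner -> (type, value, TTL in seconds); the CNAME outlives the A-record
    "domain.com": ("CNAME", "blocked.com", 300),
    "blocked.com": ("A", "192.0.2.10", 60),
}

class Upstream:
    """Policy resolver: an allow-listed name passes its allow bit down the CNAME chain."""
    def __init__(self):
        self.log = []  # (name, verdict) per name evaluated; stands in for the Umbrella log

    def resolve(self, name):
        inherited, chain = False, []
        while True:
            allowed = inherited or name not in BLOCK
            self.log.append((name, "allowed" if allowed else "blocked"))
            if not allowed:
                return chain + [(name, "A", "BLOCK-PAGE", 0)]  # block records: TTL 0
            rtype, value, ttl = ZONE[name]
            chain.append((name, rtype, value, ttl))
            if rtype == "A":
                return chain
            inherited, name = inherited or name in ALLOW, value

class CachingForwarder:
    """Local caching server that forwards cache misses to the upstream resolver."""
    def __init__(self, upstream, caching=True):
        self.up, self.caching, self.cache = upstream, caching, {}

    def lookup(self, name, now):
        while True:
            hit = self.cache.get(name)
            if not hit or hit[2] <= now:  # miss or expired: forward this name only
                records = self.up.resolve(name)
                for owner, rtype, value, ttl in records:
                    if self.caching and ttl > 0:
                        self.cache[owner] = (rtype, value, now + ttl)
                return records[-1][2]
            if hit[0] == "A":
                return hit[1]
            name = hit[1]  # follow the cached CNAME to its target

def run(caching):
    """Query domain.com at t=0, 30 and 120 s; return the answers and the upstream log."""
    up = Upstream()
    fwd = CachingForwarder(up, caching)
    return [fwd.lookup("domain.com", t) for t in (0, 30, 120)], up.log
```

With `run(True)` the third lookup of domain.com returns the block marker while the upstream log holds only a blocked.com event for it; with `run(False)` every lookup reaches the upstream as a full chain and is allowed.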