Unbound's CNAME chasing causing Microsoft domains resolved to abroad CDN #487

Open
sorz opened this issue Nov 19, 2023 · 4 comments

Comments

@sorz
Contributor

sorz commented Nov 19, 2023

I have an Unbound server with dnsmasq-china-list configured as forward zones. Recently I found that, despite being in the list and having domestic CDNs, some domains were still resolved to abroad CDNs (e.g. www.microsoft.com).

$ dig www.microsoft.com +short  # Local Unbound server w/ dnsmasq-china-list
www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
e13678.dscb.akamaiedge.net.
23.207.174.4  # Japan Akamai

$ dig www.microsoft.com @114.114.114.114 +short
www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
e13678.ca2.s.tl88.net.
27.148.139.88  # ChinaNet

According to the section Forward Zone Options, unbound.conf(5) and NLnetLabs/unbound#132

CNAMEs are chased by Unbound itself, asking the remote server for every name in the indirection chain, to protect the local cache from illegal indirect referenced items.

So the issue seems to be: Unbound re-resolves CNAMEs by itself with its configuration, while www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. is not matched by dnsmasq-china-list, so it goes to the default (abroad) DNS resolver.

My questions are:

  • Do intermediate CDN domains qualify to be in the list?
  • If yes, at which level should such domains be in the list: www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., edgekey.net.globalredir.akadns.net., or an even broader one?

For now, I just added a globalredir.akadns.net. forward zone in my Unbound config and it solved the Microsoft case at least. Although I'm a little bit nervous about leaking my foreign website access log to the local ISP and… I'm less worried about false positives since DNS pollution is less common on CDNs' CNAME domains (is it?) and they just go to the proxy anyway under my network setup.
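To make the mechanism in this report concrete, here is a small model of what Unbound's CNAME chasing does to forward-zone matching. This is an added example, not code from the issue, from Unbound, or from the dnsmasq-china-list project. It assumes that each name in the chain is looked up independently and routed to the most specific (longest label suffix) forward zone that encloses it, with unmatched names going to the default upstream, and it uses the CNAME chain from the dig output above as constructed sample data. The `DEFAULT_UPSTREAM` label and the single `microsoft.com.` forward zone are assumptions for illustration.

```python
"""Model of Unbound forward-zone matching under CNAME chasing (added example)."""
from typing import Dict, List, Optional, Tuple

# Assumed label for names that no forward zone covers (they go to the default upstream).
DEFAULT_UPSTREAM = "default upstream (abroad)"
DOMESTIC = "114.114.114.114"  # the domestic resolver used in the issue

# Constructed sample: one forward zone, as if only microsoft.com were in the list.
FORWARD_ZONES: Dict[str, str] = {"microsoft.com.": DOMESTIC}

# Constructed from the dig output in the issue: every alias Unbound will
# re-query while chasing the chain. The final A-record owner is left out
# because it differs depending on which server answered the akadns step.
CHAIN = [
    "www.microsoft.com.",
    "www.microsoft.com-c-3.edgekey.net.",
    "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.",
]


def normalize(name: str) -> str:
    """Lowercase a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def labels(name: str) -> List[str]:
    """Split a name into its labels, dropping the empty root label."""
    return [lab for lab in normalize(name).split(".") if lab]


def match_forward_zone(name: str, zones: Dict[str, str]) -> Optional[str]:
    """Return the most specific forward zone whose labels are a suffix of `name`.

    Matching is label-wise, so 'www.microsoft.com-c-3.edgekey.net.' is NOT
    inside 'microsoft.com.' even though the string contains 'microsoft.com'.
    """
    n = labels(name)
    best, best_len = None, -1
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(n) and n[len(n) - len(z):] == z and len(z) > best_len:
            best, best_len = normalize(zone), len(z)
    return best


def trace_chain(chain: List[str], zones: Dict[str, str]) -> List[Tuple[str, str]]:
    """For each name in the chased chain, report which server the query goes to."""
    out = []
    for name in chain:
        zone = match_forward_zone(name, zones)
        out.append((normalize(name), zones[zone] if zone else DEFAULT_UPSTREAM))
    return out


def uncovered_names(chain: List[str], zones: Dict[str, str]) -> List[str]:
    """Names in the chain that fall through to the default upstream."""
    return [n for n, server in trace_chain(chain, zones) if server == DEFAULT_UPSTREAM]


def unbound_forward_zone(name: str, addr: str) -> str:
    """Render an unbound.conf forward-zone stanza for one name."""
    return 'forward-zone:\n    name: "%s"\n    forward-addr: %s\n' % (normalize(name), addr)


if __name__ == "__main__":
    for name, server in trace_chain(CHAIN, FORWARD_ZONES):
        print(f"{name:60s} -> {server}")
    print("\nStanzas that would cover the leaked names:\n")
    for name in uncovered_names(CHAIN, FORWARD_ZONES):
        print(unbound_forward_zone(name, DOMESTIC))
```

Running it shows only `www.microsoft.com.` reaching the domestic server while both edgekey/akadns aliases go to the default upstream; adding a `globalredir.akadns.net.` zone covers the third name but still leaves `www.microsoft.com-c-3.edgekey.net.` uncovered, which is why the intermediate alias needs its own entry.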

@felixonmars
Owner

  • Do intermediate CDN domains qualify to be in the list?

Yes, and they already do (you can find many of Apple's akadns targets in apple.china.conf, for example). Some of them even come from the time when I used unbound myself. I generally accept submissions for them, but as long as I use dnsmasq or smartdns, I don't need it myself and won't be able to observe more instances like this. I'll still be accepting these contributions.

  • If yes, at which level should such domains be in the list: www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., edgekey.net.globalredir.akadns.net., or an even broader one?

To be on the safe side, I would prefer to maintain only www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. level aliases as they can be easily verified and (semi) auto-removed when they are no longer applicable.

@sorz
Contributor Author

sorz commented Nov 28, 2023

How about www.microsoft.com-c-3.edgekey.net.? It doesn't meet either of the two criteria, so do we leave it out?

@felixonmars
Owner

No, it's also the direct CNAME target of www.microsoft.com and could be included as well.

@sorz
Contributor Author

sorz commented Nov 28, 2023

Oh yes, the criterion of "resolving to mainland China IPs in China but not outside China" applies to the final A records, not to the intermediate CNAME records.
