[Dnsmasq-discuss] Adblock Ineffective: CNAME overriding the cache, making the blocklist ineffective

e ethern at riseup.net
Wed Sep 24 09:57:01 UTC 2025


> Short Summary
DNSMASQ failed to block the domain when it was queried through an internal CNAME
loop, resulting in an overwritten cache and rules no longer being obeyed.

> Summary
Many people, including some famous ad-blockers, use DNSMASQ to block
unwanted domains and their subdomains.
They expect the software to actually block the request. However, it was
found that DNSMASQ failed to block the domain if it was pre-requested by
CNAME via another FQDN. This may result in information and privacy leakage.

> Steps to Reproduce

1. Add the following to your dnsmasq.conf or its conf-dir config file.
(The 'address=/line-apps.com/#' line is important here.)

====
cache-rr=NS
cache-size=8000
dnssec-no-timecheck
domain-needed
filter-AAAA
filter-rr=AAAA,NS,MX,TXT,HTTPS,PTR,SRV
filterwin2k
local-ttl=3600
log-facility=/var/log/dnsmasq.log
log-queries
min-cache-ttl=3600
address=/line-apps.com/#
====

In my case:
conf-dir=/git_mirror/dnsbl,*.conf
/git_mirror/dnsbl/naver.conf has:
address=/line-apps-beta.com/#
address=/line-apps-rc.com/#
address=/line-apps.com/#
address=/line-beta.me/#
address=/line-cdn.net/#
address=/line-scdn.net/#

2. As root, run "systemctl restart dnsmasq".

3. Run "dig ldblog-image-cdn.line-apps.com A"; the answer SHOULD be
"0.0.0.0", which is correct.

4. Next, run "dig livedoor.blogimg.jp A"; the answer is the CNAMEd
akamai.net IP address, which is correct.

5. Now, Run "dig ldblog-image-cdn.line-apps.com A" again.

> Expected Result

The answer to "dig ldblog-image-cdn.line-apps.com A" SHOULD be "0.0.0.0"
because of the address=/line-apps.com/# rule.

> Actual Answer
ldblog-image-cdn.line-apps.com. 3567 IN CNAME  blgimg.line-apps.com.akadns.net.
blgimg.line-apps.com.akadns.net. 3567 IN CNAME  livedoor.edgesuite.net.
livedoor.edgesuite.net. 3567    IN      CNAME   a1887.w73.akamai.net.
a1887.w73.akamai.net.   3567    IN      A       2.17.251.20
a1887.w73.akamai.net.   3567    IN      A       23.216.134.101

It is returning the CNAMEd IP address and ignoring the
address=/line-apps.com/# rule.

> Expecting Solution
- The internal CNAME request SHOULD NOT overwrite the cache.
- When the user queries A/AAAA, DNSMASQ should look up the cache with the
appropriate query type, like:

[ Cache ]
ldblog-image-cdn.line-apps.com | A | 0.0.0.0 (By Rule)
ldblog-image-cdn.line-apps.com | AAAA | :: (By Rule)
ldblog-image-cdn.line-apps.com | CNAME(AutoQueried) | blgimg.line-apps.com.akadns.net.
ldblog-image-cdn.line-apps.com | CNAME | blgimg.line-apps.com.akadns.net.

"dig ldblog-image-cdn.line-apps.com A" must return "0.0.0.0",
"livedoor.blogimg.jp A" -CNAME->
"ldblog-image-cdn.line-apps.com|INTERNAL" -->
blgimg.line-apps.com.akadns.net
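The cache interaction proposed above, as an added toy model (example code written for this page, not dnsmasq's own cache implementation). It replays steps 3 to 5 against two caches: a naive one keyed by owner name only, where an RRset learned while walking a CNAME chain overwrites the rule-generated answer, and a rule-aware one keyed by (owner, rrtype), where rules are consulted before the cache and a rule-derived entry is never replaced by chain data. The upstream zone data is constructed for the example (it assumes livedoor.blogimg.jp's chain runs through the blocked name, as the sketch above shows); `NaiveCache`, `RuleAwareCache`, `upstream_chain` and `bypassed` are names invented here.

```python
"""Toy model of the report's cache interaction (added example, not dnsmasq code).
A CNAME chain learned while answering one query must not shadow the synthetic
answer an address=/.../# rule produces for a directly queried name."""
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]            # (owner name, rrtype)
RR = Tuple[str, str, str]        # (owner name, rrtype, rdata)

BLOCK_SUFFIXES = ("line-apps.com",)   # mirrors address=/line-apps.com/#
SINKHOLE_A = "0.0.0.0"


def is_blocked(name: str) -> bool:
    """True when name is the blocked suffix itself or any label below it."""
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in BLOCK_SUFFIXES)


# Constructed upstream data (assumption for this example, modelled on the dig
# output in the report; the livedoor.blogimg.jp hop is assumed).
UPSTREAM: Dict[Key, List[str]] = {
    ("livedoor.blogimg.jp", "CNAME"): ["ldblog-image-cdn.line-apps.com"],
    ("ldblog-image-cdn.line-apps.com", "CNAME"): ["blgimg.line-apps.com.akadns.net"],
    ("blgimg.line-apps.com.akadns.net", "CNAME"): ["livedoor.edgesuite.net"],
    ("livedoor.edgesuite.net", "CNAME"): ["a1887.w73.akamai.net"],
    ("a1887.w73.akamai.net", "A"): ["2.17.251.20", "23.216.134.101"],
}


def upstream_chain(name: str) -> List[Tuple[Key, List[str]]]:
    """Every RRset a forwarder learns when it asks upstream for A of `name`."""
    seen: Set[str] = set()
    out: List[Tuple[Key, List[str]]] = []
    while name not in seen:                  # loop guard for CNAME cycles
        seen.add(name)
        if (name, "CNAME") in UPSTREAM:
            out.append(((name, "CNAME"), UPSTREAM[(name, "CNAME")]))
            name = UPSTREAM[(name, "CNAME")][0]
        else:
            out.append(((name, "A"), UPSTREAM.get((name, "A"), [])))
            break
    return out


class NaiveCache:
    """Keyed by owner name only; every learned RRset replaces the old entry."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, List[str]]] = {}

    def _from_cache(self, name: str) -> List[RR]:
        out: List[RR] = []
        seen: Set[str] = set()
        while name in self.cache and name not in seen:
            seen.add(name)
            rrtype, rdata = self.cache[name]
            out += [(name, rrtype, r) for r in rdata]
            if rrtype != "CNAME":
                break
            name = rdata[0]
        return out

    def query_a(self, name: str) -> List[RR]:
        if name not in self.cache:
            if is_blocked(name):
                self.cache[name] = ("A", [SINKHOLE_A])
            else:
                for (owner, rrtype), rdata in upstream_chain(name):
                    self.cache[owner] = (rrtype, rdata)   # clobbers a rule entry
        return self._from_cache(name)


class RuleAwareCache:
    """Keyed by (owner, rrtype); rules are checked before the cache, and a
    rule-derived entry is never overwritten by records learned from a chain."""

    def __init__(self) -> None:
        self.cache: Dict[Key, List[str]] = {}
        self.rule_keys: Set[Key] = set()

    def _from_cache(self, name: str) -> List[RR]:
        out: List[RR] = []
        seen: Set[str] = set()
        while name not in seen:
            seen.add(name)
            if (name, "CNAME") in self.cache:
                out += [(name, "CNAME", r) for r in self.cache[(name, "CNAME")]]
                name = self.cache[(name, "CNAME")][0]
            else:
                out += [(name, "A", r) for r in self.cache.get((name, "A"), [])]
                break
        return out

    def query_a(self, name: str) -> List[RR]:
        if is_blocked(name):                     # rule wins before any lookup
            self.cache[(name, "A")] = [SINKHOLE_A]
            self.rule_keys.add((name, "A"))
            return [(name, "A", SINKHOLE_A)]
        if (name, "A") not in self.cache and (name, "CNAME") not in self.cache:
            for key, rdata in upstream_chain(name):
                if key not in self.rule_keys:    # never overwrite a rule answer
                    self.cache[key] = rdata
        return self._from_cache(name)


def bypassed(cache) -> bool:
    """Replay the report's steps 3-5; True if the final answer is not the sinkhole."""
    blocked = "ldblog-image-cdn.line-apps.com"
    cache.query_a(blocked)                  # step 3: expected 0.0.0.0
    cache.query_a("livedoor.blogimg.jp")    # step 4: chain passes through it
    return cache.query_a(blocked) != [(blocked, "A", SINKHOLE_A)]   # step 5
```

With the naive cache `bypassed(NaiveCache())` is True, reproducing the report; with the rule-aware cache it is False, and after step 4 the cache holds both `(ldblog-image-cdn.line-apps.com, A)` from the rule and `(ldblog-image-cdn.line-apps.com, CNAME)` from the chain, which is the layout sketched in the cache table above. The chain walk still follows the CNAME through the blocked hop, so livedoor.blogimg.jp keeps resolving to the akamai addresses as step 4 expects.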
