[Dnsmasq-discuss] Adblock Ineffective: CNAME overriding the cache, making the blocklist ineffective

a atraben at riseup.net
Thu Sep 25 22:35:23 UTC 2025


"Have you tried whether Pi-hole has the same problem? It should not!

Background: Pi-hole FTL does not only embed dnsmasq but also extends it.
Among others, we add a feature we call "deep CNAME inspection" that
traverses the entire CNAME path (even multi-level) and short-circuits as
soon as something to be blocked has been found. This is then cached for
the *original* query so any new query can be blocked right away without
having to walk the CNAME path again. Unfortunately, deep CNAME
inspection as a feature is not easily portable to dnsmasq as it relies
on the respective information to be available in a binary search-tree.
Surely not impossible to either bring this into a form that could be
embedded directly or bring the tree into dnsmasq, but those are tasks we
have no manpower for and I doubt anyone else could really do that at
this point in time. Whether such a big rewrite would be accepted by the
dnsmasq maintainer is another question. I'd rather tend towards a "no".

Re your comment about being ignored by dnsmasq maintainers: Note that
dnsmasq is maintained solely by Simon Kelley. Only he is authoritative
for what happens and what not. We all know there are people on the
mailing list that act like they'd have something to say but, ultimately,
they don't. It is just difficult to reach Simon, even for us who have known
him for years. Eventually, he appears and replies but there are also
months of silence. That's nothing unusual at all for dnsmasq.

Hope that answers your question.
Dominik"

FYI, Pi-hole and DNSCrypt seem to have CNAME filtering. Guess I need to
switch to it if you don't fix this security issue.
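The quoted description of "deep CNAME inspection" (walk the whole CNAME chain, block as soon as any name on the chain matches the blocklist, cache the verdict for the original query name) can be illustrated with a small self-contained Python model. This is an added example, not Pi-hole FTL's or dnsmasq's code; the record set, the blocklist and the names used are constructed for illustration, and the class and function names are this example's own. It contrasts a shallow check that only looks at the queried name (which a first-party hostname CNAMEd to a listed domain slips past, the situation the thread title describes) with the deep walk, including the loop and depth guards a resolver needs when following CNAMEs.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed sample records (hypothetical names, not real DNS data).
# Each owner name maps to either a CNAME target or a terminal A record.
RECORDS: Dict[str, Tuple[str, str]] = {
    "metrics.example.com.":          ("CNAME", "collector.tracker-cdn.example."),
    "collector.tracker-cdn.example.": ("CNAME", "edge.tracker.example."),
    "edge.tracker.example.":         ("A", "192.0.2.10"),
    "www.example.com.":              ("A", "192.0.2.20"),
    "loop-a.example.":               ("CNAME", "loop-b.example."),
    "loop-b.example.":               ("CNAME", "loop-a.example."),
}

# Constructed blocklist: a listed domain also covers all of its subdomains.
BLOCKLIST: Set[str] = {"tracker.example."}

# Upper bound on CNAME hops we are willing to follow for one query.
MAX_CNAME_DEPTH = 10


def is_blocked_name(name: str, blocklist: Set[str]) -> bool:
    """True if name equals a blocklist entry or is a subdomain of one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in blocklist:
            return True
    return False


def shallow_check(qname: str, blocklist: Set[str]) -> bool:
    """Plain blocklist lookup on the queried name only (no CNAME walk)."""
    return is_blocked_name(qname, blocklist)


class DeepCnameInspector:
    """Walks the CNAME chain and caches the verdict for the original qname."""

    def __init__(self, records: Dict[str, Tuple[str, str]], blocklist: Set[str]):
        self.records = records
        self.blocklist = blocklist
        # qname -> (verdict, name that decided it); verdict is one of
        # "allowed", "blocked", "loop", "too_deep".
        self.cache: Dict[str, Tuple[str, Optional[str]]] = {}
        self.walks = 0  # how many times the chain was actually traversed

    def inspect(self, qname: str) -> Tuple[str, Optional[str]]:
        if qname in self.cache:          # verdict already known for this qname
            return self.cache[qname]
        self.walks += 1
        seen: Set[str] = set()
        name = qname
        verdict: Tuple[str, Optional[str]] = ("allowed", None)
        for _ in range(MAX_CNAME_DEPTH + 1):
            if is_blocked_name(name, self.blocklist):
                verdict = ("blocked", name)   # short-circuit at first hit
                break
            if name in seen:
                verdict = ("loop", name)      # CNAME cycle: refuse to follow
                break
            seen.add(name)
            rr = self.records.get(name)
            if rr is None or rr[0] != "CNAME":
                break                         # terminal record (or NXDOMAIN)
            name = rr[1]                      # follow the CNAME one hop
        else:
            verdict = ("too_deep", name)      # exceeded MAX_CNAME_DEPTH hops
        self.cache[qname] = verdict           # cached under the ORIGINAL qname
        return verdict


if __name__ == "__main__":
    inspector = DeepCnameInspector(RECORDS, BLOCKLIST)
    for q in ("metrics.example.com.", "www.example.com.", "loop-a.example."):
        print(q, "shallow:", shallow_check(q, BLOCKLIST), "deep:", inspector.inspect(q))
    print("chain walks performed:", inspector.walks)
```

Running it shows `metrics.example.com.` passing the shallow check but being blocked by the deep walk at `edge.tracker.example.`, and a second query for the same name answered from the cache without walking the chain again, which is the caching behaviour the quoted reply describes.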



More information about the Dnsmasq-discuss mailing list