
fonts.gstatic.com wrong record lookup

Hey guys,

I noticed a domain that is getting an A and AAAA record as a lookup, but is normally a CNAME record. As CNAME Flattening is disabled for my configuration, I think this is a bug.

Normally this would be the request:

dig CNAME +additional fonts.gstatic.com. @9.9.9.9
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> CNAME +additional fonts.gstatic.com. @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54410
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fonts.gstatic.com.		IN	CNAME

;; ANSWER SECTION:
fonts.gstatic.com.	285	IN	CNAME	gstaticadssl.l.google.com.

;; Query time: 21 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Aug 29 08:01:37 2021
;; MSG SIZE  rcvd: 71

But the CNAME domain is not looked up at NextDNS:

 

I think it's a general problem with CNAMEs, since I have tested more CNAME records and all result in this. The problem with this is that CNAME blocking isn't working correctly. "gstaticadssl.l.google.com." is on every energized list. So far it should be blocked, if you have picked the list. Currently it doesn't block.

  • The logs show the queried type, not the response record type. If you dig nextdns with this domain you should get a CNAME too.

  • Thanks for the clarification. That was new for me. Then there is still a bug with CNAME blocking and energized lists. "gstaticadssl.l.google.com" is still on the blocklists and is a CNAME of "fonts.gstatic.com". And it is not blocked if I choose one of the energized lists. I would expect the CNAME blocking to work in this case.

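An added example, not part of the thread and not NextDNS's code: a sketch of the behaviour the original poster expects from CNAME blocking, where a query is blocked if any name in its CNAME chain is on a blocklist. The answer records and the blocklist are constructed sample data (the first record mirrors the dig output above; the A record and its address are made up).

```python
# Added example: CNAME-aware blocklist check over a dig-style ANSWER section.
# ANSWER and BLOCKLIST are constructed samples (192.0.2.10 is a documentation IP).
ANSWER = """\
fonts.gstatic.com.          285 IN CNAME gstaticadssl.l.google.com.
gstaticadssl.l.google.com.  300 IN A     192.0.2.10
"""
BLOCKLIST = {"gstaticadssl.l.google.com"}


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_answer(text):
    """Return (owner, rtype, rdata) tuples from dig ANSWER lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";"):
            continue  # skip comments and malformed lines
        owner, _ttl, _cls, rtype, rdata = fields[:5]
        records.append((norm(owner), rtype.upper(), rdata))
    return records


def cname_chain(qname, records, max_depth=8):
    """Follow CNAME records from qname; return every name visited, in order."""
    cnames = {o: norm(r) for o, t, r in records if t == "CNAME"}
    chain, current = [norm(qname)], norm(qname)
    while current in cnames and len(chain) <= max_depth:
        current = cnames[current]
        if current in chain:  # loop guard
            break
        chain.append(current)
    return chain


def blocked_by(qname, records, blocklist):
    """Return the first name in the chain that is on the blocklist, or None."""
    for name in cname_chain(qname, records):
        if name in blocklist:
            return name
    return None


if __name__ == "__main__":
    recs = parse_answer(ANSWER)
    print("chain:", " -> ".join(cname_chain("fonts.gstatic.com.", recs)))
    print("blocked by:", blocked_by("fonts.gstatic.com.", recs, BLOCKLIST))
```

A check that looks only at the queried name would miss this entry, because "fonts.gstatic.com" itself is not on the list; only the CNAME target is.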