Currently, there is a note in the CNAME entry page stating the below:
Note:
The target of a CNAME must be a domain that the Pi-hole already has in its cache or is authoritative for. This is a universal limitation of CNAME records.
The reason for this is that Pi-hole will not send additional queries upstream when serving CNAME replies. As consequence, if you set a target that isn't already known, the reply to the client may be incomplete. Pi-hole just returns the information it knows at the time of the query. This results in certain limitations for CNAME targets, for instance, only active DHCP leases work as targets - mere DHCP leases aren't sufficient as they aren't (yet) valid DNS records.
Additionally, you can't CNAME external domains ( bing.com to google.com ) successfully as this could result in invalid SSL certificate errors when the target server does not serve content for the requested domain.
The point of SSL not being valid is true, but support for this is needed for split DNS configurations. The note says it is a universal limitation of CNAME, but my Windows DNS server can clearly recursively resolve non authoritative requests as shown below. Can this be implemented in Pi-hole?
Background on use case:
I have a local lan domain and a valid DNS domain. Many of the services I host are accessible via the internet using Cloudflare Tunnels. The public DNS entry points to the tunnel. The lan domain has the windows server as the authoritative domain and pihole has a custom override to send all requests to this domain to the windows server. Since cloudflare cannot to AXFR transfers to other DNS servers, I cannot configure windows server as a forwarding DNS and override certain subdomains to the local ones. It has to be done on pihole. Now, pihole has a public subdomain -> local subdomain CNAME, but without me explicitly adding the local subdomain to IP mapping, it just does not work. Meaning I need to maintain DNS records in two places, the windows server and Pi-hole. The DNS entries are added to the Windows server using external-dns over RFC 2136 dynamic DNS updates which the Pi-hole does not support (planning to add this as a new feature request too since Pi-hole can be a one stop replacement for all DNS servers).
Pi-hole embeds and extends the DNS forwarding server dnsmasq (link). It cannot do what you are asking for because it is designed to not be recursive. We wouldn't make such a change using Pi-hole extensions as the necessary massive rewrite of code would inevitably break compatibility with future updates of dnsmasq. The same holds true for your second request (external-dns).
I'd suggest you direct your feature request to the official dnsmasq mailing list (dnsmasq-discuss@lists.thekelleys.org.uk, see also here). Whenever the dnsmasq project implements what you are asking for, it will be contained in the next Pi-hole release.
Understood, I thought maybe Pi-hole hooks into dnsmasq somehow to be able to manipulate it. Will raise this with dnsmasq or more probably look into alternative ways once the HTTP JSON API is finally available
example.com is what you want to have partial authority over. Forward it to bind9
02-dns-server.conf:
server=/example.com/172.31.255.251
Bind9
There are 3 files we bind mount to the bind9 container.
db.rpz: Contains the list of entries to override. Two sample entries provided below. Replace them as needed.
$TTL 60
@ IN SOA localhost. root.localhost. (
2015112501 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum
IN NS localhost.
localhost A 127.0.0.1
domain.example.com CNAME myserver.local
pihole.example.com A 192.168.1.10
named.conf.local: Load the above zone. Forwarders are used when the requested (sub)domain of example.com are not found in the above file.
zone "rpz" {
type master;
file "/etc/bind/db.rpz";
forward only;
forwarders { 1.1.1.1 port 53; };
};
named.conf.options: Send the query back to pihole for further resolution. This can happen when the CNAME in the DB is to an unknown domain or a local domain known to pihole. (sub.example.com CNAME google.com or server.lan for example)
