Andrew Latham

A very evil example of showing it can be done...

So you have a domain like that you want to alias to What is happening is at the root of the is an @ or base or apex record that per the RFCs must be an IP address.


$ORIGIN com.
com.                  IN  SOA (1 3H 15 1w 3h)   IN CNAME

$ORIGIN  IN  SOA (1 3H 15 1w 3h)
       IN  NS
       IN  NS
ns         IN  A
www    IN  CNAME

What we are doing

The goal here is to serve and CNAME it to which is not supposed to work. What I am actually doing is creating a zone for .com and then answering with a CNAME for then resetting the $ORIGIN quickly so the zone now becomes the zone for I also show the CNAME as an example of how it is normally done and the base driver for this issue. In the browser address bar the user does not understand the difference between the two, and this is a dangerous and silly hack to make the user happy.
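An added example, not part of the original post: a small Python lint that walks a zone file, follows $ORIGIN changes the way the hack above relies on, and reports every owner name where a CNAME sits beside other records, which is what a CNAME at an apex always does because the apex also carries SOA and NS. The sample zone is constructed with placeholder names (example.test, target.example.net), and the parser assumes one record per line.

```python
import re

# Constructed sample mirroring the layout above; all names are placeholders.
SAMPLE_ZONE = """\
$ORIGIN test.
test.      IN SOA ns.example.test. admin.example.test. (1 3H 15 1w 3h)
example    IN CNAME target.example.net.
$ORIGIN example.test.
@          IN SOA ns admin (1 3H 15 1w 3h)
           IN NS  ns
ns         IN A   192.0.2.53
www        IN CNAME target.example.net.
"""

CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw]?)+", re.I)

def absolute(name, origin):
    """Expand @ and relative owner names against the current $ORIGIN."""
    if name.endswith("."):
        return name.lower()
    return (origin if name == "@" else f"{name}.{origin.lstrip('.')}").lower()

def owner_types(zone_text):
    """Map each fully qualified owner name to the record types it holds."""
    origin, owner, seen = ".", None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":        # later names resolve here
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL, $INCLUDE: not records
            continue
        if not line[0].isspace():                 # blank owner field inherits
            owner = absolute(tokens.pop(0), origin)
        # The first field that is neither a TTL nor a class is the record type.
        rtype = next((t.upper() for t in tokens
                      if t.upper() not in CLASSES and not TTL.fullmatch(t)), None)
        if owner and rtype:
            seen.setdefault(owner, set()).add(rtype)
    return seen

def cname_conflicts(zone_text):
    """Owner names where a CNAME coexists with any other record type."""
    return {name: sorted(types) for name, types in owner_types(zone_text).items()
            if "CNAME" in types and len(types) > 1}
```

On the sample, cname_conflicts(SAMPLE_ZONE) flags example.test. as holding CNAME, NS and SOA, while the ordinary www CNAME passes.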

Don't do this....

Only do this in a lab or test setup to prove things out. People will not like you for doing this in the real world.

I glossed over a ton of details to keep this readable.

Please use with extreme caution and configure and secure your DNS infrastructure properly.

  1. Name servers have glue records[a] set up via the registrar
  2. Base (apex) domain (@) and www point to the same IP(s)
  3., return all the mail and name servers respectively
  4. SOA[b] email address works and is read by a human daily
  5. Name servers are on more than one subnet
  6. SOA serial is not date based
  7. Wildcard and/or generated answers for undefined PTR[c] records
  8. Registrar offers API to update glue records for mitigating DDoS[d]
  9. Documentation is easy to find
  10. Disaster recovery is tested on a schedule
b. Start of Authority
d. distributed denial-of-service attack