You cannot prevent someone from creating a CNAME record that points to your domain any more than you can prevent someone from telling their friends to call your telephone number.
A CNAME record is like leaving a recording on an answering machine that tells you to call a different number. For example, you call 555-1111 and the message says, "Call 555-2222." In the same way, a CNAME record for www.example.com can point to www.yourdomain.com. When the DNS client looks up www.example.com and encounters the CNAME record, it restarts the DNS lookup process for www.yourdomain.com ...as if it had been trying to look up www.yourdomain.com in the first place.
Since you don't control the domain where the CNAME record is created, and because you cannot distinguish between lookups of your domain records that originated because of CNAME records versus native lookups, you cannot prevent CNAME records from pointing to you, any more than you could prevent someone from leaving a message on their own answering machine telling callers to call your number instead.
Why do you think anybody has a reason to do it, and why do you care? – Jan Hudec – 2019-08-25T11:30:38.237
@JanHudec: Perhaps somebody's trying to carry out a DNS rebinding attack on the OP's site, and the OP would like to prevent that. (Of course, DNS rebinding can be done without using any CNAME records anyway, so forbidding them would not be sufficient even if it was possible.)
– Ilmari Karonen – 2019-08-26T11:18:28.260
You cannot prevent that technically. You might be able to sue with legal help if it infringes on your trademarks or impersonates you (however it's internationally a hard thing to succeed). You can also inform the abuse department of the source provider if you suspect abuse. – eckes – 2019-08-26T14:16:32.347
@IlmariKaronen, ok, that's a valid concern—best handled by checking the Host: header and/or using TLS (which always checks the host name). – Jan Hudec – 2019-08-26T17:30:26.970
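A Host-header allowlist check of the kind the last comment recommends, added here as an example (it is not code from the thread). It assumes the server only ever answers for the names in ALLOWED_HOSTS, which are constructed sample values; a request that arrives through someone else's CNAME, or through a rebound DNS name, carries the foreign hostname or an IP literal in Host and is rejected.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames this server is willing to answer for (constructed sample set).
ALLOWED_HOSTS = {"www.yourdomain.com", "yourdomain.com"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names one of our own hostnames.

    Rejects empty values, malformed host:port strings, IP literals
    (the usual DNS rebinding pattern) and any name outside the allowlist.
    """
    if not host_header:
        return False
    # A Host value is "host[:port]", never a URL; anything that looks like
    # userinfo, a path or a query is malformed and refused outright.
    if any(ch in host_header for ch in "@/?#"):
        return False
    # Reuse the URL parser's authority handling to split host from an
    # optional port, including bracketed IPv6 literals such as "[::1]:8080".
    try:
        parts = urlsplit("//" + host_header.strip())
        hostname = parts.hostname
        parts.port  # raises ValueError when the port is not an integer
    except ValueError:
        return False
    if not hostname:
        return False
    # Never serve requests addressed by IP address rather than by name.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    # DNS names are case-insensitive and may carry a trailing dot.
    hostname = hostname.lower().rstrip(".")
    return hostname in allowed


if __name__ == "__main__":
    # Request via our own name versus via a foreign CNAME alias.
    print(host_header_allowed("www.yourdomain.com"))   # True
    print(host_header_allowed("www.example.com"))      # False
```

The same check belongs in front of every handler (a middleware or the web framework's allowed-hosts setting), since the decision must be made before any application logic trusts the request.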