from cinap: only use cname answer when returned. some dns servers attach span addresses. these can poison the cache. Reference: /n/atom/patch/applied2013/cnamespam Date: Mon Aug 5 23:18:09 CES 2013 Signed-off-by: quanstro@quanstro.net
--- /sys/src/cmd/ndb/dnresolve.c Mon Aug 5 23:17:38 2013
+++ /sys/src/cmd/ndb/dnresolve.c Mon Aug 5 23:17:39 2013
@@ -1378,8 +1378,20 @@
 unique(mp->ar);
 unlock(&dnlock);
- if(mp->an)
+ if(mp->an){
+ /*
+ * only use cname answer when returned. some dns servers
+ * attach spam address records which poisons the cache.
+ */
+ if((tp = rrremtype(&mp->an, Tcname)) != 0){
+ if(mp->an){
+ dnslog("removing spam %Q for %Q from %I", mp->an, tp, srcip);
+ rrfreelist(mp->an);
+ }
+ mp->an = tp;
+ }
 rrattach(mp->an, (mp->flags & Fauth) != 0);
+ }
 if(mp->ar)
 rrattach(mp->ar, Notauthoritative);
 if(mp->ns && !cfg.justforw){
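Review bot: The filter added inside `if(mp->an)` decides by record type alone: once `rrremtype(&mp->an, Tcname)` returns anything, every other answer record is freed and every CNAME record is kept, with no comparison against the name that was queried. Nothing visible in the hunk checks that a kept CNAME's owner is the queried name, so unless the enclosing function (which starts and ends outside the hunk) enforces that elsewhere, an unrelated CNAME in the answer section still reaches `rrattach`, and is cached as authoritative when `Fauth` is set. The drop also covers address records a server legitimately returns for the CNAME target, which `dnslog` then reports as "spam"; the block comment should state that trade-off, e.g. `* all non-cname answers are dropped, including address records for the cname target.` As a style point, the pointer test reads more clearly as `!= nil` than `!= 0`.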