diff --git a/service/firewall/dns.go b/service/firewall/dns.go
index 8a6e19738..9b1a55e5a 100644
--- a/service/firewall/dns.go
+++ b/service/firewall/dns.go
@@ -302,11 +302,11 @@ func UpdateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
 			Expires:           rrCache.Expires,
 		}
 
-		// Resolve all CNAMEs in the correct order and add the to the record.
+		// Resolve all CNAMEs in the correct order and add the to the record - up to max 50 layers.
 		domain := q.FQDN
-		for {
+		for range 50 {
 			nextDomain, isCNAME := cnames[domain]
-			if !isCNAME {
+			if !isCNAME || nextDomain == domain {
 				break
 			}
 
diff --git a/service/nameserver/nameserver.go b/service/nameserver/nameserver.go
index c699cd993..1d346220a 100644
--- a/service/nameserver/nameserver.go
+++ b/service/nameserver/nameserver.go
@@ -224,8 +224,8 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 			}
 
 			// Save the request as open, as we don't know if there will be a connection or not.
-			network.SaveOpenDNSRequest(q, rrCache, conn)
 			firewall.UpdateIPsAndCNAMEs(q, rrCache, conn)
+			network.SaveOpenDNSRequest(q, rrCache, conn)
 
 		case network.VerdictUndeterminable:
 			fallthrough