Prevent use of CNAME record for untrusted domain
Solution 1:
DNS does not support this. It doesn't matter what DNS provider you use, because creating a CNAME record is done entirely at the 'source' domain and does not contact the 'target' at all. So a domain can publish any DNS records with any data.
The only thing you can do – when dealing with HTTP(S), TLS-SNI, and other protocols which support virtual hosts – is to make sure your server rejects all requests for unknown vhosts.
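The check this answer recommends, as an added example that is not part of the original answer: a minimal Python HTTP server that answers only for the vhost names it owns and returns 421 Misdirected Request for anything else. The names in ALLOWED_HOSTS and the bind address are constructed for illustration; a request arriving through someone else's CNAME carries that other name in its Host header, so it fails the check even though it reached this server.

```python
"""Reject HTTP requests whose Host header is not one of our own vhosts.

Added example (not from the original answers). The hostnames and the
bind address below are constructed for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this server is willing to answer for (constructed examples).
ALLOWED_HOSTS = frozenset({"www.yourdomain.com", "yourdomain.com"})


def normalize_host(host_header):
    """Return the canonical hostname from a Host header value, or None.

    Strips an optional :port, lower-cases, and removes a trailing dot,
    since all three forms name the same vhost. IPv6 literals are not
    parsed here; they return None and are therefore rejected.
    """
    if host_header is None:
        return None
    host = host_header.strip()
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        return None
    host = host.split(":", 1)[0]        # drop the port, if any
    host = host.rstrip(".").lower()     # canonical form
    return host or None


def is_known_vhost(host_header, allowed=ALLOWED_HOSTS):
    """True only if the request names a vhost we actually serve."""
    host = normalize_host(host_header)
    return host is not None and host in allowed


class VhostHandler(BaseHTTPRequestHandler):
    """Minimal handler: 421 Misdirected Request for any unknown Host."""

    def do_GET(self):
        if not is_known_vhost(self.headers.get("Host")):
            self.send_response(421)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"unknown virtual host\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from yourdomain.com\n")


if __name__ == "__main__":
    # Constructed bind address; run and try curl -H 'Host: www.example.com'.
    HTTPServer(("127.0.0.1", 8080), VhostHandler).serve_forever()
```

The same idea applies to TLS: a server that only holds certificates for its own names will fail the handshake for a foreign SNI, and production web servers express this check as a catch-all default vhost rather than application code.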
Solution 2:
You cannot prevent someone from creating a CNAME record that points to your domain any more than you can prevent someone from telling their friends to call your telephone number.
A CNAME record is like leaving a recording on an answering machine that tells you to call a different number. For example, you call 555-1111 and the message says, "Call 555-2222." In the same way, a CNAME record for www.example.com can point to www.yourdomain.com. When the DNS client looks up www.example.com and encounters the CNAME record, it restarts the DNS lookup process for www.yourdomain.com ...as if it had been trying to look up www.yourdomain.com in the first place.
Since you don't control the domain where the CNAME record is created, and because you cannot distinguish between lookups of your domain records that originated because of CNAME records versus native lookups, you cannot prevent CNAME records from pointing to you, any more than you could prevent someone from leaving a message on their own answering machine telling callers to call your number instead.
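The lookup restart this answer describes, as an added example that is not part of the original answer: a toy resolver over a constructed zone table that follows CNAME records by starting over with the target name. The zone data (one record per name) and the chain cap are assumptions made for the example; the point it shows is that the final name's owner sees exactly the same query whether the client started at www.example.com or at www.yourdomain.com.

```python
"""Simulate how a resolver follows a CNAME and restarts the lookup.

Added example (not from the original answers). The zone data is a
constructed toy: one record per name, two domains, one of which
CNAMEs into the other, plus a deliberate CNAME loop.
"""

# Constructed zone data: owner name -> (record type, value).
ZONES = {
    "www.example.com.":    ("CNAME", "www.yourdomain.com."),
    "www.yourdomain.com.": ("A", "192.0.2.10"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

MAX_CHAIN = 8  # assumed cap; real resolvers also bound CNAME chains


def resolve_a(name, zones=ZONES, max_chain=MAX_CHAIN):
    """Return (ip, chain), where chain lists the names queried in order.

    Each CNAME makes the resolver start over with the target name. The
    owner of the final A record only ever sees the last query in chain,
    which carries no trace of where the client began.
    """
    chain = []
    qname = name if name.endswith(".") else name + "."
    for _ in range(max_chain):
        chain.append(qname)
        rr = zones.get(qname)
        if rr is None:                      # NXDOMAIN in this toy model
            return None, chain
        rtype, value = rr
        if rtype == "A":
            return value, chain
        if rtype == "CNAME":
            qname = value                   # restart with the target name
            continue
        return None, chain                  # no usable record type
    raise RuntimeError("CNAME chain exceeds %d steps" % max_chain)


def query_seen_by_target(name, zones=ZONES):
    """The single name the final authoritative server is asked about."""
    _, chain = resolve_a(name, zones)
    return chain[-1]
```

Because query_seen_by_target returns the same value for both starting names, there is nothing in the query itself that the target domain could use to tell a CNAME-originated lookup apart from a native one, which is the answer's point.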