diff --git a/configure.ac b/configure.ac
index daf8d539..a4713279 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1026,6 +1026,8 @@ FreeBSD)
 esac
 AC_SUBST(C99COMPATFLAGS)
 
+AC_DEFINE_UNQUOTED([MAX_CNAME_REFERRALS], [100], [The maximum number of cname referrals.])
+
 AH_BOTTOM([
 
 #ifdef GETDNS_ON_WINDOWS
diff --git a/src/dnssec.c b/src/dnssec.c
index 7c851aba..e3a8a65d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -210,9 +210,6 @@
 #include "list.h"
 #include "util/val_secalgo.h"
 
- /* Maximum number of canonical name redirections for one name */
-#define MAX_CNAMES 100
-
 #define SIGNATURE_VERIFIED         0x10000
 #define NSEC3_ITERATION_COUNT_HIGH 0x20000
 #define NO_SUPPORTED_ALGORITHMS    0x40000
@@ -1069,7 +1066,7 @@ static void add_question2val_chain(struct mem_funcs *mf,
 	q_rrset.pkt      = pkt;
 	q_rrset.pkt_len  = pkt_len;
 
-	for (anti_loop = MAX_CNAMES; anti_loop; anti_loop--) {
+	for (anti_loop = MAX_CNAME_REFERRALS; anti_loop; anti_loop--) {
 		if (!(rr = rrtype_iter_init(&rr_spc, &q_rrset)))
 			break;
 		if (!(rdf = _getdns_rdf_iter_init(&rdf_spc, &rr->rr_i)))
diff --git a/src/general.c b/src/general.c
index 1119106d..8e29fb58 100644
--- a/src/general.c
+++ b/src/general.c
@@ -84,7 +84,7 @@ static int
 no_answer(getdns_dns_req *dns_req)
 {
 	getdns_network_req **netreq_p, *netreq;
-	int new_canonical = 0;
+	int new_canonical = 0, cnames_followed;
 	uint8_t canon_spc[256];
 	const uint8_t *canon;
 	size_t canon_len;
@@ -103,7 +103,7 @@ no_answer(getdns_dns_req *dns_req)
 		canon_len = netreq->owner->name_len;
 		if (netreq->request_type != GETDNS_RRTYPE_CNAME
 		    && GLDNS_ANCOUNT(netreq->response) > 1) do {
-			new_canonical = 0;
+			new_canonical = 0, cnames_followed = 0;
 			for ( rr = _getdns_rr_iter_init(&rr_spc
 			                               , netreq->response
 			                               , netreq->response_len)
@@ -131,8 +131,9 @@ no_answer(getdns_dns_req *dns_req)
 				canon = _getdns_rdf_if_or_as_decompressed(
 				    rdf, canon_spc, &canon_len);
 				new_canonical = 1;
+				cnames_followed++;
 			}
-		} while (new_canonical);
+		} while (new_canonical && cnames_followed<MAX_CNAME_REFERRALS);
 		for ( rr = _getdns_rr_iter_init(&rr_spc
 					       , netreq->response
 					       , netreq->response_len)
diff --git a/src/util-internal.c b/src/util-internal.c
index 5731fea9..4e71dc75 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -707,7 +707,7 @@ _getdns_create_reply_dict(getdns_context *context, getdns_network_req *req,
 		goto error;
 	
 	cnames_followed = new_canonical;
-	while (new_canonical) {
+	while (cnames_followed < MAX_CNAME_REFERRALS && new_canonical) {
 		new_canonical = 0;
 
 		for ( rr_iter = _getdns_rr_iter_init(&rr_iter_storage
@@ -737,6 +737,7 @@ _getdns_create_reply_dict(getdns_context *context, getdns_network_req *req,
 			canonical_name = _getdns_rdf_if_or_as_decompressed(
 			    rdf_iter,canonical_name_space,&canonical_name_len);
 			new_canonical = 1;
+			cnames_followed++;
 		}
 	}
 	if (_getdns_dict_set_const_bindata(