diff --git a/doc/Changelog b/doc/Changelog
index 184300fbb..54ac22d34 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,7 @@ - Add trustanchor.unbound CH TXT that gets a response with a number of TXT RRs with a string like "example.com. 2345 1234" with the trust anchors and their keytags. + - Fix that looped DNAMEs do not cause unbound to spend effort. 13 March 2017: Wouter - testbound understands Deckard MATCH rcode question answer commands.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index ce03fbd54..a8447775a 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2263,6 +2263,17 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 /* YXDOMAIN is a permanent error, no need to retry */
 type = RESPONSE_TYPE_ANSWER;
 }
+ if(type == RESPONSE_TYPE_CNAME && iq->response->rep->an_numrrsets >= 1
+ && ntohs(iq->response->rep->rrsets[0]->rk.type) == LDNS_RR_TYPE_DNAME) {
+ uint8_t* sname = NULL;
+ size_t snamelen = 0;
+ get_cname_target(iq->response->rep->rrsets[0], &sname,
+ &snamelen);
+ if(snamelen && dname_subdomain_c(sname, iq->response->rep->rrsets[0]->rk.dname)) {
+ /* DNAME to a subdomain loop; do not recurse */
+ type = RESPONSE_TYPE_ANSWER;
+ }
+ }
 /* handle each of the type cases */
 if(type == RESPONSE_TYPE_ANSWER) {
diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl
index ba2d18dd5..8f4a29c79 100644
--- a/testdata/iter_dname_insec.rpl
+++ b/testdata/iter_dname_insec.rpl
@@ -691,9 +691,12 @@ STEP 220902 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO
-REPLY SERVFAIL
+REPLY NOERROR
 SECTION QUESTION
 cyc.example.com. IN A
+SECTION ANSWER
+example.com. 0 IN DNAME example.com.
+cyc.example.com. 0 IN CNAME cyc.example.com.
 ENTRY_END
 ; ns1.example.com.
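Review bot: The loop test added to processQueryResponse only looks at `rrsets[0]`, so a DNAME that is not the first answer rrset (for example one reached through a leading CNAME) is never compared with its own owner name, and the response still takes the CNAME restart path. The answer section is supplied by the upstream server, so rrset order should not decide whether the check runs; if an earlier normalisation step guarantees that a relevant DNAME comes first, that is not visible in this hunk and deserves a comment. I would walk all `an_numrrsets` answer rrsets and apply the same `get_cname_target`/`dname_subdomain_c` test to every DNAME, as sketched below, and reword the comment to say that the target may equal the owner or lie beneath it. The function begins and ends outside the hunk.

```c
	if(type == RESPONSE_TYPE_CNAME) {
		size_t i;
		for(i=0; i<iq->response->rep->an_numrrsets; i++) {
			struct ub_packed_rrset_key* s =
				iq->response->rep->rrsets[i];
			uint8_t* sname = NULL;
			size_t snamelen = 0;
			if(ntohs(s->rk.type) != LDNS_RR_TYPE_DNAME)
				continue;
			get_cname_target(s, &sname, &snamelen);
			if(snamelen && dname_subdomain_c(sname, s->rk.dname)) {
				/* DNAME target is its owner or below it:
				 * following it only rewrites into the same
				 * subtree again; do not recurse */
				type = RESPONSE_TYPE_ANSWER;
				break;
			}
		}
	}
	/* ... unchanged: handle each of the type cases ... */
```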
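Review bot: The changed expectation only covers a DNAME whose target equals its owner (`example.com. 0 IN DNAME example.com.`), while the iterator check it pins also matches targets strictly below the owner. A second scenario with such a target (say `sub.example.com.`, a constructed name) would cover that branch as well. A `;` comment above this entry saying why the loop now yields NOERROR with the DNAME and CNAME in the answer, instead of SERVFAIL, would also help the next reader.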