diff --git a/service/compat/callbacks.go b/service/compat/callbacks.go
index 2abfa858..71fd8b69 100644
--- a/service/compat/callbacks.go
+++ b/service/compat/callbacks.go
@@ -3,6 +3,7 @@ package compat
 import (
 	"net"
 
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/network/packet"
 	"github.com/safing/portmaster/service/process"
 )
@@ -31,10 +32,16 @@ func SubmitDNSCheckDomain(subdomain string) (respondWith net.IP) {
 
 // ReportSecureDNSBypassIssue reports a DNS bypassing issue for the given process.
 func ReportSecureDNSBypassIssue(p *process.Process) {
-	secureDNSBypassIssue.notify(p)
+	module.mgr.Go("report secure dns bypass issue", func(w *mgr.WorkerCtx) error {
+		secureDNSBypassIssue.notify(p)
+		return nil
+	})
 }
 
 // ReportMultiPeerUDPTunnelIssue reports a multi-peer UDP tunnel for the given process.
 func ReportMultiPeerUDPTunnelIssue(p *process.Process) {
-	multiPeerUDPTunnelIssue.notify(p)
+	module.mgr.Go("report multi-peer udp tunnel issue", func(w *mgr.WorkerCtx) error {
+		multiPeerUDPTunnelIssue.notify(p)
+		return nil
+	})
 }
diff --git a/service/firewall/dns.go b/service/firewall/dns.go
index 8a6e1973..9b1a55e5 100644
--- a/service/firewall/dns.go
+++ b/service/firewall/dns.go
@@ -302,11 +302,11 @@ func UpdateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
 			Expires:           rrCache.Expires,
 		}
 
-		// Resolve all CNAMEs in the correct order and add the to the record.
+		// Resolve all CNAMEs in the correct order and add the to the record - up to max 50 layers.
 		domain := q.FQDN
-		for {
+		for range 50 {
 			nextDomain, isCNAME := cnames[domain]
-			if !isCNAME {
+			if !isCNAME || nextDomain == domain {
 				break
 			}
 
diff --git a/service/nameserver/nameserver.go b/service/nameserver/nameserver.go
index c699cd99..1d346220 100644
--- a/service/nameserver/nameserver.go
+++ b/service/nameserver/nameserver.go
@@ -224,8 +224,8 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 			}
 
 			// Save the request as open, as we don't know if there will be a connection or not.
-			network.SaveOpenDNSRequest(q, rrCache, conn)
 			firewall.UpdateIPsAndCNAMEs(q, rrCache, conn)
+			network.SaveOpenDNSRequest(q, rrCache, conn)
 
 		case network.VerdictUndeterminable:
 			fallthrough
diff --git a/service/process/process.go b/service/process/process.go
index 60dac7eb..4e0eeeae 100644
--- a/service/process/process.go
+++ b/service/process/process.go
@@ -256,7 +256,7 @@ func loadProcess(ctx context.Context, key string, pInfo *processInfo.Process) (*
 	// Username
 	process.UserName, err = pInfo.UsernameWithContext(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("process: failed to get Username for p%d: %w", pInfo.Pid, err)
+		log.Tracer(ctx).Warningf("process: failed to get username (PID %d): %s", pInfo.Pid, err)
 	}
 
 	// TODO: User Home