[Pdns-users] Feature request: disable-any-meta-query-type

Aki Tuomi cmouse at youzen.ext.b2.fi
Fri Dec 18 19:01:17 UTC 2015


On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> Hello,
> 
> I really like PowerDNS but
> 
> I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> and answer
> with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> 
> More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> 
> The reason for this is security: people can easily learn the entire DNS
> zone with one command.
> 
> An authoritative server should be allowed to refuse to answer it.
> 
> ANY queries are not widely used by any real world software.
> We are aware of only two programs that issue ANY queries:
> 
> Un-patched versions of qmaild
> Firefox version 36.0 to 36.0.1
> 
> Thanks
> 
> Josh

Hi!

Disabling ANY queries is not sensible from the point of view of zone security: your DNS
data is public by definition, so if your security relies on not being able
to query ANY for a particular name, you should reconsider your security model.

You cannot learn the *entire* DNS zone with an ANY query, unless it contains
just records for one name.

Better justification is needed for this, as the RFC requires ANY to work.

Aki
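The two technical points in this thread, the HINFO-instead-of-ANY behaviour Josh proposes and Aki's observation that ANY only returns the RRsets at the single queried owner name, can be checked with a toy authoritative responder. The following is an added example written for this page; it is not PowerDNS code and does not implement any pdns.conf setting. It uses only the Python standard library, encodes uncompressed DNS wire format, and runs against a constructed zone (example.test., all addresses from documentation ranges). The `refuse_any` flag and the HINFO text "ANY not allowed" are placeholders chosen for the example. As a later caveat: this thread predates RFC 8482 (2019), which standardized answering ANY with a synthesized HINFO record.

```python
"""Toy authoritative DNS responder: ANY answers vs. a refuse-ANY policy (added example, stdlib only)."""
import socket
import struct

# Constructed sample zone for the example (not real data): owner name -> list of (rtype, rdata).
ZONE = {
    "example.test.": [
        ("SOA", ("ns1.example.test.", "hostmaster.example.test.", 2015121801, 3600, 900, 604800, 300)),
        ("NS", "ns1.example.test."),
        ("MX", (10, "mail.example.test.")),
        ("A", "192.0.2.1"),
        ("TXT", "v=spf1 mx -all"),
    ],
    "www.example.test.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "mail.example.test.": [("A", "192.0.2.25")],
    "ns1.example.test.": [("A", "192.0.2.53")],
}
TYPES = {"A": 1, "NS": 2, "SOA": 6, "HINFO": 13, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in TYPES.items()}
REFUSE_ANY_HINFO = ("ANY not allowed", "")  # placeholder text for the synthesized HINFO answer

def encode_name(name):
    """Wire-format owner name, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def char_string(s):
    b = s.encode("ascii")
    return bytes([len(b)]) + b

def encode_rdata(rtype, rdata):
    if rtype == "A":
        return socket.inet_pton(socket.AF_INET, rdata)
    if rtype == "AAAA":
        return socket.inet_pton(socket.AF_INET6, rdata)
    if rtype == "NS":
        return encode_name(rdata)
    if rtype == "MX":
        return struct.pack(">H", rdata[0]) + encode_name(rdata[1])
    if rtype == "TXT":
        return char_string(rdata)
    if rtype == "HINFO":
        return char_string(rdata[0]) + char_string(rdata[1])
    if rtype == "SOA":
        return encode_name(rdata[0]) + encode_name(rdata[1]) + struct.pack(">IIIII", *rdata[2:])
    raise ValueError(rtype)

def build_query(qname, qtype, txid=0x1234):
    """Header (RD set, QDCOUNT=1) followed by one IN question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack(">HH", TYPES[qtype], 1)

def parse_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def select_records(qname, qtype, refuse_any=False):
    """ANY yields every RRset at the one queried owner name (never other names in the zone);
    with refuse_any the server substitutes a synthesized HINFO, as proposed in the thread."""
    rrsets = ZONE.get(qname, [])
    if qtype == "ANY":
        return [("HINFO", REFUSE_ANY_HINFO)] if refuse_any else list(rrsets)
    return [(t, r) for (t, r) in rrsets if t == qtype]

def respond(query, refuse_any=False):
    """Build an authoritative response (QR, AA set; RD copied; NXDOMAIN for unknown owner names)."""
    txid, flags = struct.unpack(">HH", query[:4])
    qname, off = parse_name(query, 12)
    qtype_code = struct.unpack(">H", query[off:off + 2])[0]
    question = query[12:off + 4]
    records = select_records(qname, TYPE_NAMES.get(qtype_code, "?"), refuse_any)
    answer = b""
    for rtype, rdata in records:
        rd = encode_rdata(rtype, rdata)
        answer += encode_name(qname) + struct.pack(">HHIH", TYPES[rtype], 1, 300, len(rd)) + rd
    rcode = 0 if qname in ZONE else 3
    header = struct.pack(">HHHHHH", txid, 0x8400 | (flags & 0x0100) | rcode, 1, len(records), 0, 0)
    return header + question + answer

def rcode(response):
    return struct.unpack(">H", response[2:4])[0] & 0xF

def answer_types(response):
    """Parse the answer section of an uncompressed response into [(owner, rtype)]."""
    qd, an = struct.unpack(">HH", response[4:8])
    off = 12
    for _ in range(qd):
        _, off = parse_name(response, off)
        off += 4
    out = []
    for _ in range(an):
        owner, off = parse_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10 + rdlen
        out.append((owner, TYPE_NAMES[rtype]))
    return out

if __name__ == "__main__":
    for name, qtype, refuse in [("example.test.", "ANY", False), ("www.example.test.", "ANY", False),
                                ("example.test.", "ANY", True)]:
        print(name, qtype, "refuse_any=%s:" % refuse, answer_types(respond(build_query(name, qtype), refuse)))
```

Running it shows that ANY at the apex returns the apex's own SOA, NS, MX, A and TXT records and nothing under www or mail, so a full zone walk would still need one query per name; with `refuse_any` the same query gets only the HINFO record, while ordinary A queries are unaffected.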
