[Pdns-users] Feature request: disable-any-meta-query-type
Aki Tuomi
cmouse at youzen.ext.b2.fi
Fri Dec 18 19:06:20 UTC 2015
On Fri, Dec 18, 2015 at 09:01:17PM +0200, Aki Tuomi wrote:
> On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> > Hello,
> >
> > I really like PowerDNS but
> >
> > I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> > and answer
> > with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> >
> > More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> >
> > The reason for this is security: people can easily learn the entire DNS
> > zone with one command.
> >
> > An authoritative server should be allowed to refuse to answer it.
> >
> > ANY queries are not widely used by any real-world software.
> > We are aware of only two programs that issue ANY queries:
> >
> > Un-patched versions of qmaild
> > Firefox version 36.0 to 36.0.1
> >
> > Thanks
> >
> > Josh
>
> Hi!
>
> Disabling ANY queries is not sensible from the point of view of zone security: your DNS
> data is public by definition, so if your security relies on not being able
> to query ANY for a particular name, you should reconsider your security model.
>
> You cannot learn the *entire* DNS zone with ANY query, unless it contains
> just records for one name.
>
> Better justification is needed for this, as the RFC requires ANY to work.
>
> Aki
>
Also, you can use 'any-to-tc=yes' to prevent UDP reflection attacks. You
can verify that it works with
dig any zone.com @auth +ignore
(note that +ignore is to ignore truncation, +notcp does not really do what
you'd expect).
Aki
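The verification step above (an ANY query over UDP that should come back with the TC bit set when 'any-to-tc=yes' is in effect, without falling back to TCP, which is what dig's +ignore does) can also be scripted. The following is an added example, not code from PowerDNS or from anyone in this thread; the server name, the query name and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

TYPE_ANY = 255   # QTYPE for ANY (the "meta" query type discussed in the thread)
CLASS_IN = 1

def build_any_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query packet: QTYPE=ANY, QCLASS=IN, RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                   # root label terminates the name
    return header + qname + struct.pack("!HH", TYPE_ANY, CLASS_IN)

def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response
        "tc": bool(flags & 0x0200),      # 1 = truncated, client is expected to retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def any_is_truncated(response: bytes, txid: int) -> bool:
    """True when the UDP reply to our ANY query is a response to it with TC=1,
    i.e. the server truncates ANY over UDP rather than sending a large answer."""
    h = parse_header(response)
    return h["qr"] and h["id"] == txid and h["tc"]

def query_any_udp(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the ANY query over UDP and return the raw reply without retrying over TCP
    (the equivalent of dig's +ignore). Network access only; not used by the offline check."""
    q = build_any_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

# Constructed sample replies for the offline check: header only, ID 0x1234, one question.
# 0x8380 = QR|TC|RD|RA  -> what an any-to-tc server returns over UDP.
# 0x8180 = QR|RD|RA     -> a normal, non-truncated reply with two answer records.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_FULL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
```

Against a live server, `any_is_truncated(query_any_udp("auth.example", "zone.com"), 0x1234)` performs the same check the dig command above does.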