[Pdns-users] Feature request: disable-any-meta-query-type

Josh Sanders facil77 at gmail.com
Fri Dec 18 20:50:22 UTC 2015


Aki, Thanks for your reply,

I have been working with PowerDNS for a few weeks so far.

Currently I am trying Federico Olivieri's iptables rules based on
hex-string ANY.

On the other hand ... for stopping those ones ...

zone: mydomain.com

Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680:
packetcache MISS
Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680:
packetcache MISS
Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680:
packetcache MISS
Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
packetcache MISS

As you may see, 'any-to-tcp=yes' seems not to be working so far ...



On Fri, Dec 18, 2015 at 1:01 PM, Aki Tuomi <cmouse at youzen.ext.b2.fi> wrote:

> On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> > Hello,
> >
> > I really like PowerDNS but
> >
> > I would like to have a setting disable-any-meta-query-type=yes in
> > pdns.conf and answer
> > with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> >
> > More info:
> > https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> >
> > The reason for this is security: people can easily learn the entire DNS
> > zone with one command.
> >
> > An authoritative server should be allowed to refuse to answer it.
> >
> > ANY queries are not widely used by any real world software.
> > We are aware of only two programs that issue ANY queries:
> >
> > Un-patched versions of qmaild
> > Firefox version 36.0 to 36.0.1
> >
> > Thanks
> >
> > Josh
>
> Hi!
>
> Disabling ANY queries is not sensible from the point of view of zone security; your DNS
> data is public by definition, so if your security relies on not being able
> to query ANY for a particular name, you should reconsider your security
> model.
>
> You cannot learn the *entire* DNS zone with ANY query, unless it contains
> just records for one name.
>
> Better justification is needed for this, as RFC requires ANY to be working.
>
> Aki
>
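The query-log lines Josh pasted above have a fixed shape, which makes them easy to watch for ANY-query floods from the server side rather than only at the packet filter. The following parser and per-client counter is an added example written for this thread, not PowerDNS code or Federico Olivieri's iptables rules; the log lines it runs on are constructed to match the format in the e-mail (with RFC 5737 documentation addresses in place of the masked ones), and the alert threshold of three ANY queries per remote is an arbitrary choice for illustration.

```python
import re
from collections import Counter

# Pattern for the PowerDNS authoritative query-log format quoted in the thread:
#   Remote <ip> wants '<qname>|<qtype>', do = <0|1>, bufsize = <n>: packetcache <HIT|MISS>
LOG_RE = re.compile(
    r"Remote (?P<remote>\S+) wants '(?P<qname>[^|']+)\|(?P<qtype>[A-Z0-9]+)', "
    r"do = (?P<do>[01]), bufsize = (?P<bufsize>\d+): packetcache (?P<cache>HIT|MISS)"
)

# Constructed sample log (not captured from a real server); addresses are
# documentation ranges standing in for the xxx.xxx.xxx.* values in the e-mail.
SAMPLE_LOG = """\
Remote 192.0.2.10 wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 198.51.100.7 wants 'domainA.com|A', do = 1, bufsize = 4096: packetcache HIT
Remote 198.51.100.7 wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Dec 18 20:50:22 pdns[1234]: Done launching threads, ready to distribute questions
"""


def parse_line(line):
    """Return a dict of the log fields, or None for lines in another format."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["do"] = int(fields["do"])          # DNSSEC OK bit as an int
    fields["bufsize"] = int(fields["bufsize"])  # advertised EDNS buffer size
    return fields


def query_counts_by_remote(log_text):
    """Count (total queries, ANY queries) per remote address."""
    totals = Counter()
    any_counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated daemon messages are skipped, not treated as errors
        totals[rec["remote"]] += 1
        if rec["qtype"] == "ANY":
            any_counts[rec["remote"]] += 1
    return totals, any_counts


def flag_any_heavy_remotes(log_text, threshold=3):
    """Remotes that sent at least `threshold` ANY queries, busiest first.

    Returns a list of (remote, any_count, total_count) tuples; the threshold is
    an assumed tuning knob, not a PowerDNS setting.
    """
    totals, any_counts = query_counts_by_remote(log_text)
    flagged = [
        (remote, n, totals[remote])
        for remote, n in any_counts.items()
        if n >= threshold
    ]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for remote, n_any, n_total in flag_any_heavy_remotes(SAMPLE_LOG):
        print(f"{remote}: {n_any} ANY of {n_total} queries")
```

Feeding a real log through `flag_any_heavy_remotes` gives a per-source view that the packet-filter rule alone does not: a client that sends only ANY queries, for many distinct names, looks very different from a mail server that sends one ANY among many ordinary lookups, and the `do`/`bufsize` fields are kept on each record so that the same parser can be reused to look at EDNS behaviour.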