[Pdns-users] auth: Refuse ANY queries

Peter Thomassen peter at desec.io
Fri Oct 27 10:07:43 UTC 2023


Hi,

On our pdns auth, we'd like to not serve ANY queries, not even over TCP*. Ideally, we'd like to return NOTIMPL.

In dnsdist, this is done with:

   -- dnsdist.conf (Lua): match on qtype ANY and answer NOTIMP before the query reaches the backend
   addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.NOTIMP))

However, we've removed our dnsdist (for port 53; still in use for DoT), as we've found that there is a performance penalty when using lmdb. So, for maximum performance, we'd like to have queries served directly by pdns auth.

Is it possible to configure pdns auth to return NOTIMPL (or REFUSED) for any ANY queries?

Thanks,
Peter

* The any-to-tcp setting allows enforcing TCP, but there are scenarios where the TCP cost is not on the attacker, so it's still worth their gamble: "In attacks that are reflected via open resolvers, (...) the open resolvers are happy to fall back to TCP" (https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/)

-- 
https://desec.io/
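The difference between the any-to-tcp approach and answering NOTIMP or REFUSED, as an added example that is not part of the message above and is not PowerDNS or dnsdist code: a toy Python model of an authoritative server's ANY handling on the wire, plus the open-resolver retry scenario the footnote refers to. The policy names ("any-to-tcp", "notimp", "refused"), the query name example.org and the absence of zone data are assumptions made for illustration.

```python
import struct

# DNS constants (RFC 1035 / IANA): qtype ANY, rcodes and header flag bits
QTYPE_ANY = 255
RCODE_NOERROR, RCODE_NOTIMP, RCODE_REFUSED = 0, 4, 5
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def build_query(name, qtype, txid=0x1234):
    """Build a minimal wire-format DNS query (no EDNS) for name/qtype."""
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (qname, qtype, raw question section) from a DNS message."""
    pos, parts = 12, []
    while msg[pos]:
        n = msg[pos]
        parts.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1                                  # skip the root label
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(parts) + ".", qtype, msg[12:pos + 4]


def rcode_of(msg):
    """Low 4 bits of the flags word (no EDNS extended rcode in this toy)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def answer_any(query, policy, transport):
    """
    Simulated authoritative-server policy for ANY queries (assumed policy names):
      "any-to-tcp": UDP gets an empty reply with TC=1, TCP gets a normal NOERROR answer
      "notimp":     every ANY query gets NOTIMP, whatever the transport
      "refused":    every ANY query gets REFUSED, whatever the transport
    Non-ANY queries get NOERROR with no records (toy server, no zone data loaded).
    """
    txid = struct.unpack("!H", query[:2])[0]
    _, qtype, question = parse_question(query)
    flags, rcode = FLAG_QR, RCODE_NOERROR
    if qtype == QTYPE_ANY:
        if policy == "any-to-tcp":
            if transport == "udp":
                flags |= FLAG_TC              # "retry over TCP" signal
        elif policy == "notimp":
            rcode = RCODE_NOTIMP
        elif policy == "refused":
            rcode = RCODE_REFUSED
        else:
            raise ValueError("unknown policy %r" % policy)
    header = struct.pack("!HHHHHH", txid, flags | rcode, 1, 0, 0, 0)
    return header + question


def reflector_gets_answer(policy):
    """
    Model the reflection case from the Cloudflare post: an open resolver that sees
    TC=1 over UDP falls back to TCP on the attacker's behalf. Returns True when the
    ANY query still ends in a NOERROR answer, i.e. the server still does ANY work.
    """
    q = build_query("example.org.", QTYPE_ANY)     # constructed sample query
    r = answer_any(q, policy, "udp")
    if is_truncated(r):
        r = answer_any(q, policy, "tcp")
    return rcode_of(r) == RCODE_NOERROR


if __name__ == "__main__":
    for pol in ("any-to-tcp", "notimp", "refused"):
        print(pol, "-> reflector still gets an answer:", reflector_gets_answer(pol))
```

With the any-to-tcp policy the truncated UDP reply only moves the cost onto whoever retries over TCP, which in the reflection case is the open resolver, not the attacker; NOTIMP or REFUSED ends the exchange on both transports.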


More information about the Pdns-users mailing list