From: Peter Müller
To: development@lists.ipfire.org
Subject: [RFC PATCH] Unbound: Deny DNS queries of type ANY
Date: Sat, 25 Sep 2021 09:53:13 +0200
Message-ID: <2ed9b3f6-28eb-3922-5501-f431df64e5ba@ipfire.org>

While not inherently malicious, ANY queries are nowadays commonly used in
DNS-based DDoS attacks, since nameservers must respond with a _very_ large
answer to a very small query. In 2015, Cloudflare stopped responding to them
altogether (see: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/),
and several discussions took place in various DNS operator working groups,
ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).

Aside from - very uncommon - debugging or enumerating purposes, there is little
legitimate reason why a client behind IPFire needs to conduct an ANY query. In
fact, no up-to-date implementation of some legitimate software has been observed
doing so in the recent past.

To prevent IPFire from unintentionally participating in a DDoS attack, this
patch changes the handling of ANY queries, forbidding them altogether.

Signed-off-by: Peter Müller
---
 config/unbound/unbound.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 9d5e840dd..3848b0f71 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -40,6 +40,7 @@ server:
 	harden-large-queries: yes
 	harden-referral-path: yes
 	aggressive-nsec: yes
+	deny-any: yes
 
 	# TLS
 	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
-- 
2.26.2
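Review bot: The added `deny-any: yes` line (after `aggressive-nsec: yes`) does not "forbid" ANY queries in the sense the cover text suggests; per the unbound.conf(5) description of deny-any, Unbound answers them with an empty response instead of serving records from cache or sending an ANY query upstream. Please either adjust the commit message or add a short comment above the option stating that clients will get an empty answer rather than a refusal, so whoever later debugs a failing `dig ANY` against IPFire knows it is intentional. The hunk also gives no hint which Unbound version IPFire ships; Unbound rejects unknown keywords at startup, so it is worth confirming in the cover text that the shipped version already knows deny-any, otherwise the daemon will not start after the update. Placing the option next to the other hardening settings in the server: block is fine.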
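One thing a reviewer would want after applying a change like this is a way to confirm what the resolver now actually returns for an ANY query. The following is an added example, not part of the patch or of IPFire's own tooling: it builds the wire-format ANY query a client sends, classifies a response as a full answer, an RFC 8482 minimal answer (a single HINFO record), or the empty answer that Unbound's deny-any produces, and reports the response/query size ratio that makes ANY attractive for amplification. The resolver address, the queried name and the record contents in the sample responses are constructed placeholders.

```python
"""Probe and classify a resolver's handling of DNS ANY queries.

Added example (not IPFire or Unbound code). Sample responses below are
constructed inline so the parsing logic can be exercised offline; send_udp()
talks to a real resolver and is only needed for a live check.
"""
import socket
import struct

QTYPE_ANY = 255
QTYPE_HINFO = 13


def build_any_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format query: header with RD set, one question of type ANY, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_ANY, 1)


def build_response(query: bytes, records) -> bytes:
    """Constructed response echoing the question; records is a list of (rtype, rdata).

    Answer owner names use a compression pointer to the question name (offset 12),
    which is how real resolvers encode them.
    """
    txid = query[:2]
    question = query[12:]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
        for rtype, rdata in records
    )
    return header + question + rrs


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes, ends the name
            return off + 2
        off += 1 + length


def summarize_response(query: bytes, resp: bytes) -> dict:
    """Parse the answer section and classify how the resolver treated the ANY query."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    if an == 0:
        verdict = "empty"            # what Unbound's deny-any returns
    elif types == [QTYPE_HINFO]:
        verdict = "rfc8482-minimal"  # single HINFO instead of the full set
    else:
        verdict = "full"
    return {
        "rcode": flags & 0xF,
        "answers": an,
        "answer_types": types,
        "amplification": len(resp) / len(query),
        "verdict": verdict,
    }


def send_udp(resolver: str, name: str, timeout: float = 2.0) -> dict:
    """Live check against a resolver, e.g. send_udp("192.0.2.1", "example.org")."""
    query = build_any_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    return summarize_response(query, resp)


if __name__ == "__main__":
    q = build_any_query("example.org")  # placeholder name
    # Constructed "full" answer: A, AAAA and a 100-byte TXT record.
    full = build_response(q, [(1, b"\xc0\x00\x02\x01"), (28, bytes(16)), (16, b"c" + b"a" * 99)])
    print(summarize_response(q, full))
    print(summarize_response(q, build_response(q, [])))  # deny-any style
```

Run against a live IPFire with `send_udp("<green address>", "example.org")`; before the patch the verdict should be "full" (or "rfc8482-minimal" if the upstream follows RFC 8482), after it "empty". The amplification figure is the plain size ratio on the wire and already shows why a small ANY query is worth answering minimally.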