From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] Unbound: Deny DNS queries of type ANY
Date: Mon, 27 Sep 2021 09:15:21 +0000 [thread overview]
Message-ID: <6c8515d2-d2bf-2d46-7651-66544f434dfd@ipfire.org> (raw)
In-Reply-To: <aa51a5ab-2fbf-1b3b-83b6-f265134a2712@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 1902 bytes --]
Hello Bernhard,
thanks for your reply.
Due to the extra space, Patchwork did not parse it. Therefore, I take the liberty to:
Acked-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
:-)
Thanks, and best regards,
Peter Müller
> Acked-by : Bernhard Bitsch <bbitsch(a)ipfire.org>
>
> Am 25.09.2021 um 09:53 schrieb Peter Müller:
>> While not inherently malicious, ANY queries are nowadays commonly used
>> in DNS-based DDoS attacks, since nameservers must respond with a _very_
>> large answer to a very small query.
>>
>> In 2015, Cloudflare stopped responding to them altogether (see:
>> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
>> several discussions took place in various DNS operator working groups,
>> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
>>
>> Aside from - very uncommon - debugging or enumerating purposes, there is
>> little legitimate reason why a client behind IPFire needs to conduct an
>> ANY query. In fact, no up-to-date implementation of some legitimate software
>> has been observed doing so in the recent past.
>>
>> To prevent IPFire from unintentionally participating in a DDoS attack,
>> this patch changes the handling of ANY queries, forbidding them
>> altogether.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/unbound/unbound.conf | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 9d5e840dd..3848b0f71 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -40,6 +40,7 @@ server:
>> harden-large-queries: yes
>> harden-referral-path: yes
>> aggressive-nsec: yes
>> + deny-any: yes
>> # TLS
>> tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
>>
next prev parent reply other threads:[~2021-09-27 9:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-25 7:53 Peter Müller
2021-09-25 8:12 ` Bernhard Bitsch
2021-09-27 9:15 ` Peter Müller [this message]
2021-09-28 10:53 ` Michael Tremer
2021-09-28 12:17 ` Bernhard Bitsch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c8515d2-d2bf-2d46-7651-66544f434dfd@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox