Hello Bernhard,

thanks for your reply. Due to the extra space, Patchwork did not parse it.
Therefore, I take the liberty to:

Acked-by: Bernhard Bitsch

:-)

Thanks, and best regards,
Peter Müller

> Acked-by : Bernhard Bitsch
>
> On 25.09.2021 at 09:53, Peter Müller wrote:
>> While not inherently malicious, ANY queries are nowadays commonly used
>> in DNS-based DDoS attacks, since nameservers must respond with a _very_
>> large answer to a very small query.
>>
>> In 2015, Cloudflare stopped responding to them altogether (see:
>> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
>> several discussions took place in various DNS operator working groups,
>> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
>>
>> Aside from - very uncommon - debugging or enumerating purposes, there is
>> little legitimate reason why a client behind IPFire needs to conduct an
>> ANY query. In fact, no up-to-date implementation of some legitimate software
>> has been observed doing so in the recent past.
>>
>> To prevent IPFire from unintentionally participating in a DDoS attack,
>> this patch changes the handling of ANY queries, forbidding them
>> altogether.
>>
>> Signed-off-by: Peter Müller
>> ---
>>   config/unbound/unbound.conf | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 9d5e840dd..3848b0f71 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -40,6 +40,7 @@ server:
>>       harden-large-queries: yes
>>       harden-referral-path: yes
>>       aggressive-nsec: yes
>> +    deny-any: yes
>>       # TLS
>>       tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
>>
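Review bot: `deny-any: yes` goes into the harden-* block with no comment, so the file itself will not say why ANY is refused or what a LAN client running `dig ANY` now gets back; the neighbouring options are server-internal hardening knobs while this one is client-visible, so a one-line comment above it along the lines of `# Refuse ANY queries, see RFC 8482` would carry the rationale from the commit message into the config. The commit message, for its part, says ANY is forbidden altogether but does not state the form of the refusal; a sentence quoting the unbound.conf(5) wording for deny-any would tell the reader what to expect without a trip to the manual.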
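The amplification the commit message describes (a very small query, a very large answer), as an added example that is not IPFire's or Unbound's code: a Python script that builds a QTYPE=ANY query on the wire, parses the reply and reports the reply-to-query size ratio together with the shape of the reply (full answer, RFC 8482 style HINFO, empty NOERROR, error rcode, or truncated). The four replies in demo() are constructed by hand so it runs offline; probe() sends the same query to a resolver you name. The resolver address, the example.com sample records and the function names are assumptions for this illustration, not data from the page or the project.

```python
"""Added example, not IPFire or Unbound code: size up what a resolver returns for a
QTYPE=ANY query. Builds the query on the wire, parses the reply and reports the
amplification factor (reply bytes / query bytes) and the reply's shape. The replies
in demo() are constructed by hand so it runs offline; only probe() uses the network."""
import secrets
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_HINFO, QTYPE_MX, QTYPE_TXT, QTYPE_ANY = 1, 2, 6, 13, 15, 16, 255
QCLASS_IN, RCODE_NOTIMP = 1, 4


def encode_name(name):
    """Dotted name -> length-prefixed labels, root terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_any_query(name, txid=None):
    """Recursive ANY query without EDNS: the tiny packet an amplification attacker spoofs."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)


def decode_name(msg, off, depth=0):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    if depth > 64:
        raise ValueError("compression pointer loop")
    length = msg[off]
    if length & 0xC0 == 0xC0:                            # pointer (RFC 1035 section 4.1.4)
        target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        return decode_name(msg, target, depth + 1)[0], off + 2
    if length == 0:
        return "", off + 1
    label = msg[off + 1:off + 1 + length].decode("ascii")
    rest, end = decode_name(msg, off + 1 + length, depth)
    return label + "." + rest, end


def parse_response(msg):
    """Header fields plus every RR as (name, type, rdata); sections are merged."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4               # skip qname, qtype, qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((name, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return {"txid": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "ancount": an, "rrs": rrs}


def classify(query, response):
    """(kind, amplification factor) for a reply to `query`."""
    r = parse_response(response)
    hinfo = [rd for _n, t, rd in r["rrs"] if t == QTYPE_HINFO]
    if r["rcode"] != 0:
        kind = "error"                                   # REFUSED, NOTIMP, ...
    elif r["tc"]:
        kind = "truncated"                               # over 512 bytes; a client would retry via TCP
    elif hinfo and hinfo[0][1:1 + hinfo[0][0]] == b"RFC8482":
        kind = "rfc8482"                                 # minimal HINFO "RFC8482" answer
    elif r["ancount"] == 0:
        kind = "empty"                                   # NOERROR, empty answer section
    else:
        kind = "full"
    return kind, len(response) / len(query)


def build_response(query, rcode, rrs):
    """Constructed reply: echo the question; answer names are a pointer to it (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(rrs), 0, 0)  # QR, RD, RA
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, QCLASS_IN, 300, len(rd)) + rd
                    for t, rd in rrs)
    return header + query[12:] + body


def demo():
    """Four hand-built replies to one 29-byte ANY query for example.com (constructed data)."""
    _, q = build_any_query("example.com.", txid=0x1234)
    txt = b"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    full = [(QTYPE_A, bytes([192, 0, 2, 1])),            # what an unfiltered server returns
            (QTYPE_NS, b"\x03ns1\xc0\x0c"), (QTYPE_NS, b"\x03ns2\xc0\x0c"),
            (QTYPE_MX, b"\x00\x0a\x04mail\xc0\x0c"),
            (QTYPE_TXT, bytes([len(txt)]) + txt),
            (QTYPE_SOA, b"\x03ns1\xc0\x0c\x05admin\xc0\x0c"
                        + struct.pack("!IIIII", 2021092501, 7200, 3600, 1209600, 300))]
    return {"full": classify(q, build_response(q, 0, full)),
            "hinfo": classify(q, build_response(q, 0, [(QTYPE_HINFO, b"\x07RFC8482\x00")])),
            "empty": classify(q, build_response(q, 0, [])),
            "notimp": classify(q, build_response(q, RCODE_NOTIMP, []))}


def probe(server, name="example.com.", timeout=2.0):
    """Live check against a resolver you operate, over plain UDP like a spoofed attack packet."""
    txid, q = build_any_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = s.recvfrom(4096)[0]
    if struct.unpack("!H", resp[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return classify(q, resp)


if __name__ == "__main__":
    print(demo())
```

Run probe() against the IPFire resolver from a LAN client before and after the change to see the reply shape switch. Because probe() sends a bare UDP query with no EDNS, a large pre-change answer shows up as "truncated" rather than as a multi-kilobyte packet; that 512-byte ceiling is exactly why attackers add an EDNS OPT record to their spoofed ANY queries, and why the demo's constructed "full" reply is a conservative picture of the amplification a real ANY answer can reach.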