From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] Unbound: Deny DNS queries of type ANY
Date: Mon, 27 Sep 2021 09:15:21 +0000
Message-ID: <6c8515d2-d2bf-2d46-7651-66544f434dfd@ipfire.org>

Hello Bernhard,

thanks for your reply. Due to the extra space, Patchwork did not parse it. Therefore, I take the liberty to:

Acked-by: Bernhard Bitsch

:-)

Thanks, and best regards,
Peter Müller

> Acked-by : Bernhard Bitsch
>
> On 25.09.2021 at 09:53, Peter Müller wrote:
>> While not inherently malicious, ANY queries are nowadays commonly used
>> in DNS-based DDoS attacks, since nameservers must respond with a _very_
>> large answer to a very small query.
>>
>> In 2015, Cloudflare stopped responding to them altogether (see:
>> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
>> several discussions took place in various DNS operator working groups,
>> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
>>
>> Aside from - very uncommon - debugging or enumerating purposes, there is
>> little legitimate reason why a client behind IPFire needs to conduct an
>> ANY query. In fact, no up-to-date implementation of some legitimate software
>> has been observed doing so in the recent past.
>>
>> To prevent IPFire from unintentionally participating in a DDoS attack,
>> this patch changes the handling of ANY queries, forbidding them
>> altogether.
>>
>> Signed-off-by: Peter Müller
>> ---
>>   config/unbound/unbound.conf | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 9d5e840dd..3848b0f71 100644
>> --- a/config/unbound/unbound.conf >> +++ b/config/unbound/unbound.conf >> @@ -40,6 +40,7 @@ server: >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 harden-large-queries: yes >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 harden-referral-path: yes >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 aggressive-nsec: yes >> +=C2=A0=C2=A0=C2=A0 deny-any: yes >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # TLS >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 tls-cert-bundle: /etc/ssl/certs/ca-bundle.c= rt >> --===============1064181066810747665==--
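Review bot: The hunk as mailed has had its indentation turned into non-breaking spaces (the `=C2=A0` runs in front of `harden-large-queries: yes`, `aggressive-nsec: yes` and the added `deny-any: yes` line), and the added line carries fewer of them than the context lines around it, so it is unlikely to apply cleanly from the list archive and, once applied, will not line up with its neighbours; please resend with plain spaces and with `deny-any: yes` indented exactly like `aggressive-nsec: yes` above it. The header `@@ -40,6 +40,7 @@` also announces seven new-side lines while only six are visible here (three context lines, the addition, `# TLS` and `tls-cert-bundle`), which suggests a blank line was lost in transit and is another sign the mail client mangled the patch; this is presumably the "extra space" that kept Patchwork from parsing the reply. On the commit message: it says ANY queries are "forbidden altogether", but it would help operators who later test the resolver with `dig ... ANY` to state what response the option actually produces (an empty answer versus a REFUSED rcode), so the observed behaviour is not mistaken for a broken resolver.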