Acked-by: Bernhard Bitsch

On 25.09.2021 at 09:53, Peter Müller wrote:
> While not inherently malicious, ANY queries are nowadays commonly used
> in DNS-based DDoS attacks, since nameservers must respond with a _very_
> large answer to a very small query.
>
> In 2015, Cloudflare stopped responding to them altogether (see:
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
> several discussions took place in various DNS operator working groups,
> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
>
> Aside from - very uncommon - debugging or enumerating purposes, there is
> little legitimate reason why a client behind IPFire needs to conduct an
> ANY query. In fact, no up-to-date implementation of some legitimate software
> has been observed doing so in the recent past.
>
> To prevent IPFire from unintentionally participating in a DDoS attack,
> this patch changes the handling of ANY queries, forbidding them
> altogether.
>
> Signed-off-by: Peter Müller
> ---
> config/unbound/unbound.conf | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 9d5e840dd..3848b0f71 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -40,6 +40,7 @@ server:
> harden-large-queries: yes
> harden-referral-path: yes
> aggressive-nsec: yes
> + deny-any: yes
>
> # TLS
> tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
>
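Review bot: the commit message says ANY queries are now "forbidden altogether", but the hunk only adds the bare `deny-any: yes` line with nothing in the file recording why it is there or what a client asking for ANY will now get back; please carry the rationale into the config itself, e.g. a `# Refuse ANY meta-queries (RFC 8482)` comment directly above `deny-any: yes`, so the reasoning in the cover text (Cloudflare's 2015 change, RFC 8482) survives for whoever edits this block next. The message would also benefit from a short "how verified" line, since it itself notes that ANY is still used for debugging and a tester will want to compare an ANY lookup against the firewall before and after the change.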
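As an added example that is not part of the patch, of IPFire or of Unbound (constructed packets, documentation-range addresses and hypothetical helper names), a small Python check that parses the question section of captured DNS queries, flags QTYPE 255 (ANY) and counts such queries per source, which lets an operator confirm how often clients behind the firewall actually send ANY before and after `deny-any: yes` is rolled out:

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # RFC 1035 QTYPE "*" (ANY), the meta-query the patch turns off

def parse_question(pkt: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(pkt) < 12 or struct.unpack_from("!H", pkt, 4)[0] < 1:  # QDCOUNT at offset 4
        raise ValueError("truncated header or empty question section")
    labels, off = [], 12
    while True:
        n = pkt[off]  # IndexError on a truncated name is handled by the caller
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return ".".join(labels) or ".", qtype, qclass

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal one-question query (RD set, class IN); only used to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".") if l)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def any_queries_by_source(packets):
    """packets: iterable of (src_ip, raw_query_bytes); returns a Counter of ANY questions per source."""
    counts = Counter()
    for src, raw in packets:
        try:
            _, qtype, _ = parse_question(raw)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed or truncated packet: not a well-formed question at all
        if qtype == QTYPE_ANY:
            counts[src] += 1
    return counts

# Constructed sample (documentation-range addresses): three ANY queries from one host,
# one ordinary A query from another, and one truncated packet that must be skipped.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query("example.com", QTYPE_ANY)),
    ("192.0.2.10", build_query("example.org", QTYPE_ANY)),
    ("192.0.2.10", build_query("example.net", QTYPE_ANY)),
    ("198.51.100.7", build_query("www.example.com", 1)),  # QTYPE 1 = A
    ("198.51.100.7", b"\x00\x01"),
]
```

Feeding it the UDP payloads of queries captured on the firewall's inside interface gives a per-client count of ANY traffic; a non-empty result after the change points at a client that still needs attention even though Unbound no longer answers it in full.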