From: Bernhard Bitsch <bbitsch@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] Unbound: Deny DNS queries of type ANY
Date: Sat, 25 Sep 2021 10:12:55 +0200
Message-ID: <aa51a5ab-2fbf-1b3b-83b6-f265134a2712@ipfire.org>
In-Reply-To: <2ed9b3f6-28eb-3922-5501-f431df64e5ba@ipfire.org>
List-Id: <development.lists.ipfire.org>


Acked-by: Bernhard Bitsch <bbitsch@ipfire.org>

On 25.09.2021 at 09:53, Peter Müller wrote:
> While not inherently malicious, ANY queries are nowadays commonly used
> in DNS-based DDoS attacks, since nameservers must respond with a _very_
> large answer to a very small query.
>
> In 2015, Cloudflare stopped responding to them altogether (see:
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
> several discussions took place in various DNS operator working groups,
> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
>
> Aside from - very uncommon - debugging or enumerating purposes, there is
> little legitimate reason why a client behind IPFire needs to conduct an
> ANY query. In fact, no up-to-date implementation of some legitimate software
> has been observed doing so in the recent past.
>
> To prevent IPFire from unintentionally participating in a DDoS attack,
> this patch changes the handling of ANY queries, forbidding them
> altogether.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
>   config/unbound/unbound.conf | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index 9d5e840dd..3848b0f71 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -40,6 +40,7 @@ server:
>   	harden-large-queries: yes
>   	harden-referral-path: yes
>   	aggressive-nsec: yes
> +	deny-any: yes
>  =20
>   	# TLS
>   	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
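Review bot: the commit message says ANY queries are forbidden altogether, but Unbound's deny-any, as unbound.conf(5) describes it, denies them with an empty response rather than refusing or dropping them, so a client issuing ANY still receives a small, well-formed answer; the message should say so. The neighbouring harden-* lines in this hunk carry no comment, so the reason for the new line will be lost in the config file; a one-liner such as `# RFC 8482: answer ANY queries with an empty response` above `deny-any: yes` would keep it. Please also run unbound-checkconf against the Unbound version IPFire ships before merging, because an option keyword that version does not know is a parse error and Unbound will not start.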
>

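An added example, not part of this patch or of IPFire's own code, showing in Python what the quoted message describes: the wire-format ANY query a client sends, a constructed empty reply (the shape an ANY-denying resolver hands back) beside a constructed multi-record reply, and the bytes-out to bytes-in ratio that makes the latter attractive for reflection. build_response and the TXT records are constructed test data; probe() sends one real query and is meant for checking a resolver you operate.

```python
import socket
import struct

QTYPE_ANY = 255   # the meta query type the patch denies
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS wire-format labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_any_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal ANY query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_ANY, QCLASS_IN)

def build_response(query: bytes, records: list) -> bytes:
    """Constructed reply (test data, not real resolver output): echo the question,
    then one RR per (rtype, rdata) pair, each owner a compression pointer to offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA, NOERROR
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", rtype, QCLASS_IN, 300, len(rdata)) + rdata
                   for rtype, rdata in records)
    return header + query[12:] + rrs

def assess(query: bytes, response: bytes) -> dict:
    """Classify a reply to an ANY query by answer count and bytes-out / bytes-in ratio."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    if txid != struct.unpack(">H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("response does not belong to this query")
    ratio = round(len(response) / len(query), 2)
    return {"rcode": flags & 0x000F, "answers": ancount, "amplification": ratio,
            "amplifies": ancount > 0 and ratio > 1.0}

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one ANY query over UDP to a resolver you operate and assess what comes back."""
    query = build_any_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return assess(query, response)

if __name__ == "__main__":
    q = build_any_query("example.com")
    print(assess(q, build_response(q, [])))                                 # empty reply: no amplification
    print(assess(q, build_response(q, [(16, b"\xff" + b"x" * 255)] * 10)))  # ten 256-byte TXT RRs
```

The 29-byte query against the ten-record reply gives a ratio above 90, which is the asymmetry the quoted message refers to; after the patch, probe() against the IPFire resolver should report zero answers and a ratio of about 1.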