Re: [RFC PATCH] Unbound: Deny DNS queries of type ANY

[Bernhard Bitsch <bbitsch@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3681 bytes --]

Hello,

after reading Michael's annotations, I must agree to his arguments.
So I reject my ACK.

Regards,
Bernhard

Am 28.09.2021 um 12:53 schrieb Michael Tremer:
> Hello,
> 
> I would like to NACK this change.
> 
>> On 25 Sep 2021, at 08:53, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> While not inherently malicious, ANY queries are nowadays commonly used
>> in DNS-based DDoS attacks, since nameservers must respond with a _very_
>> large answer to a very small query.
> 
> ANY requests are definitely very common, but they are not the only record type being used for this.
> 
>> In 2015, Cloudflare stopped responding to them altogether (see:
>> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and
>> several discussions took place in various DNS operator working groups,
>> ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
> 
> Yes sure. Why would Cloudflare try to fix things when there is a much cheaper alternative? Just turning everything off.
> 
>> Aside from - very uncommon - debugging or enumerating purposes, there is
>> little legitimate reason why a client behind IPFire needs to conduct an
>> ANY query. In fact, no up-to-date implementation of some legitimate software
>> has been observed doing so in the recent past.
> 
> Indeed clients (if every) send an ANY query. However, debugging DNS is a common operation and sending an ANY query helps to figure out any problems very quickly.
> 
> I would therefore like to NACK this proposal because we are basically destroying DNS here. We are making it harder for users to use and debug their DNS system. I am personally affected by this change.
> 
> I also do not see any benefit here. IPFire’s DNS system isn’t designed to be publicly accessible on the internet. If people decide to do so, then it requires more configuration and they are welcome to add this configuration line to filter ANY requests, too - do they wish so.
> 
>> To prevent IPFire from unintentionally participating in a DDoS attack,
>> this patch changes the handling of ANY queries, forbidding them
>> altogether.
> 
> This change isn’t helping anyone. Maybe Cloudflare wants to look like the “good guy”, but filtering ANY requests doesn’t change anything. What about DNSSEC-signed responses? They would be larger and make an amplification attack possible. What about TXT records? Are we going to filter them next if they are longer than the query packet? That probably would destroy DMARC, DKIM, SPF, IPSECKEY, SSHFP and many many other applications.
> 
> It is a common thing on the internet to send a small query and receive a bigger response. It is part of its nature. However blocking that is only destroying our protocols which become limited in their application.
> 
> I could live with a rate-limiting which is what the Lightning Wire Labs DNS service is applying. That way, debugging is still possible, and abusing the service isn’t. There is also rate-limiting on all other record types, just not as strict as on ANY queries.
> 
> -Michael
> 
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/unbound/unbound.conf | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
>> index 9d5e840dd..3848b0f71 100644
>> --- a/config/unbound/unbound.conf
>> +++ b/config/unbound/unbound.conf
>> @@ -40,6 +40,7 @@ server:
>> 	harden-large-queries: yes
>> 	harden-referral-path: yes
>> 	aggressive-nsec: yes
>> +	deny-any: yes
>>
>> 	# TLS
>> 	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
>> -- 
>> 2.26.2
>