While not inherently malicious, ANY queries are nowadays commonly used in DNS-based DDoS attacks, since nameservers must respond with a _very_ large answer to a very small query.
In 2015, Cloudflare stopped responding to them altogether (see: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/), and several discussions took place in various DNS operator working groups, ultimately resulting in RFC 8482 (https://datatracker.ietf.org/doc/html/rfc8482).
Aside from - very uncommon - debugging or enumerating purposes, there is little legitimate reason why a client behind IPFire needs to conduct an ANY query. In fact, no up-to-date implementation of some legitimate software has been observed doing so in the recent past.
To prevent IPFire from unintentionally participating in a DDoS attack, this patch changes the handling of ANY queries, forbidding them altogether.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/unbound/unbound.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 9d5e840dd..3848b0f71 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -40,6 +40,7 @@ server: harden-large-queries: yes harden-referral-path: yes aggressive-nsec: yes + deny-any: yes
# TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
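Review bot: the added `deny-any: yes` line carries no comment explaining why ANY is being denied, even though this file already annotates sections (`# TLS`) and the commit message cites RFC 8482 as the rationale; a one-line comment such as `# Deny ANY queries (RFC 8482) to avoid amplifying DNS DDoS traffic` above the new directive would keep that context with the setting, since the commit message itself notes that rare debugging or enumeration uses exist and a future maintainer may otherwise wonder why they fail. Placement is also slightly off: the option sits at the end of the `harden-*` block although it is not a hardening option in that family, so a separate short block would read more clearly. Before merging, it is worth running `unbound-checkconf` against the Unbound version IPFire ships to confirm it accepts `deny-any`, and then checking from a client behind the firewall that ordinary A, AAAA and MX lookups still resolve while an ANY query now gets the reduced response the commit message describes.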