On Fri, Dec 18, 2015 at 09:01:17PM +0200, Aki Tuomi wrote:
> On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> > Hello,
> >
> > I really like PowerDNS but
> >
> > I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> > and answer
> > with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> >
> > More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> >
> > The reason for this is security: people can easily learn the entire DNS
> > zone with one command.
> >
> > An authoritative server should be allowed to refuse to answer it.
> >
> > ANY queries are not widely used by any real world software.
> > We are aware of only two programs that issue ANY queries:
> >
> > Un-patched versions of qmaild
> > Firefox version 36.0 to 36.0.1
> >
> > Thanks
> >
> > Josh
>
> Hi!
>
> Disabling ANY queries is not sensible from the point of view of zone security: your DNS
> data is public by definition, so if your security relies on not being able
> to query ANY for a particular name, you should reconsider your security model.
>
> You cannot learn the *entire* DNS zone with an ANY query, unless it contains
> just records for one name.
>
> Better justification is needed for this, as the RFC requires ANY to be working.
>
> Aki
>
Also, you can use 'any-to-tc=yes' to prevent UDP reflection attacks. You can
verify that it works with

  dig any zone.com @auth +ignore

(note that +ignore is to ignore truncation; +notcp does not really do what
you'd expect).

Aki

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
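The verification step above can be scripted so that it does not rely on eyeballing dig's output. The script below is an added example and is not part of the thread or of PowerDNS itself; it assumes the `;; flags:` header line that BIND's `dig` prints, and the function name `check_any_to_tc`, the server name `auth` and the zone `zone.com` are placeholders taken from the message. It reads the flag list from a dig run with `+ignore` (so dig does not silently retry over TCP) and reports whether the UDP ANY answer came back with the TC bit set, which is what `any-to-tc=yes` should produce; the two sample dig outputs are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): check that an authoritative
# server answers ANY over UDP with a truncated (TC) response, as any-to-tc=yes does.
# Assumes BIND dig output, which carries a line like:
#   ;; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

# tc_flag_set: reads dig output on stdin; exit 0 if the TC flag is present, 1 otherwise.
tc_flag_set() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags:/, "")   # drop the prefix
            sub(/;.*$/, "")         # keep only the flag tokens before the first ";"
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "tc") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# check_any_to_tc SERVER NAME: query ANY for NAME over UDP at SERVER.
# +ignore keeps dig from retrying over TCP, so we see the UDP answer as sent.
# (Placeholder names; needs network access and dig installed.)
check_any_to_tc() {
    server=$1; name=$2
    if dig any "$name" "@$server" +ignore | tc_flag_set; then
        echo "ANY over UDP for $name at $server is truncated (any-to-tc in effect)"
        return 0
    else
        echo "ANY over UDP for $name at $server returned a full answer (set any-to-tc=yes)"
        return 1
    fi
}

# Constructed sample dig headers for offline testing of tc_flag_set.
SAMPLE_TRUNCATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FULL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'

# Usage against a live server (placeholders from the message):
#   check_any_to_tc auth zone.com
```

The truncated reply is what a client that genuinely needs ANY will follow up over TCP, while a spoofed-source UDP query gets only a tiny response, which is why this setting blunts reflection rather than breaking the record type outright.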
