Aki,

Thanks for your reply, I have been working with PowerDNS for a few weeks so far.
Currently I am trying Federico Olivieri's iptables rules based on hex-string ANY. On the other hand ... for stopping those ones ...

zone: mydomain.com
Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS

As you may see, 'any-to-tcp=yes' seems not to be working so far ...

On Fri, Dec 18, 2015 at 1:01 PM, Aki Tuomi <[email protected]> wrote:
> On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> > Hello,
> >
> > I really like PowerDNS but
> >
> > I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> > and answer
> > with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> >
> > More info:
> > https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> >
> > The reason for this is security: people can easily learn the entire DNS
> > zone with one command.
> >
> > An authoritative server should be allowed to refuse to answer it.
> >
> > ANY queries are not widely used by any real world software.
> > We are aware of only two programs that issue ANY queries:
> >
> > Un-patched versions of qmaild
> > Firefox version 36.0 to 36.0.1
> >
> > Thanks
> >
> > Josh
>
> Hi!
>
> Disabling ANY queries is not sensible from the point of view of zone security, your DNS
> data is public by definition, so if your security relies on not being able
> to query ANY for a particular name, you should reconsider your security
> model.
>
> You cannot learn the *entire* DNS zone with an ANY query, unless it contains
> just records for one name.
>
> Better justification is needed for this, as the RFC requires ANY to be working.
>
> Aki
>
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
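An added example, not from the thread or from PowerDNS itself: a small Python parser for query-log lines of the shape quoted in the message above, counting ANY queries per source so that a burst from one address stands out. The line format is the one shown in the thread; the sample addresses (RFC 5737 documentation ranges), the sample lines and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Regex for the PowerDNS query-log line shape quoted in the thread:
#   Remote <ip> wants '<qname>|<qtype>', do = <0|1>, bufsize = <n>: packetcache <HIT|MISS>
LOG_RE = re.compile(
    r"Remote (?P<remote>\S+) wants '(?P<qname>[^|']+)\|(?P<qtype>[A-Z0-9]+)', "
    r"do = (?P<do>[01]), bufsize = (?P<bufsize>\d+): packetcache (?P<cache>HIT|MISS)"
)

# Constructed sample lines (documentation addresses, not real sources);
# the last line is deliberately not a query-log line and must be skipped.
SAMPLE_LOG = """\
Remote 192.0.2.10 wants 'domaina.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainb.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainc.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 198.51.100.7 wants 'domaina.com|A', do = 1, bufsize = 4096: packetcache HIT
Remote 203.0.113.5 wants 'domaind.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Dec 18 13:05:01 some unrelated line the parser must skip
"""


def parse_query_log(text):
    """Yield one dict per line that matches the query-log shape; skip everything else."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["do"] = rec["do"] == "1"          # DNSSEC OK bit as a bool
            rec["bufsize"] = int(rec["bufsize"])  # EDNS buffer size advertised by the client
            yield rec


def any_queries_by_source(text):
    """Count ANY queries per remote address (the log records receipt, not the answer)."""
    return Counter(r["remote"] for r in parse_query_log(text) if r["qtype"] == "ANY")


def noisy_any_sources(text, threshold=3):
    """Remote addresses that sent at least `threshold` ANY queries, most active first.
    The threshold is an assumption; tune it to the zone's normal traffic before
    feeding the result into a rate limit or the iptables rules mentioned in the thread."""
    counts = any_queries_by_source(text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in noisy_any_sources(SAMPLE_LOG):
        print(f"{ip}: {n} ANY queries")
```

These lines record queries as received, so on their own they cannot show whether any-to-tcp truncated the UDP answer; the counts only tell you who is asking and how often.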
