Feature request: disable-any-meta-query-type


Feature request: disable-any-meta-query-type

Josh Sanders
Hello,

I really like PowerDNS but

I would like to have a setting disable-any-meta-query-type=yes in pdns.conf and answer
with HINFO "Any Queries are not allowed Sorry" or no answer at all.

More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/

The reason for this is security: people can easily learn the entire DNS zone with one command.

An authoritative server should be allowed to refuse to answer it.

ANY queries are not widely used by any real world software.
We are aware of only two programs that issue ANY queries:

Un-patched versions of qmaild
Firefox version 36.0 to 36.0.1

Thanks

Josh

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Feature request: disable-any-meta-query-type

Aki Tuomi
On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:

> Hello,
>
> I really like PowerDNS but
>
> I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> and answer
> with HINFO "Any Queries are not allowed Sorry" or no answer at all.
>
> More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
>
> The reason for this is security: people can easily learn the entire DNS
> zone with one command.
>
> An authoritative server should be allowed to refuse to answer it.
>
> ANY queries are not widely used by any real world software.
> We are aware of only two programs that issue ANY queries:
>
> Un-patched versions of qmaild
> Firefox version 36.0 to 36.0.1
>
> Thanks
>
> Josh

Hi!

Disabling ANY queries is not sensible from the point of view of zone security: your DNS
data is public by definition, so if your security relies on not being able
to query ANY for a particular name, you should reconsider your security model.

You cannot learn the *entire* DNS zone with ANY query, unless it contains
just records for one name.

Better justification is needed for this, as the RFC requires ANY to be working.

Aki


Re: Feature request: disable-any-meta-query-type

Aki Tuomi
On Fri, Dec 18, 2015 at 09:01:17PM +0200, Aki Tuomi wrote:

> On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> > Hello,
> >
> > I really like PowerDNS but
> >
> > I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> > and answer
> > with HINFO "Any Queries are not allowed Sorry" or no answer at all.
> >
> > More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> >
> > The reason for this is security: people can easily learn the entire DNS
> > zone with one command.
> >
> > An authoritative server should be allowed to refuse to answer it.
> >
> > ANY queries are not widely used by any real world software.
> > We are aware of only two programs that issue ANY queries:
> >
> > Un-patched versions of qmaild
> > Firefox version 36.0 to 36.0.1
> >
> > Thanks
> >
> > Josh
>
> Hi!
>
> Disabling ANY queries is not sensible from the point of view of zone security: your DNS
> data is public by definition, so if your security relies on not being able
> to query ANY for a particular name, you should reconsider your security model.
>
> You cannot learn the *entire* DNS zone with ANY query, unless it contains
> just records for one name.
>
> Better justification is needed for this, as the RFC requires ANY to be working.
>
> Aki
>

Also, you can use 'any-to-tcp=yes' to prevent UDP reflection attacks. You
can verify that it works with

dig any zone.com @auth +ignore

(note that +ignore is to ignore truncation, +notcp does not really do what
you'd expect).

Aki


Re: Feature request: disable-any-meta-query-type

Josh Sanders
Aki, Thanks for your reply,

I have been working with PowerDNS for a few weeks so far.

Currently I am trying Federico Olivieri's iptables rules based on hex-string ANY.

On the other hand ... for stopping those ones ...

zone: mydomain.com

Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS

As you may see, 'any-to-tcp=yes' seems not to be working so far ...



On Fri, Dec 18, 2015 at 1:01 PM, Aki Tuomi <[hidden email]> wrote:
On Fri, Dec 18, 2015 at 11:49:56AM -0600, Josh Sanders wrote:
> Hello,
>
> I really like PowerDNS but
>
> I would like to have a setting disable-any-meta-query-type=yes in pdns.conf
> and answer
> with HINFO "Any Queries are not allowed Sorry" or no answer at all.
>
> More info: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
>
> The reason for this is security: people can easily learn the entire DNS
> zone with one command.
>
> An authoritative server should be allowed to refuse to answer it.
>
> ANY queries are not widely used by any real world software.
> We are aware of only two programs that issue ANY queries:
>
> Un-patched versions of qmaild
> Firefox version 36.0 to 36.0.1
>
> Thanks
>
> Josh

Hi!

Disabling ANY queries is not sensible from the point of view of zone security: your DNS
data is public by definition, so if your security relies on not being able
to query ANY for a particular name, you should reconsider your security model.

You cannot learn the *entire* DNS zone with ANY query, unless it contains
just records for one name.

Better justification is needed for this, as the RFC requires ANY to be working.

Aki



Re: Feature request: disable-any-meta-query-type

bert hubert
On Fri, Dec 18, 2015 at 02:50:22PM -0600, Josh Sanders wrote:
> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
> packetcache MISS
>
> As you may see, 'any-to-tcp=yes' seems to be not working so far ...

Can you tcpdump? They could simply be asking the question, which doesn't mean they
have to *respect* your TC=1 answer. Since that is all we can do, we set TC=1.
It does not stop the questions!

We do provide a really small answer that way, which stops the amplification
from working.

        Bert

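To make Aki's verification step and Bert's point concrete, here is an added example (my own code, not PowerDNS or anything posted in the thread) that does in Python what 'dig any zone.com @auth +ignore' does: it sends a raw ANY query over UDP, optionally with an EDNS0 OPT record advertising a large buffer (the 'bufsize = 1680' in the logs above is exactly such an advertisement), reads the reply header, and reports whether the server sent a TC=1 reply with no answers (what any-to-tcp=yes produces) or a full answer, together with the bytes-out / bytes-in amplification ratio. Like +ignore, it deliberately does not retry over TCP. The replies it checks against offline are constructed, not captured; the server address, zone name and the 192.0.2.1 rdata are placeholders. The last four bytes of the query (QTYPE 255, QCLASS IN = 00 ff 00 01) are the pattern a hex-string packet filter for ANY, such as the iptables rules Josh mentions, would typically match on; that is my reading of how such rules work, not a description of Federico Olivieri's rules.

```python
"""Probe how an authoritative server handles ANY over UDP.

Builds a raw ANY query (optionally with an EDNS0 OPT record advertising a
large UDP buffer), parses the reply header, and reports whether the server
sent a TC=1 reply with no answers (what any-to-tcp=yes produces) or a full
answer, plus the bytes-out / bytes-in amplification ratio.  Like 'dig
+ignore', it does NOT retry over TCP on TC=1.  Constructed replies let the
example run offline.  Added example, not PowerDNS code.
"""
import secrets
import socket
import struct

QTYPE_A, QTYPE_OPT, QTYPE_ANY, QCLASS_IN = 1, 41, 255, 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def question(name, qtype=QTYPE_ANY):
    """Question section: QNAME, QTYPE, QCLASS.  Ends in 00 ff 00 01 for ANY/IN."""
    return encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_query(name, qtype=QTYPE_ANY, txid=None, edns_bufsize=None):
    """DNS query packet; edns_bufsize adds an OPT RR advertising that UDP payload size."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)      # unpredictable ID, as a real client uses
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount) + question(name, qtype)
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def assess_any_reply(query, reply):
    """Return ('tc-only' | 'answered', amplification) for a UDP reply to an ANY query."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("reply does not belong to this query")
    amplification = len(reply) / len(query)
    if r["tc"] and r["ancount"] == 0:
        return "tc-only", amplification       # client told to retry over TCP; nothing worth reflecting
    return "answered", amplification


def udp_probe(server, name, edns_bufsize=4096, timeout=3.0):
    """Send one ANY query over UDP and return (query, reply).  Needs network access."""
    query = build_query(name, edns_bufsize=edns_bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(65535)
    return query, reply


# Constructed replies (not captured traffic) so the example runs offline.
def fake_tc_reply(query, name):
    """What any-to-tcp=yes sends back: same ID, QR=1, TC=1, question echoed, no answers."""
    hdr = struct.pack("!HHHHHH", parse_header(query)["id"], FLAG_QR | FLAG_TC, 1, 0, 0, 0)
    return hdr + question(name)


def fake_full_reply(query, name, n_records):
    """A server answering ANY in full: n_records A records, owner = pointer to the question name."""
    hdr = struct.pack("!HHHHHH", parse_header(query)["id"], FLAG_QR, 1, n_records, 0, 0)
    rr = struct.pack("!HHHIH4s", 0xC00C, QTYPE_A, QCLASS_IN, 3600, 4, bytes([192, 0, 2, 1]))
    return hdr + question(name) + rr * n_records


if __name__ == "__main__":
    import sys
    name = "example.com"
    q = build_query(name, edns_bufsize=4096)
    for label, reply in (("any-to-tcp=yes", fake_tc_reply(q, name)),
                         ("full answer   ", fake_full_reply(q, name, 3))):
        print(label, assess_any_reply(q, reply))
    if len(sys.argv) == 3:                      # e.g. python3 any_probe.py 192.0.2.53 zone.example
        print("live", assess_any_reply(*udp_probe(sys.argv[1], sys.argv[2])))
```

Run it with a server address and zone name to probe a live server; a 'tc-only' verdict with an amplification ratio near 1.0 is the behaviour Bert describes: the questions keep arriving, but each one buys the attacker no more bytes than it cost. An 'answered' verdict with a large ratio on a query that advertised a 4096-byte buffer is the reflection case any-to-tcp is meant to close.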