Is it possible to block all ANY queries?


Is it possible to block all ANY queries?

Josh Sanders
Hello,

I just set up PowerDNS and it works faultlessly: pdns-static_3.4.7-1_amd64.deb

But it keeps receiving 100s of ANY queries.

PowerDNS/Bind Backend has zone: mydomain.com, but it keeps receiving ANY queries like these:

Remote xxx.xxx.xxx.xxx wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.yyy wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.zzz wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680: packetcache MISS

I know how to block those ips with fail2ban but I would not like to have 100s of iptables rules.

Is there a way to block ANY queries?

I mean like CloudFlare does: Please stop asking for ANY / See draft-jabley-dnsop-refuse-any

Also, I tried any-to-tcp=yes but it does not seem to work.

Thanks

_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Is it possible to block all ANY queries?

Federico87

Hi, have you tried with iptables? You can set the max ANY queries per IP and track the IPs that ask for the ANY query.

On 16 Dec 2015 22:05, "Josh Sanders" <[hidden email]> wrote:
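A detection-side example added here (it is not code from either poster or from PowerDNS): in Python, it parses the "Remote ... wants 'name|TYPE'" log line format quoted in the question, counts ANY queries per source address, and separates ANY queries for names the server does not even serve, which is the pattern in the quoted lines (domainA.com etc. versus the served zone mydomain.com). The log lines and addresses below are constructed samples in that format.

```python
import re
from collections import Counter

# Matches the pdns query log line format shown in the thread.
LOG_RE = re.compile(
    r"Remote (?P<ip>\S+) wants '(?P<qname>[^|]+)\|(?P<qtype>[A-Z0-9]+)', "
    r"do = (?P<do>\d), bufsize = (?P<bufsize>\d+): packetcache (?P<cache>HIT|MISS)"
)

# Constructed sample log, same format as the thread; addresses are documentation ranges.
SAMPLE_LOG = """\
Remote 192.0.2.10 wants 'domainA.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainB.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 192.0.2.10 wants 'domainC.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 198.51.100.7 wants 'mydomain.com|A', do = 0, bufsize = 512: packetcache HIT
Remote 198.51.100.7 wants 'mydomain.com|ANY', do = 0, bufsize = 1680: packetcache MISS
Remote 203.0.113.5 wants 'mydomain.com|MX', do = 1, bufsize = 4096: packetcache MISS
this line is not a query log line
"""

def parse_line(line):
    """Return a dict of fields for a 'wants' line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["do"], rec["bufsize"] = int(rec["do"]), int(rec["bufsize"])
    return rec

def in_served_zone(qname, zones):
    """True if qname is at or below one of the zones this server is authoritative for."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in (z.rstrip(".").lower() for z in zones))

def any_counts(log_text):
    """ANY queries per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY":
            counts[rec["ip"]] += 1
    return counts

def foreign_any(log_text, served_zones):
    """ANY queries per source for names outside the served zones (reflection pattern)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "ANY" and not in_served_zone(rec["qname"], served_zones):
            counts[rec["ip"]] += 1
    return counts

def offenders(log_text, threshold):
    """Sources with at least `threshold` ANY queries, most active first."""
    return [(ip, n) for ip, n in any_counts(log_text).most_common() if n >= threshold]
```

Feeding `offenders(...)` a real log and a sensible threshold gives a short list to hand to fail2ban or to a rate limit rule, instead of one firewall entry per address.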