Bugzilla – Full Text Bug Listing
Summary: Please create a "ANY" deny option
Component: server
Assignee: unbound team <unbound-team>
Severity: enhancement
CC: cathya, nlnetlabs-bugzilla, wouter
Description j.vogt 2018-10-04 09:40:34 CEST
Hello, please provide an option to return nothing when "ANY" queries are made. Some DNS providers do not reply anything to "ANY" queries; see for example here: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type It would be great to have such an option in unbound. I used a python script but then realised that the performance with resperf drops to less than 50% when using the python script.

With python enabled: 7000 qps
Without the python script: ~15000 qps
Comment 1 Wouter Wijngaards 2018-10-04 10:12:59 CEST
Hi, Unbound already implements another of the RFC recommended options for denying query type ANY, which is where it responds with a small amount of items from the cache. This is protocol conformant, and gives a small response. Best regards, Wouter
Comment 2 j.vogt 2018-10-04 11:38:51 CEST
Hi Wouter, thanks for your answer. I know that unbound already supports RFC conformant small ANY responses. In my opinion, this can lead to somewhat strange results, because when you do for example:

  dig A test.com

and then

  dig ANY test.com

you get:

  ;; ANSWER SECTION:
  test.com. 3571 IN A 184.108.40.206
  test.com. 7171 IN NS ns65.worldnic.com.
  test.com. 7171 IN NS ns66.worldnic.com.

However, if you do first

  dig ANY test.com

you get

  ;; ANSWER SECTION:
  test.com. 3600 IN A 220.127.116.11
  test.com. 7200 IN TXT "google-site-verification=kW9t2V_S7WjOX57zq0tP8Ae_WJhRwUcZoqpdEkvuXJk"
  test.com. 7200 IN NS ns66.worldnic.com.
  test.com. 7200 IN NS ns65.worldnic.com.
  test.com. 7200 IN SOA ns65.worldnic.com. namehost.worldnic.com. 118062110 10800 3600 604800 3600
  test.com. 7200 IN MX 30 lastmx.spamexperts.net.
  test.com. 7200 IN MX 20 fallbackmx.spamexperts.eu.
  test.com. 7200 IN MX 10 mx.spamexperts.com.

So I think an option to just deny ANY queries would make more sense.
Comment 3 Wouter Wijngaards 2018-10-25 10:09:13 CEST
Hi, The option deny-any: yes is added to unbound.conf, and it responds with an empty message to type ANY queries. The default is no, and the old behaviour is what happens when the option is disabled. Thanks for the report, I hope it makes the handling of annoyance traffic easier. Best regards, Wouter
Comment 4 publicarray 2018-12-04 11:53:36 CET
Thanks Wouter for adding this option. To improve this further I think a small INFO response is better than a completely (valid) empty response. Having a small INFO response informs users why the response is empty. See https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
Comment 5 publicarray 2018-12-04 11:58:05 CET
(In reply to publicarray from comment #4)
> Thanks Wouter for adding this option. To improve this further I think a
> small INFO response is better than a completely (valid) empty response.
> Having a small INFO response informs users why the response is empty. See
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

Or how about setting the Rcode to 4 (NOTIMP)?
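An added example, not code from this bug report or from Unbound, that classifies a resolver's reply to a type ANY query into the behaviours discussed in this thread: an empty NOERROR reply (what deny-any: yes produces), a single HINFO record (the draft-ietf-dnsop-refuse-any approach), rcode NOTIMP, or a normal answer set. The wire-format sample responses, the name test.com and the rdata values are constructed here for the example.

```python
import struct

RR_TYPE_HINFO, RR_TYPE_ANY, RCODE_NOTIMP = 13, 255, 4

def build_response(qname, rcode=0, answers=()):
    """Build a minimal DNS reply to an ANY query (constructed sample, no name
    compression). answers: (rtype, rdata_bytes) pairs owned by qname."""
    labels = qname.strip(".").split(".")
    name = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\0"
    # id, flags (QR|RD|RA plus rcode), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = name + struct.pack(">HH", RR_TYPE_ANY, 1)
    rrs = b"".join(name + struct.pack(">HHIH", t, 1, 3600, len(r)) + r
                   for t, r in answers)
    return header + question + rrs

def _skip_name(msg, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def classify_any_response(msg):
    """Classify a reply to a type ANY query.
    Returns (category, answer_types): category is 'notimp' (rcode 4),
    'empty' (NOERROR with no answer RRs, as deny-any: yes sends),
    'hinfo' (only an HINFO RR, the refuse-any draft's approach) or 'answer'."""
    flags, qdcount, ancount = struct.unpack(">HHH", msg[2:8])
    if flags & 0x000F == RCODE_NOTIMP:
        return "notimp", []
    off = 12
    for _ in range(qdcount):          # skip question section: name + type + class
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if not types:
        return "empty", []
    if types == [RR_TYPE_HINFO]:
        return "hinfo", types
    return "answer", types
```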