Bug 4190 - Please create a "ANY" deny option
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.7.3
Hardware: Other All
Importance: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2018-10-04 09:40 CEST by j.vogt
Modified: 2018-12-04 11:58 CET (History)
Description j.vogt 2018-10-04 09:40:34 CEST
Hello

Please provide an option to return nothing when "ANY" queries are made. 

Some DNS providers do not reply anything to "ANY" queries; see for example here: 
https://blog.cloudflare.com/deprecating-dns-any-meta-query-type

It would be great to have such an option in unbound.
I used a python script but then realised that the performance with resperf drops to less than 50% when using the python script.
With Python enabled: 7000 qps
Without the python script: ~15000 qps
Comment 1 Wouter Wijngaards 2018-10-04 10:12:59 CEST
Hi,

Unbound already implements another of the RFC recommended options for denying query type ANY, which is where it responds with a small amount of items from the cache.  This is protocol conformant, and gives a small response.

Best regards, Wouter
Comment 2 j.vogt 2018-10-04 11:38:51 CEST
Hi Wouter

Thanks for your answer. I know that unbound already supports RFC conformant small ANY responses.
In my opinion, this can lead to somewhat strange results, because when you do for example: 

dig A test.com

and then 
dig ANY test.com 

you get:
;; ANSWER SECTION:
test.com.		3571	IN	A	69.172.200.235
test.com.		7171	IN	NS	ns65.worldnic.com.
test.com.		7171	IN	NS	ns66.worldnic.com.

However, if you do first
dig ANY test.com

you get
;; ANSWER SECTION:
test.com.		3600	IN	A	69.172.200.235
test.com.		7200	IN	TXT	"google-site-verification=kW9t2V_S7WjOX57zq0tP8Ae_WJhRwUcZoqpdEkvuXJk"
test.com.		7200	IN	NS	ns66.worldnic.com.
test.com.		7200	IN	NS	ns65.worldnic.com.
test.com.		7200	IN	SOA	ns65.worldnic.com. namehost.worldnic.com. 118062110 10800 3600 604800 3600
test.com.		7200	IN	MX	30 lastmx.spamexperts.net.
test.com.		7200	IN	MX	20 fallbackmx.spamexperts.eu.
test.com.		7200	IN	MX	10 mx.spamexperts.com.

So I think an option to just deny ANY queries would make more sense.
Comment 3 Wouter Wijngaards 2018-10-25 10:09:13 CEST
Hi,

The option deny-any: yes is added to unbound.conf, and it responds with an empty message to type ANY queries.  The default is no, and the old behaviour is what happens when the option is disabled.  Thanks for the report, I hope it makes the handling of annoyance traffic easier.

Best regards, Wouter
Comment 4 publicarray 2018-12-04 11:53:36 CET
Thanks Wouter for adding this option. To improve this further I think a small INFO response is better than a completely (valid) empty response. Having a small INFO response informs users why the response is empty. See https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any
Comment 5 publicarray 2018-12-04 11:58:05 CET
(In reply to publicarray from comment #4)
> Thanks Wouter for adding this option. To improve this further I think a
> small INFO response is better than a completely (valid) empty response.
> Having a small INFO response informs users why the response is empty. See
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any

Or how about setting the Rcode to 4 (NOTIMP)?
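The three refusal styles discussed in this thread (the empty response of comment 3, the HINFO-style small response of comment 4, and the NOTIMP rcode of comment 5), as an added Python example that is neither Unbound's code nor anything posted in the thread. It builds a constructed sample ANY query for test.com, produces each refusal on the wire using only the standard library, and parses the result back. Assumptions: the "empty" mode returns NOERROR with the question echoed and zero answer records, which is a model of the behaviour comment 3 describes rather than a check of Unbound's implementation; the HINFO text is the value RFC 8482, the published form of the cited draft, recommends; name compression and EDNS are left out.

```python
"""Three ways to refuse a DNS type ANY query, on the wire.

Added example, not Unbound code. Unbound's own switch for the "empty"
behaviour is ``deny-any: yes`` in the server: section of unbound.conf;
the bytes below are an independent model of the three styles discussed in
the thread, with a minimal message builder/parser so it runs offline.
"""
import struct

QTYPE_A, QTYPE_HINFO, QTYPE_ANY = 1, 13, 255
QCLASS_IN = 1
RCODE_NOERROR, RCODE_NOTIMP = 0, 4
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, name, qtype):
    """Standard recursive query with one question and no EDNS."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_message(data):
    """Parse header, question and answer sections into a dict."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((rname, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"id": qid, "flags": flags, "qr": bool(flags & FLAG_QR),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def hinfo_rdata(cpu, os):
    """HINFO RDATA is two <character-string>s: a length byte followed by text."""
    return bytes([len(cpu)]) + cpu.encode("ascii") + bytes([len(os)]) + os.encode("ascii")


def refuse_any(query, mode):
    """Return a refusal for a type ANY query, or None if the query is not ANY.

    "empty":  NOERROR, question echoed, no answer RRs (deny-any style; the
              exact rcode and the echoed question are assumptions here).
    "hinfo":  NOERROR plus one synthesized HINFO RR (draft-ietf-dnsop-refuse-any
              style; RFC 8482 recommends "RFC8482" as the CPU text).
    "notimp": rcode 4, the alternative raised in comment 5.
    """
    msg = parse_message(query)
    if len(msg["questions"]) != 1:
        raise ValueError("expected exactly one question")
    qname, qtype, qclass = msg["questions"][0]
    if qtype != QTYPE_ANY:
        return None  # not ANY: let normal resolution handle it
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    flags = FLAG_QR | FLAG_RA | (msg["flags"] & FLAG_RD)  # keep RD as the client sent it
    if mode == "empty":
        return struct.pack("!HHHHHH", msg["id"], flags | RCODE_NOERROR, 1, 0, 0, 0) + question
    if mode == "notimp":
        return struct.pack("!HHHHHH", msg["id"], flags | RCODE_NOTIMP, 1, 0, 0, 0) + question
    if mode == "hinfo":
        rdata = hinfo_rdata("RFC8482", "")
        rr = encode_name(qname) + struct.pack("!HHIH", QTYPE_HINFO, QCLASS_IN, 3600, len(rdata)) + rdata
        return struct.pack("!HHHHHH", msg["id"], flags | RCODE_NOERROR, 1, 1, 0, 0) + question + rr
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    q = build_query(0x1234, "test.com", QTYPE_ANY)  # constructed sample query
    for mode in ("empty", "hinfo", "notimp"):
        r = parse_message(refuse_any(q, mode))
        print(mode, "rcode", r["rcode"], "answers", r["answers"])
```

Running it prints the rcode and answer list for each mode: the empty reply carries nothing beyond the echoed question, the HINFO reply stays NOERROR but tells the client why the RRsets are missing, and the NOTIMP reply signals refusal through the rcode alone. A non-ANY query passes through untouched (the function returns None), which is the behaviour a policy hook in front of normal resolution needs.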