disabling "Any" requests

Chuck Swiger cswiger at mac.com
Thu Jul 12 16:15:59 UTC 2012


On Jul 12, 2012, at 7:16 AM, Lightner, Jeff wrote:
> Your answer was clearly meant to be tongue in cheek but I'm not sure you understood.

Please allow me to reassure you that I understood the intent of the question.  :-)

The point was that if one isn't clear about what one should allow and what one should forbid, spending lots of money on a fancy firewall box, or complicated rules creating restrictions for certain DNS query types is silly-- a pair of wirecutters provides better security for your money:

  http://www.ranum.com/security/computer_security/papers/a1-firewall/
  http://www.google.com/search?q=firewall+wizards+wirecutters

> The OP wasn't asking how to stop all (any) lookups - it was how to stop "dig -t any" which isn't the same thing at all.  Presumably they still want to allow dig -t mx, dig www... etc...
> 
> Personally I don't know why "dig -t any" would be a problem.   It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information.

That's an extremely good question to ask, yes.

However, it should also lead to asking "why would you want to answer DNS queries at all for some client, if you've decided you want to block some types of queries?"  If whoever it is making the DNS requests is a valid user of the nameserver, then you probably ought to figure out what's going on by talking with them before simply breaking things.  If the queries aren't from a valid user, consider not answering any of the queries, rather than just blocking some.

If the intent is to mitigate a DDOS/amplification attack but still allow public access to the nameserver, well, rate limiting queries seems to be a much more appropriate solution than blocking type=any.

Regards,
-- 
-Chuck
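As an added example (not part of Chuck's message or the bind-users thread), here is what the rate-limiting alternative he recommends looks like in named.conf using BIND's response rate limiting (RRL). It assumes BIND 9.9.4 or later, where RRL ships in the mainline rather than as a patch; the numeric limits and the 192.0.2.0/24 exempt prefix are constructed values, and the `minimal-any` line is a separate, later option (BIND 9.11+) shown because it answers the "why block ANY at all?" question without refusing the query.

```conf
// Added example, not from the original thread: BIND 9.9.4+ response rate
// limiting (RRL) as an alternative to refusing type=ANY queries.
// All numeric values are illustrative assumptions; tune them to your traffic.
options {
    // ... other options ...

    rate-limit {
        // Identical answers to clients in one IPv4 /24 (IPv6 /56) block are
        // capped at this many per second (ipv4-prefix-length defaults to 24).
        responses-per-second 10;
        // Limit error answers separately; reflection traffic often targets
        // random or nonexistent names.
        errors-per-second 5;
        nxdomains-per-second 5;
        // Averaging window in seconds for the per-second figures above.
        window 5;
        // Every 2nd limited response is sent truncated (TC) instead of dropped,
        // so a real client can retry over TCP while spoofed sources get nothing.
        slip 2;
        // Observe-only mode: log what would be limited, enforce nothing.
        // Change to "no" once the logged hits match the abusive traffic.
        log-only yes;
        // Never limit trusted resolvers (constructed documentation prefix).
        exempt-clients { 192.0.2.0/24; };
    };

    // BIND 9.11+ only: answer ANY over UDP with a single RRset instead of the
    // whole name, which removes most of the amplification without breaking
    // clients that legitimately send ANY.
    minimal-any yes;
};
```

After editing, run `named-checkconf` and reload; leave `log-only yes` in place long enough to confirm that the rate-limit log entries describe the traffic you meant to curb before switching enforcement on.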