<div dir="ltr"><div dir="ltr">On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage <<a href="mailto:Brett@brettdelmage.ca">Brett@brettdelmage.ca</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 7 Jul 2020, Tony Finch wrote:<br>
<br>
> Reduce the size of responses to ANY queries, which are a favourite tool of<br>
> amplification attacks. There's basically no downside to this one, in my<br>
> opinion, but I'm biased because I implemented it.<br>
><br>
> minimal-any yes;<br>
<br>
Why only reduce and not eliminate?<br>
<br>
Can ANY responses be disabled completely with an option?<br>
<br>
This article at Cloudflare<br>
<a href="https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/" rel="noreferrer" target="_blank">https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/</a><br>
states that they have deprecated it because it wasn't being used. They <br>
should know! This was posted over 5 years ago, in 2015.<br></blockquote><div><br></div><div>Cloudflare themselves now implement the "minimal any" behavior described</div><div>in this spec:</div><div><br></div><div> <a href="https://tools.ietf.org/html/rfc8482">https://tools.ietf.org/html/rfc8482</a></div><div><br></div><div>Responding to ANY with NOTIMP, REFUSED, or unknown RCODEs, or not</div><div>responding at all results in undesirable follow-on behaviour from DNS resolvers</div><div>(mostly aggressive retries).</div><div><br></div><div>Shumon.</div><div><br></div><div>---</div>$ dig @<a href="http://ns1.cloudflare.com">ns1.cloudflare.com</a>. <a href="http://cloudflare.com">cloudflare.com</a>. ANY</div><div class="gmail_quote"><br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54526<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br><br>;; QUESTION SECTION:<br>;<a href="http://cloudflare.com">cloudflare.com</a>. IN ANY<br><br>;; ANSWER SECTION:<br><a href="http://cloudflare.com">cloudflare.com</a>. 3789 IN HINFO "RFC8482" ""<br><div><br></div></div></div>
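<div>Added example, not part of the original thread and not BIND's or Cloudflare's code: Python that builds the RFC 8482 HINFO answer seen in the dig output above for an ANY query, checks a wire-format response for that minimal form, and compares response size to query size. All function names and the sample messages are constructed for illustration.</div>

```python
import struct

ANY, HINFO, IN = 255, 13, 1  # QTYPE ANY, TYPE HINFO, CLASS IN

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def build_any_query(name, qid):
    """Constructed ANY query with the RD flag set, as dig sends by default."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", ANY, IN)

def build_minimal_response(query, ttl):
    """Answer the query with a single HINFO "RFC8482" "" record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", qid, 0x8500, 1, 1, 0, 0)  # qr aa rd, NOERROR
    rdata = b"\x07RFC8482" + b"\x00"  # CPU="RFC8482", OS=""
    rr = b"\xc0\x0c" + struct.pack("!2HIH", HINFO, IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr  # owner name points back at the question

def is_minimal_any(msg):
    """True for NOERROR with exactly one answer, an HINFO with CPU RFC8482."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x000F != 0 or qd != 1 or an != 1:
        return False
    off = skip_name(msg, 12) + 4   # question name, then QTYPE and QCLASS
    off = skip_name(msg, off)      # answer owner name
    rtype, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    return rtype == HINFO and rdata.startswith(b"\x07RFC8482")

def amplification(query, response):
    """Response bytes per query byte, the ratio a reflector hands an attacker."""
    return len(response) / len(query)
```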