Maintained by: NLnet Labs

refuse ANY queries

Petr Špaček
Fri Aug 25 16:58:53 CEST 2017


On 25.8.2017 15:55, A. Schulze via Unbound-users wrote:
> 
> W.C.A. Wijngaards via Unbound-users:
> 
>> It is enabled by default, and implemented in Unbound 1.5.4.  These are
>> the changelog entries from the download page:
> 
> found: ~unbound-source/service/cache/dns.c, search for 'Fill TYPE_ANY
> response'
> 
> As Petr mentioned, the responses aren't necessarily really 'small'
> 
> Any chance someone could implement "4.2.  Synthesised HINFO RRset"
> and let the operator choose 4.1 or 4.2?

BTW it is possible to play nasty tricks and reply with an 'actual' ANY:

local-zone: "example.com." typetransparent
local-data: "example.com. TYPE255 \# 1 00"

I hope such an answer will break the botnet we are fighting against!

Have a nice weekend.

-- 
Petr Špaček  @  CZ.NIC
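
The local-data line in the message above uses the generic unknown-RR text form from RFC 3597 (TYPEnnn, then \#, an RDATA length, and hex bytes). As an added example that is not part of the original message or of Unbound's code, this sketch parses that form and builds the resource record bytes it describes; the TTL of 3600 and class IN used for the omitted fields are assumptions, and the function names are hypothetical.

```python
import struct

def encode_name(name):
    # DNS wire-format owner name: length-prefixed labels, no compression.
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def parse_generic_rr(text, default_ttl=3600, default_class=1):
    # Accepts: owner [ttl] [IN|CLASSnnn] TYPEnnn \# <len> <hex...>
    # default_ttl / default_class are assumed values for omitted fields.
    tokens = text.split()
    owner, rest = tokens[0], tokens[1:]
    ttl, rrclass = default_ttl, default_class
    if rest and rest[0].isdigit():
        ttl = int(rest.pop(0))
    if rest and rest[0].upper() == "IN":
        rest.pop(0)
    elif rest and rest[0].upper().startswith("CLASS"):
        rrclass = int(rest.pop(0)[5:])
    if not rest or not rest[0].upper().startswith("TYPE"):
        raise ValueError("expected TYPEnnn")
    rrtype = int(rest.pop(0)[4:])
    if len(rest) < 2 or rest[0] != "\\#":
        raise ValueError("expected the \\# generic-RDATA marker")
    rdata = bytes.fromhex("".join(rest[2:]))
    if len(rdata) != int(rest[1]):
        raise ValueError("declared RDATA length does not match hex data")
    return owner, ttl, rrclass, rrtype, rdata

def to_wire(text):
    # owner | TYPE(16) | CLASS(16) | TTL(32) | RDLENGTH(16) | RDATA
    owner, ttl, rrclass, rrtype, rdata = parse_generic_rr(text)
    header = struct.pack("!HHIH", rrtype, rrclass, ttl, len(rdata))
    return encode_name(owner) + header + rdata

# The record from the message: type 255 is the ANY query type, RDATA is one zero byte.
SAMPLE = r"example.com. TYPE255 \# 1 00"

if __name__ == "__main__":
    print(parse_generic_rr(SAMPLE))
    print(to_wire(SAMPLE).hex())
```
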