Block "ANY" requests

jaykepeters · February 26, 2019, 2:26am

Is there a way to block ANY type requests?

jfb · February 26, 2019, 2:30am

What information returned in an ANY request constitutes a security vulnerability?

pi@Pi-3B-DEV:~ $ dig -t any jaykepeters.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> -t any jaykepeters.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59939
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;jaykepeters.com.		IN	ANY

;; ANSWER SECTION:
jaykepeters.com.	3789	IN	HINFO	"ANY obsoleted" "See draft-ietf-dnsop-refuse-any"
jaykepeters.com.	3789	IN	RRSIG	HINFO 13 2 3789 20190227033126 20190225013126 34505 jaykepeters.com. mgETVijVnKqwSK440zre9BxaBQgSFZZe7gz/kACDWpBypoo5shPtV3GF 7hQw90afuZ+f1rninz2ddm8qv2vBaA==

;; Query time: 129 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 25 20:31:26 CST 2019
;; MSG SIZE  rcvd: 213

jaykepeters · February 26, 2019, 6:04pm

Returning all records

jfb · February 27, 2019, 1:51am

I'm not following how returning all records creates a security vulnerability. The dig -t any is a valid internet domain request.

Why should Pi-Hole block a valid DNS request?

jaykepeters · February 27, 2019, 5:00am

Because ANY should be deprecated soon.
https://datatracker.ietf.org/doc/rfc8482/

Many people run recursive resolvers and also it can be used for Dos attacks

jaykepeters · February 27, 2019, 5:05am

This has been done in BIND. Can it be done in Dnsmasq/FTL? See here
https://fanf.livejournal.com/140566.html

DanSchaper · February 27, 2019, 5:20am

We do not support open resolvers. We condemn the practice and make that very clear. Pi-hole is not designed or written to be an open recursive resolver.

jaykepeters · February 27, 2019, 6:01am

But still what about dig ANY? If there were records stored wouldn’t it return all of them? I sure wouldn’t want a rogue or comprised device trying to go places it shouldn’t.

jaykepeters · February 27, 2019, 6:07am

dig @resolver-ip/hostname -t ANY

DanSchaper · February 27, 2019, 11:44am

How would it go places it shouldn't?

DanSchaper · February 27, 2019, 11:49am

This proposal provides a mechanism for an authoritative DNS server to
signal that conventional ANY queries are not supported for a
particular QNAME.

That RFC is in regards to auth name servers, it has nothing to do with recursing name servers.

jaykepeters · March 1, 2019, 4:01am

Dnsmasq could be used as a nameserver, correct? Changes some settings?

DanSchaper · March 1, 2019, 4:08am

Sure, but we use pihole-FTL.

jaykepeters · March 1, 2019, 4:17am

And pi-hole FTL is a customized DNSMASQ? If it is an ad blocker, why would we need the ANY query in the first place? Could it just be removed and the answer replaced with some dummy text? I just think DNS should be coded for worse case scenario, if dns is compromised, users can be at risk such as poisoning, etc. This can happen on any network, both internal and external, as well as with vpn, right? All it takes is one compromised device... IDK, maybe we should just delete this feature request...