Block "ANY" requests


#1

Is there a way to block ANY type requests?


#2

What information returned in an ANY request constitutes a security vulnerability?

pi@Pi-3B-DEV:~ $ dig -t any jaykepeters.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> -t any jaykepeters.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59939
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;jaykepeters.com.		IN	ANY

;; ANSWER SECTION:
jaykepeters.com.	3789	IN	HINFO	"ANY obsoleted" "See draft-ietf-dnsop-refuse-any"
jaykepeters.com.	3789	IN	RRSIG	HINFO 13 2 3789 20190227033126 20190225013126 34505 jaykepeters.com. mgETVijVnKqwSK440zre9BxaBQgSFZZe7gz/kACDWpBypoo5shPtV3GF 7hQw90afuZ+f1rninz2ddm8qv2vBaA==

;; Query time: 129 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 25 20:31:26 CST 2019
;; MSG SIZE  rcvd: 213

#6

Returning all records


#7

I’m not following how returning all records creates a security vulnerability. The dig -t any is a valid internet domain request.

Why should Pi-Hole block a valid DNS request?


#8

Because ANY should be deprecated soon.
https://datatracker.ietf.org/doc/rfc8482/

Many people run recursive resolvers and also it can be used for Dos attacks


#9

This has been done in BIND. Can it be done in Dnsmasq/FTL? See here
https://fanf.livejournal.com/140566.html


#10

We do not support open resolvers. We condemn the practice and make that very clear. Pi-hole is not designed or written to be an open recursive resolver.


#12

But still what about dig ANY? If there were records stored wouldn’t it return all of them? I sure wouldn’t want a rogue or comprised device trying to go places it shouldn’t.


#13

dig @resolver-ip/hostname -t ANY


#14

How would it go places it shouldn’t?


#15

This proposal provides a mechanism for an authoritative DNS server to
signal that conventional ANY queries are not supported for a
particular QNAME.

That RFC is in regards to auth name servers, it has nothing to do with recursing name servers.


#16

Dnsmasq could be used as a nameserver, correct? Changes some settings?


#17

Sure, but we use pihole-FTL.


#18

And pi-hole FTL is a customized DNSMASQ? If it is an ad blocker, why would we need the ANY query in the first place? Could it just be removed and the answer replaced with some dummy text? I just think DNS should be coded for worse case scenario, if dns is compromised, users can be at risk such as poisoning, etc. This can happen on any network, both internal and external, as well as with vpn, right? All it takes is one compromised device… IDK, maybe we should just delete this feature request…