
Deprecating the DNS ANY meta-query type - luu
https://blog.cloudflare.com/deprecating-dns-any-meta-query-type
======
smosher_
> ANY queries are not widely used by any real world software. We are aware of only
> two programs that issue ANY queries

Does no one at Cloudflare use dig?

I agree that applications shouldn't be issuing ANY queries¹ under normal
circumstances but without being able to perform these queries in tools like
dig, a lot of sysadmin/support staff time would be wasted. (AXFR isn't a
suitable replacement in this situation because it's disabled or restricted
practically everywhere these days.)

¹ Especially qmaild: even when fetching only MX records, the bug linked from
the article will appear when there are enough MX records.

~~~
pjungwir
> Does no one at Cloudflare use dig?

Looks like all the comments critical of Cloudflare's decision have been
downvoted! I use ANY with dig (actually usually with nslookup because of my
age) when I set up DNS entries and want to check what records my machine can
see.

~~~
majke
Are you running dig against your recursor or directly against Authoritative
server?

Oh. You said you are running nslookup. Most likely you are running it against
a recursive server in which case ANY gives you what is in cache. So not what
you want.

~~~
pjungwir
You can repoint nslookup with the `server` command which I often do when
checking/debugging. I'd have to look up how to do the same with dig.

~~~
teddyh
dig @server domain.name.example.net ANY

------
teddyh
What’s next? “Deprecating” ping by refusing to answer it? (Oh wait, everybody
already does that.) Maybe the HTTP HEAD request? Or any other protocol than
HTTP, and any other packet type than TCP and UDP?

Standards are good and should be followed for good reasons. They allow for
both diagnostics (is that host down or are ping packets just filtered?) and
the development of new protocols (nope, can’t use SCTP or anything other than
TCP or UDP; they might be filtered).

It seems like Cloudflare just wants ANY to simply go away since it would make
their lives easier. Well, _tough cookies_, this is the Internet, and here we
obey the standards. The standards do not change just to make your business
model easier. Make your own standard or protocol if DNS is so broken that you
can’t adhere to it.

Also, this: [http://dnsreactions.tumblr.com/post/113952923614/when-cloudf...](http://dnsreactions.tumblr.com/post/113952923614/when-cloudflare-tries-to-forbid-any)

~~~
rstupek
Actually if you want to pass most PCI compliance scans, you have to not
respond to HTTP HEAD requests.

~~~
quicksilver03
Have you got a reference for that, or is it based on your experience with PCI
scan vendors?

~~~
jlgaddis
It would be in the PCI DSS [0].

[0]: [https://www.pcisecuritystandards.org/security_standards/docu...](https://www.pcisecuritystandards.org/security_standards/documents.php)

------
fapjacks
Disclaimer: I think this is fucking stupid.

> Unfortunately the most common users of ANY queries in practice are people
> trying to perform DNS reflection attacks, exploiting the unusual length of
> the ANY responses.

This seems like a red herring. I bet there is pure business reasoning behind
this decision. ANY queries are extremely useful for testing and debugging, as
mentioned, and I cannot believe for one second that it's not trivial to
implement something like fail2ban for ANY requests. How hard can it be to
handle denying or dropping queries that are obviously an attack? Cloudflare
can't handle a simple reflection attack without tanking the usefulness of the
query? It makes me rethink if Cloudflare is actually as good as it says on the
tin.
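
One way to do the per-source "fail2ban for ANY requests" check suggested above, as an added example that is not from the article, Cloudflare, or any commenter; the query-log lines are constructed in BIND-style format (not real traffic), and the threshold and window values are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in BIND-style query-log format (not real traffic).
SAMPLE_LOG = """\
01-Jan-2015 12:00:00.001 client 192.0.2.10#53515: query: example.com IN A +E (198.51.100.1)
01-Jan-2015 12:00:00.050 client 203.0.113.7#1234: query: example.com IN ANY +E (198.51.100.1)
01-Jan-2015 12:00:00.051 client 203.0.113.7#1234: query: example.com IN ANY +E (198.51.100.1)
01-Jan-2015 12:00:00.052 client 203.0.113.7#1234: query: example.com IN ANY +E (198.51.100.1)
01-Jan-2015 12:00:00.060 client 192.0.2.10#53516: query: example.com IN MX +E (198.51.100.1)
01-Jan-2015 12:00:03.000 client 192.0.2.99#40000: query: example.com IN ANY +E (198.51.100.1)
01-Jan-2015 12:00:05.000 client 203.0.113.7#1234: query: example.com IN ANY +E (198.51.100.1)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: \S+ IN (?P<qtype>\S+)")

def parse(log_text):
    """Yield (seconds, source_ip, qtype) for each line that matches the log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts.timestamp(), m["ip"], m["qtype"]

def count_by_qtype(log_text):
    """Queries per type; on an authoritative server ANY should be a tiny share."""
    counts = defaultdict(int)
    for _, _, qtype in parse(log_text):
        counts[qtype] += 1
    return dict(counts)

def flag_any_floods(log_text, threshold=3, window=1.0):
    """Sources that sent >= threshold ANY queries inside any `window` seconds.
    Reflection traffic carries the victim's spoofed address, so a flagged source is
    the reflection target: slow or truncate (TC=1) replies to it, as DNS RRL does."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, qtype in parse(log_text):
        if qtype != "ANY":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)
```

Legitimate dig/nslookup use from an operator's workstation stays far below such a threshold, which is why per-source limiting rather than a blanket refusal keeps the debugging value of ANY intact.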

~~~
yasth
If you read the article to the end you'll see they say there is indeed a
business case:

> Attempting to handle ANY queries creates enormous complexity in our DNS
> server code base. It's almost impossible to generate a proper response,
> anyway. Consider load-balancing, geoip, CNAME flattening features, and on-
> the-fly answer generation.

It isn't like they are saying no one should ever implement them, just that
they aren't because of low utility in their environment vs relatively high
cost.

~~~
fapjacks
Yes, you're right, but A) Cloudflare is in a position to significantly
influence the behavior of others and B) low utility is not the same thing as
not useful. One of my past lives would have been _enormously_ more difficult
without this specific capability. Generating a useful response also is not
necessarily the same thing as generating a proper response. If there were
something to take the place of ANY queries, I think it wouldn't be so bad.

~~~
toomuchtodo
> If there were something to take the place of ANY queries, I think it
> wouldn't be so bad.

But there are. Make the individual record type calls you need, and failing
that, use an AXFR transfer if you're permitted to based on IP security
rules.

------
t0mas88
This page consistently crashes Chrome on Android 5.0.1 on my Nexus 5. It
doesn't even get to the "chrome is not responding" screen, it just closes less
than a second after rendering the page.

~~~
aw3c2
Maybe the JS-loaded comments? I have had terrible experiences and crashes
thanks to Disqus myself on many sites.

------
_mikz
Looks like Google DNS (8.8.8.8) supports it.

~~~
jtokoph
Cloudflare is running authoritative nameservers whereas Google is running
resolvers (8.8.8.8, etc).

I might argue that resolvers should support the ANY query since they are just
acting as a proxy/cache in front of the authoritative servers.

