

Standard way for Authoritative DNS servers to refuse ANY query - jgrahamc
https://tools.ietf.org/html/draft-ogud-dnsop-any-notimp-00

======
tptacek
Short back-story: the ANY query type returns every record matching a name
regardless of its record type; it's a kind of wildcard query.

That would be innocuous, except that it's a way to send a very small UDP
packet to a DNS server and generate a very large UDP packet in response. Since
UDP is easily spoofed, attackers can use ANY to amplify DDOS attacks. It's
painfully effective in practice.

So far as I can tell, no normal part of the DNS process ever relies on ANY
queries; there isn't a thing your browser or OS or SSH or access point does
that ever calls for a "give me every record regardless of its type" query.

From TFA:

 _As there is no good reason for applications to ever issue an ANY query this
document codifies how an authoritative server can reject such queries._

This raised my eyebrow, because the standard argument DNSSEC apologists have
for that (terrible) protocol's in-built DDOS reflection capability is that DNS
also inescapably has that property due to ANY.

I've tried arguing that ANY is pointless and filter-able, to little avail.
It's good to see Gudmundsson, an unimpeachable IETF authority, saying the same
thing: ANY queries are bad, and not a fundamental part of the DNS service
model.

~~~
mct
I wish I had time to cite a reference, but my memory is that an ANY query is
not guaranteed to return all RRs, anyway. Running a quick experiment against
bind 9.8.4 (as packaged in Debian stable), I can confirm that:

* When no entry already exists in the cache, bind will forward the ANY query to an authoritative server and return the result.

* When some information is already present in the cache, bind will return only the information already cached, without querying more information from an authoritative server

Thus, if you need to know if a specific RR exists, you must query for that
specific RR.

Still, to aid humans in debugging DNS problems, a nice compromise might be to
allow ANY queries only over TCP. That would alleviate the spoofing problem.

~~~
axaxs
Yes, this is why implementers trying to tackle this often just return TC.
Changing the implementation or not allowing ANY queries at all breaks things,
qmail for one iirc.

~~~
munta
The result of an ANY query is cache dependent. Software that relies on ANY
queries is likely subtly broken already.

------
axaxs
I know this is a draft, but it would seem the authors are not taking this very
seriously. It has numerous mistakes and is written almost sarcastically
tersely.

Further, expecting recursive resolvers to do anything at all is an uphill
battle. A lot of the reason DNS moves at a 'glacial phase' is that millions of
DNS servers exist in all forms and ages. Changes can and do 'break the
internet' for folks.

I don't understand why they just don't return TC and call it done.

