[Dnsmasq-discuss] New option --no-ANY
Dominik Derigs
dl6er at dl6er.de
Tue Feb 6 17:00:02 UTC 2024
Hey Simon,
this patch adds a method for deprecating ANY queries (following RFC
8482: Providing Minimal-Sized Responses to DNS Queries That Have
QTYPE=ANY). This conforms to how many of the large scale upstream DNS
providers (Google, Cloudflare to name only a few) are dealing with the
use_less_ness of ANY in general on one hand but the unfortunate
use_full_ness in DNS amplification attacks on the other hand. Another
solution could be only disallowing ANY queries over UDP and forcing
clients to re-try over TCP but - given how useless ANY is - it doesn't
seem worth implementing this more complex path.
The proposed option --no-ANY simply ensures dnsmasq will not add any RRs
for such questions.
We are looking forward to enabling it by default in Pi-hole v6.0+ given
this patch is accepted.
Best,
Dominik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-option-no-ANY-providing-minimal-sized-responses-.patch
Type: text/x-patch
Size: 4556 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20240206/5b08a6ec/attachment.bin>
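The post contrasts three ways a resolver can treat QTYPE=ANY: answer in full, return no RRs (what --no-ANY is described as doing), or truncate UDP responses so the client retries over TCP. The following stdlib-only Python sketch is an added illustration written for this page; it is not part of the patch or of dnsmasq. The zone content for the hypothetical name example.test. is constructed (RFC 5737/3849 addresses, a padded TXT record standing in for the bulky data an amplification attacker wants reflected), names are not compressed, and the "minimal" policy reproduces the empty-answer behaviour described in the mail rather than RFC 8482's synthesized HINFO option.

```python
"""Toy DNS responder showing RFC 8482-style handling of QTYPE=ANY.

Added illustration, not dnsmasq code: compares a full ANY answer, the
empty-answer policy the proposed --no-ANY option is described as
implementing, and the alternative of truncating UDP ANY responses so
clients retry over TCP.
"""
import struct

QTYPE_A, QTYPE_MX, QTYPE_TXT, QTYPE_AAAA, QTYPE_ANY = 1, 15, 16, 28, 255
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_TC = 0x8000, 0x0100, 0x0080, 0x0200
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def txt_rdata(text: bytes) -> bytes:
    """TXT rdata is one or more <length><chars> strings; a single string here."""
    return bytes([len(text)]) + text


# Constructed zone data for a hypothetical name (assumption, not real records).
ZONE = {
    "example.test.": [
        (QTYPE_A, 300, bytes([192, 0, 2, 1])),
        (QTYPE_AAAA, 300, bytes.fromhex("20010db8" + "00" * 12)),
        (QTYPE_TXT, 300, txt_rdata(b"v=spf1 -all")),
        (QTYPE_TXT, 300, txt_rdata(b"x" * 200)),  # bulky record an attacker wants reflected
        (QTYPE_MX, 300, struct.pack("!H", 10) + encode_name("mail.example.test.")),
    ]
}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Recursive query with one question, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass, raw question section) of a query."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, qclass, msg[12:pos + 4]


def build_response(query: bytes, any_policy: str = "minimal", over_udp: bool = True) -> bytes:
    """Answer a query; any_policy is 'full', 'minimal' (no RRs) or 'tcp-only' (TC over UDP)."""
    txid, qname, qtype, _qclass, question = parse_question(query)
    rrs = ZONE.get(qname.lower())
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if rrs is None:
        rrs, flags = [], flags | RCODE_NXDOMAIN
    if qtype != QTYPE_ANY:
        answers = [rr for rr in rrs if rr[0] == qtype]
    elif any_policy == "full":
        answers = rrs                              # every RRset: maximal amplification
    elif any_policy == "tcp-only" and over_udp:
        answers, flags = [], flags | FLAG_TC       # empty + TC: client retries over TCP
    elif any_policy == "tcp-only":
        answers = rrs                              # TCP source is not spoofable; answer fully
    else:
        answers = []                               # 'minimal': NOERROR with zero answer RRs
    body = b"".join(
        encode_name(qname) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
        for t, ttl, rd in answers
    )
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + body


def answer_count(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes reflected toward a spoofed source per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.test.", QTYPE_ANY)
    for policy in ("full", "minimal", "tcp-only"):
        r = build_response(q, any_policy=policy)
        print(f"{policy:9s} answers={answer_count(r)} TC={is_truncated(r)} "
              f"size={len(r)} amplification={amplification_factor(q, r):.1f}x")
```

With the constructed zone, the 30-byte ANY query draws a 404-byte full answer (about 13x amplification), while both the empty-answer and the TC-over-UDP policies send back exactly the 30 bytes of header plus question, so a spoofed-source query gains the attacker nothing. Ordinary typed queries (A, AAAA, MX) are unaffected by either policy.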