Allow-Query=any


mejaz

Hello,

How can I control "query type ANY" in BIND DNS? If someone does a lookup with query type ANY, the results display the SOA section, mail and name server information. I don't want to display all the info, only specific information.

Thanks in advance for the support.

Ejaz

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Allow-Query=any

Peter Rathlev
Hi Ejaz,

On Thu, 2016-01-07 at 09:56 +0300, Ejaz wrote:
> How to control from the DNS bind “Query type Any” such as. If someone
> does look up with query type =any, results will display the SOA
> section, mail and Name server information, which I don’t want display
> all info.. only specific information

The "any" query doesn't return anything that couldn't also be queried
separately. SOA and NS records are part of how DNS works and thus
necessary. If you don't want to serve MX records then just don't
include them in the zone. :-)

What exactly don't you want to display? If you state why, then people
might have other ways for you to achieve what you want.

-- 
Peter Rathlev
Re: Allow-Query=any

Matus UHLAR - fantomas
In reply to this post by mejaz
On 07.01.16 09:56, Ejaz wrote:
>How to control from the DNS bind "Query type Any" such as. If someone does
>look up with query type =any, results will display the SOA section, mail and
>Name server information, which I don't want display all info.. only specific
>information

so, instead of providing type "ANY", you want people to flood your server
with multiple queries, one per type?

if you have problems, response rate limiting should be the better solution.

...I received spam from a company with NS hosted at Cloudflare that refuses ANY
queries. I am considering ignoring such domains.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: Allow-Query=any

Reindl Harald
In reply to this post by mejaz


Am 07.01.2016 um 07:56 schrieb Ejaz:
> How to control from the DNS bind “Query type Any” such as. If someone
> does look up with query type =any, results will display the SOA section,
> mail and Name server information, which I don’t want display all info..
> only specific information

while what you want makes *zero* sense because you cannot hide
mandatory info, with "minimal-responses yes;" the responses are way
shorter and DNS traffic goes down by around 20% on an auth nameserver
because of the stripped "ADDITIONAL SECTION"

as already explained: when somebody wants information which exists in
the DNS he can ask for that information - unconditionally



Re: Allow-Query=any

G.W. Haywood
In reply to this post by mejaz
Hi there,

On Thu, 7 Jan 2016, Reindl Harald wrote:

> ... when somebody wants information which exists in
> the DNS he can ask for that information - unconditionally

laptop3:~$ >>> dig -t any lloyds.co.uk

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lloyds.co.uk.                  IN      ANY

;; ANSWER SECTION:
lloyds.co.uk.           3789    IN      HINFO   "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
lloyds.co.uk.           137094  IN      NS      dina.ns.cloudflare.com.
lloyds.co.uk.           137094  IN      NS      matt.ns.cloudflare.com.

;; AUTHORITY SECTION:
lloyds.co.uk.           137094  IN      NS      matt.ns.cloudflare.com.
lloyds.co.uk.           137094  IN      NS      dina.ns.cloudflare.com.

;; Query time: 54 msec
;; SERVER: 192.168.44.72#53(192.168.44.72)
;; WHEN: Thu Jan 07 20:17:18 GMT 2016
;; MSG SIZE  rcvd: 197

--

73,
Ged.
Re: Allow-Query=any

Reindl Harald


Am 07.01.2016 um 21:18 schrieb G.W. Haywood:
> Hi there,
>
> On Thu, 7 Jan 2016, Reindl Harald wrote:
>
>> ... when somebody wants information which exists in
>> the DNS he can ask for that information - unconditionally

you don't get it

if i want to ask for your SOA or NS records then i ask for them

there is *NO POINT* you can prohibit that unless you need a working
nameserver and the only thing you *could* achieve is that i need more
queries than normally needed raising the load on your own nameserver

what would happen if you can achieve it:

* in the best case no difference
* in the worst case broken clients and degraded service

prohibiting things just for the sake of prohibiting them is clueless,
dangerous and unless you have a *real good* reason for your goal you
should ask yourself if you *really* have the knowledge to maintain
public nameservers - sorry - impossible to say that more politely

> laptop3:~$ >>> dig -t any lloyds.co.uk

tells me that there is another clueless idiot degrading services as it
often happens - the larger the company the more foolish admins

WHAT do they gain with it?
NOTHING


Re: Allow-Query=any

Warren Kumari


On Thu, Jan 7, 2016 at 3:25 PM Reindl Harald <[hidden email]> wrote:

> Am 07.01.2016 um 21:18 schrieb G.W. Haywood:
> > Hi there,
> >
> > On Thu, 7 Jan 2016, Reindl Harald wrote:
> >
> >> ... when somebody wants information which exists in
> >> the DNS he can ask for that information - unconditionally
>
> you don't get it
>
> if i want to ask for your SOA or NS records then i ask for them
>
> there is *NO POINT* you can prohibit that unless you need a working
> nameserver and the only thing you *could* achieve is that i need more
> queries than normally needed raising the load on your own nameserver
>
> what would happen if you can achieve it:
>
> * in the best case no difference
> * in the worst case broken clients and degraded service
>
> prohibiting things just for the sake of prohibiting them is clueless,
> dangerous and unless you have a *real good* reason for your goal you
> should ask yourself if you *really* have the knowledge to maintain
> public nameservers - sorry - impossible to say that more politely
>
> > laptop3:~$ >>> dig -t any lloyds.co.uk
>
> tells me that there is another clueless idiot degrading services as it
> often happens - the larger the company the more foolish admins
>
> WHAT do they gain with it?
> NOTHING

Reindl, did you read the draft referred to in the HINFO? ( https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It clearly outlines the reasons that Cloudflare is doing this. This document was discussed in the DNSOP WG, and was presented at a few meetings.
The consensus within the DNSOP WG was to adopt and work on the draft, so I object to your characterization of this as "another clueless idiot degrading services" at a large company.
Olafur and Joe (the authors of this) are far from clueless idiots.
In addition, please try to moderate your tone - people come to the BIND Users list for assistance - your argumentative (and often insulting) posts are not helpful to building a community.

W

Re: Allow-Query=any

Reindl Harald

Am 07.01.2016 um 22:31 schrieb Warren Kumari:

> Reindl, did you read the draft referred to in the HINFO? (
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It
> clearly outlines the reasons that cloudfare is doing this. This document
> was discussed in the DNSOP WG, and was presented at a few meetings.
> The consensus within the DNSOP WG was to adopt and work on the draft, so
> I object to your characterization of this as "another clueless idiot
> degrading services" at a large company.
> Olafur and Joe (the authors of this) are far from clueless idiots.
> In addition, please try to moderate your tone - people come to the BIND
> Users list for assistance - your argumentative (and often insulting)
> posts are not helpful to building a community
i did read and understand the reasoning long before this thread as i
also had the RRL patches in production long before they went to stable
releases
http://www.tummy.com/blogs/2013/02/20/bindrrl-patched-rpms-available/

with RRL and "minimal-responses yes;" the response size/impact of an ANY
query is very limited, while that is a completely different reasoning than
"I don't want display all info"


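The two settings Reindl keeps coming back to, RRL and minimal-responses, as an added configuration example for this page (not a fragment from the thread, from ISC's documentation or from anyone's production server). The option names are real BIND 9 options; the numeric values are illustrative and should be tuned from the server's own query logs.

```conf
// named.conf (excerpt) - added example, values are illustrative
options {
    // Leave out ADDITIONAL data (and, for positive answers, the AUTHORITY
    // NS set) the client did not ask for. Nothing is hidden: every record
    // is still returned when queried by name and type.
    minimal-responses yes;

    // Response Rate Limiting (BIND 9.9.4 and later). Identical answers to
    // one IPv4 /24 or IPv6 /56 are capped per second, which is what blunts
    // reflection attacks that use ANY for amplification. Start in log-only
    // mode so the limits can be sized before they drop anything.
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;                 // every 2nd dropped response becomes a truncated one (forces TCP)
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only yes;           // set to "no" once the logs show only abuse being limited
    };
};
```

Two caveats for anyone arriving from the thread title: `allow-query` is an address match list that decides who may ask at all, not which record types they may ask for, so it cannot do what the original question asks. And BIND 9.11 (released after this thread) added `minimal-any yes;`, which answers a UDP ANY query with a single RRset while answering normally over TCP; it is the closest in-BIND equivalent of the refuse-any behaviour discussed below, and like it, hides nothing.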
Re: Allow-Query=any

Robert Edmonds
In reply to this post by Warren Kumari
Warren Kumari wrote:
> Olafur and Joe (the authors of this) are far from clueless idiots.

+1

> In addition, please try to moderate your tone - people come to the BIND
> Users list for assistance - your argumentative (and often insulting) posts
> are not helpful to building a community.

+1

--
Robert Edmonds
RE: Allow-Query=any

Kevin Darcy
In reply to this post by Reindl Harald
I do find it a little ironic that the HINFO RDATA shown earlier in the thread, references the "refuse-any" draft, yet, in the selfsame RDATA, violates one of the "SHOULD"s of the draft:

"The OS field of the HINFO RDATA SHOULD be set to the null string to minimise the size of the response."

Kind of sends a mixed message, don't you think?

- Kevin

Re: Allow-Query=any

Warren Kumari
Yah, I guess it does kinda :-)
I seem to remember Olafur or Marek admitted that including the text was an ugly, temporary kludge, and provided some "cover" so that it was clearer that this was the intended behavior, and not that e.g. they had just not fully implemented ANY (as many DNS load-balancers / middleboxes seem to do). Once this becomes common practice the HINFO can go to null.

Personally I think that they should have instead:
A: inserted naughty limericks or
B: sold this space off as advertising space.

W
DISCLAIMER: B is a joke... although.... huh....



On Thu, Jan 7, 2016 at 5:05 PM Darcy Kevin (FCA) <[hidden email]> wrote:
> I do find it a little ironic that the HINFO RDATA shown earlier in the thread, references the "refuse-any" draft, yet, in the selfsame RDATA, violates one of the "SHOULD"s of the draft:
>
> "The OS field of the HINFO RDATA SHOULD be set to the null string to minimise the size of the response."
>
> Kind of sends a mixed message, don't you think?
>
> - Kevin

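To put numbers on the arguments in this thread, here is an added example written for this page; it is not code from the thread, from ISC, or from Cloudflare. It hand-builds the uncompressed DNS wire format of the ANSWER and ADDITIONAL sections an authoritative server would send for a constructed example.com zone and compares three policies for an ANY query: the full response with the glue BIND adds to ADDITIONAL, the same response under `minimal-responses yes;`, and the single synthesized HINFO that draft-ietf-dnsop-refuse-any (published in 2019 as RFC 8482) prescribes, with the empty OS field Kevin points out versus the text Cloudflare was serving. It also checks Peter's and Reindl's point that ANY returns nothing beyond the union of the per-type answers. The zone contents, function names and the HINFO TTL are assumptions of the example; real servers use name compression and add an AUTHORITY section, so absolute byte counts differ, but the ordering of the cases holds.

```python
# Added example for this page; not code from the thread, ISC or Cloudflare.
# Hand-builds uncompressed DNS wire format (RFC 1035) for ANSWER/ADDITIONAL so
# an ANY response can be compared with minimal-responses and with the single
# HINFO answer of draft-ietf-dnsop-refuse-any (now RFC 8482).
# AUTHORITY section and name compression are deliberately left out.
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_HINFO = 1, 2, 6, 13        # RFC 1035 type codes
TYPE_MX, TYPE_TXT, TYPE_AAAA, TYPE_ANY = 15, 16, 28, 255   # AAAA from RFC 3596
CLASS_IN = 1
HEADER_LEN = 12  # fixed DNS message header

# Constructed sample zone (an assumption of this example): name -> [(type, ttl, value)]
ZONE = {
    "example.com.": [
        (TYPE_SOA, 3600, ("ns1.example.com.", "hostmaster.example.com.",
                          2016010701, 7200, 900, 1209600, 300)),
        (TYPE_NS, 86400, "ns1.example.com."),
        (TYPE_NS, 86400, "ns2.example.com."),
        (TYPE_MX, 3600, (10, "mail.example.com.")),
        (TYPE_A, 300, "192.0.2.10"),
        (TYPE_AAAA, 300, "2001:db8::10"),
        (TYPE_TXT, 300, ("v=spf1 mx -all",)),
    ],
    "ns1.example.com.": [(TYPE_A, 86400, "192.0.2.1")],
    "ns2.example.com.": [(TYPE_A, 86400, "192.0.2.2")],
    "mail.example.com.": [(TYPE_A, 3600, "192.0.2.25")],
}

def encode_name(name):
    """Uncompressed domain name: length-prefixed labels terminated by a zero octet."""
    out = b"".join(struct.pack("!B", len(lab)) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"

def char_string(text):
    """<character-string>: one length octet followed by the text (max 255)."""
    raw = text.encode("ascii")
    return struct.pack("!B", len(raw)) + raw

def encode_rdata(rtype, value):
    if rtype in (TYPE_A, TYPE_AAAA):
        return ipaddress.ip_address(value).packed
    if rtype == TYPE_NS:
        return encode_name(value)
    if rtype == TYPE_MX:
        return struct.pack("!H", value[0]) + encode_name(value[1])
    if rtype == TYPE_SOA:
        mname, rname, *counters = value  # serial refresh retry expire minimum
        return encode_name(mname) + encode_name(rname) + struct.pack("!5I", *counters)
    if rtype == TYPE_TXT:
        return b"".join(char_string(s) for s in value)
    if rtype == TYPE_HINFO:
        return char_string(value[0]) + char_string(value[1])
    raise ValueError("unsupported type %d" % rtype)

def encode_rr(name, rtype, ttl, value):
    """NAME TYPE CLASS TTL RDLENGTH RDATA, as on the wire."""
    rdata = encode_rdata(rtype, value)
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def answer_rrs(qname, qtype):
    """Encoded RRs an authoritative server puts in ANSWER for qname/qtype."""
    return [encode_rr(qname, t, ttl, v) for t, ttl, v in ZONE.get(qname, [])
            if qtype in (t, TYPE_ANY)]

def additional_rrs(qname, qtype):
    """Address records added for NS/MX targets; minimal-responses omits these."""
    out = []
    for t, _ttl, v in ZONE.get(qname, []):
        if qtype not in (t, TYPE_ANY):
            continue
        target = v if t == TYPE_NS else v[1] if t == TYPE_MX else None
        if target:
            out += answer_rrs(target, TYPE_A) + answer_rrs(target, TYPE_AAAA)
    return out

def refuse_any_answer(qname, cpu="RFC8482", os_="", ttl=3600):
    """Single HINFO a refuse-any server returns instead of every RRset at the name.
    RFC 8482 uses CPU "RFC8482" and an empty OS field; the TTL is an assumption."""
    return encode_rr(qname, TYPE_HINFO, ttl, (cpu, os_))

def response_size(qname, qtype, minimal_responses=False, refuse_any=False):
    """Octets in header + question + answer + additional under the chosen policy."""
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if qtype == TYPE_ANY and refuse_any:
        answer, additional = [refuse_any_answer(qname)], []
    else:
        answer = answer_rrs(qname, qtype)
        additional = [] if minimal_responses else additional_rrs(qname, qtype)
    return HEADER_LEN + len(question) + sum(map(len, answer + additional))

def any_is_just_the_union(qname):
    """ANY yields exactly the RRs that one query per type would; nothing is hidden."""
    per_type = set()
    for t in {t for t, _, _ in ZONE[qname]}:
        per_type.update(answer_rrs(qname, t))
    return per_type == set(answer_rrs(qname, TYPE_ANY))

if __name__ == "__main__":
    q = "example.com."
    print("ANY full / minimal / refuse-any / MX-only:", response_size(q, TYPE_ANY),
          response_size(q, TYPE_ANY, minimal_responses=True),
          response_size(q, TYPE_ANY, refuse_any=True), response_size(q, TYPE_MX))
```

For this constructed zone the three ANY cases come out at 434, 340 and 61 octets, and a plain MX query at 104 (72 with minimal-responses): stripping ADDITIONAL trims the response, refusing ANY shrinks it to below the size of the query's own question plus one record, which is why the draft exists as an amplification mitigation rather than a way to hide data. The HINFO RR itself is 32 octets with the null OS field and 84 with the text Cloudflare was serving at the time, which is Kevin's objection in numbers. `any_is_just_the_union` is the other half of the thread: every record in the ANY answer is reachable by a per-type query, so refusing ANY hides nothing from anyone willing to send a few more queries.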