From 0bebf8ee9d729a6e623cc16a8e08d40442073197 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 28 Jan 2026 15:04:58 +0100
Subject: [PATCH] Enable minimal ANY answers by default

ANY queries are widely abused by attackers doing reflection attacks as they return the largest answers. Enable minimal ANY answers by default to reduce the attack surface of the DNS servers.
---
 bin/include/defaultconfig.h | 2 +-
 bin/tests/system/digdelv/ns2/named.conf.j2 | 1 +
 bin/tests/system/digdelv/ns3/named.conf.j2 | 1 +
 bin/tests/system/dnssec/ns1/named.conf.j2 | 2 ++
 bin/tests/system/dnssec/ns2/named.conf.j2 | 3 ++-
 bin/tests/system/dnssec/ns3/named.conf.j2 | 3 ++-
 bin/tests/system/dnssec/ns4/named.conf.j2 | 3 ++-
 bin/tests/system/dnssec/ns5/named.conf.j2 | 1 +
 bin/tests/system/dnssec/ns6/named.conf.j2 | 1 +
 bin/tests/system/dnssec/ns9/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns1/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns11/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns4/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns5/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns6/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns7/named.conf.j2 | 1 +
 bin/tests/system/resolver/ns9/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns1/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns10/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns2/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns3/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns4/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns5/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns6/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns7/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns8/named.conf.j2 | 1 +
 bin/tests/system/rpz/ns9/named.conf.j2 | 1 +
 bin/tests/system/rpzextra/ns2/named.conf.j2 | 1 +
 bin/tests/system/rpzextra/ns3/named.conf.j2 | 1 +
 doc/arm/reference.rst | 2 +-
 30 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/bin/include/defaultconfig.h b/bin/include/defaultconfig.h
index fb1ede220c..c92aeaea05 100644
--- a/bin/include/defaultconfig.h
+++ b/bin/include/defaultconfig.h
@@ -154,7 +154,7 @@ options {\n\
 message-compression yes;\n\
 min-ncache-ttl 0; /* 0 hours */\n\
 min-cache-ttl 0; /* 0 seconds */\n\
- minimal-any false;\n\
+ minimal-any yes;\n\
 minimal-responses no-auth-recursive;\n\
 notify-source *;\n\
 notify-source-v6 *;\n\
diff --git a/bin/tests/system/digdelv/ns2/named.conf.j2 b/bin/tests/system/digdelv/ns2/named.conf.j2
index 47b0449ffb..07a6228ac1 100644
--- a/bin/tests/system/digdelv/ns2/named.conf.j2
+++ b/bin/tests/system/digdelv/ns2/named.conf.j2
@@ -21,6 +21,7 @@ options {
 listen-on-v6 { fd92:7065:b8e:ffff::2; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
 
 zone "." {
diff --git a/bin/tests/system/digdelv/ns3/named.conf.j2 b/bin/tests/system/digdelv/ns3/named.conf.j2
index 90a3fa3066..4105ada269 100644
--- a/bin/tests/system/digdelv/ns3/named.conf.j2
+++ b/bin/tests/system/digdelv/ns3/named.conf.j2
@@ -20,6 +20,7 @@ options {
 recursion yes;
 dnssec-validation no;
 server-id "ns3";
+ minimal-any no;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/ns1/named.conf.j2 b/bin/tests/system/dnssec/ns1/named.conf.j2
index bd1ccc4081..f78cc0acd6 100644
--- a/bin/tests/system/dnssec/ns1/named.conf.j2
+++ b/bin/tests/system/dnssec/ns1/named.conf.j2
@@ -21,6 +21,8 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2
index 8507c768f0..7594ba276f 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
@@ -22,11 +22,12 @@ options {
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
 notify-delay 1;
- minimal-responses no;
 };
 
 key rndc_key {
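Review bot: A shipped default changes here without a release note: the reference manual's default text is updated in the last hunk, but the diffstat contains no release-notes or CHANGES entry, so upgrading operators get no notice that ANY responses will shrink unless one is added separately. The entry also lacks the inline rationale its neighbours carry (`/* 0 hours */`); recording the reason in the string would help, e.g. `minimal-any yes; /* reduce ANY amplification */\n\`. The literal moves from `false` to `yes`, which is valid named.conf syntax and matches the `yes`/`no` style of the surrounding lines. The `options {` default-config string continues outside the hunk on both sides.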
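Review bot: `+ minimal-responses no;` in the dnssec/ns1 hunk is an added setting rather than a moved one: unlike the ns2 and ns3 hunks there is no matching `- minimal-responses no;` line, so as far as the hunk shows ns1 previously ran with the built-in default (`minimal-responses no-auth-recursive;` in the defaultconfig.h hunk). If the goal is only to keep the test's pre-change behaviour, `+ minimal-any no;` alone does that, and the extra line overrides the default for every other query type as well; either drop it or state in the commit message why ns1 now needs it. If the test genuinely depends on full authority and additional sections, a comment in the template such as `// tests compare full authority/additional sections` would stop a later cleanup from removing it. The `options {` block of this template starts and ends outside the hunk.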
diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 9cbc58892c..286a3f589a 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -24,11 +24,12 @@ options {
 listen-on { 10.53.0.3; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
+ minimal-responses no;
 recursion no;
 notify yes;
 dnssec-validation yes;
 session-keyfile "session.key";
- minimal-responses no;
 };
 
 key rndc_key {
diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index b4aa86146a..91e2e7d953 100644
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -26,8 +26,9 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.4; };
 listen-on-v6 { none; };
- recursion yes;
+ minimal-any no;
 minimal-responses no;
+ recursion yes;
 
 {% if accept_expired %}
 dnssec-accept-expired yes;
diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2
index a0332d9d6f..5429d021fa 100644
--- a/bin/tests/system/dnssec/ns5/named.conf.j2
+++ b/bin/tests/system/dnssec/ns5/named.conf.j2
@@ -24,6 +24,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.5; 127.0.0.1; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 minimal-responses no;
 servfail-ttl 0;
diff --git a/bin/tests/system/dnssec/ns6/named.conf.j2 b/bin/tests/system/dnssec/ns6/named.conf.j2
index c3c0da6e44..2fb2cf5413 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.j2
+++ b/bin/tests/system/dnssec/ns6/named.conf.j2
@@ -21,6 +21,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.6; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 notify yes;
 disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
diff --git a/bin/tests/system/dnssec/ns9/named.conf.j2 b/bin/tests/system/dnssec/ns9/named.conf.j2
index 2a335b5a9f..c69135f92d 100644
--- a/bin/tests/system/dnssec/ns9/named.conf.j2
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.9; };
 listen-on-v6 { none; };
+ minimal-any no;
 recursion yes;
 dnssec-validation yes;
 forward only;
diff --git a/bin/tests/system/resolver/ns1/named.conf.j2 b/bin/tests/system/resolver/ns1/named.conf.j2
index 2bb2ce1f86..26a8ce72f6 100644
--- a/bin/tests/system/resolver/ns1/named.conf.j2
+++ b/bin/tests/system/resolver/ns1/named.conf.j2
@@ -32,6 +32,7 @@ options {
 attach-cache "globalcache";
 max-recursion-queries 100;
 request-zoneversion yes;
+ minimal-any no;
 };
 
 
diff --git a/bin/tests/system/resolver/ns11/named.conf.j2 b/bin/tests/system/resolver/ns11/named.conf.j2
index 14ed048629..b6dba3be70 100644
--- a/bin/tests/system/resolver/ns11/named.conf.j2
+++ b/bin/tests/system/resolver/ns11/named.conf.j2
@@ -21,4 +21,5 @@ options {
 listen-on-v6 { none; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
diff --git a/bin/tests/system/resolver/ns4/named.conf.j2 b/bin/tests/system/resolver/ns4/named.conf.j2
index 67cbee8870..38b24d64c5 100644
--- a/bin/tests/system/resolver/ns4/named.conf.j2
+++ b/bin/tests/system/resolver/ns4/named.conf.j2
@@ -23,6 +23,7 @@ options {
 listen-on-v6 { none; };
 recursion no;
 dnssec-validation no;
+ minimal-any no;
 };
 
 zone "." {
diff --git a/bin/tests/system/resolver/ns5/named.conf.j2 b/bin/tests/system/resolver/ns5/named.conf.j2
index 21c5fe8735..47fa54dc2f 100644
--- a/bin/tests/system/resolver/ns5/named.conf.j2
+++ b/bin/tests/system/resolver/ns5/named.conf.j2
@@ -28,6 +28,7 @@ options {
 responselog yes;
 request-nsid yes;
 request-zoneversion yes;
+ minimal-any no;
 };
 
 // Don't break tests which depend on ans10 by requesting
diff --git a/bin/tests/system/resolver/ns6/named.conf.j2 b/bin/tests/system/resolver/ns6/named.conf.j2
index 34552af1b7..19c2da9587 100644
--- a/bin/tests/system/resolver/ns6/named.conf.j2
+++ b/bin/tests/system/resolver/ns6/named.conf.j2
@@ -27,6 +27,7 @@ options {
 statistics-file "named.stats";
 max-udp-size 4096;
 responselog no;
+ minimal-any no;
 };
 
 zone "." {
diff --git a/bin/tests/system/resolver/ns7/named.conf.j2 b/bin/tests/system/resolver/ns7/named.conf.j2
index b9938520d6..9ae4fcfb9e 100644
--- a/bin/tests/system/resolver/ns7/named.conf.j2
+++ b/bin/tests/system/resolver/ns7/named.conf.j2
@@ -32,6 +32,7 @@ options {
 prefetch 0;
 querylog yes;
 edns-udp-size 4096;
+ minimal-any no;
 };
 
 
diff --git a/bin/tests/system/resolver/ns9/named.conf.j2 b/bin/tests/system/resolver/ns9/named.conf.j2
index c1e79febec..af61088eaf 100644
--- a/bin/tests/system/resolver/ns9/named.conf.j2
+++ b/bin/tests/system/resolver/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
 dnssec-validation no;
 dual-stack-servers { fd92:7065:b8e:ffff::7; };
 qname-minimization off;
+ minimal-any no;
 };
 
 
diff --git a/bin/tests/system/rpz/ns1/named.conf.j2 b/bin/tests/system/rpz/ns1/named.conf.j2
index e7af61d073..55e5b60719 100644
--- a/bin/tests/system/rpz/ns1/named.conf.j2
+++ b/bin/tests/system/rpz/ns1/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 dnssec-validation no;
 };
diff --git a/bin/tests/system/rpz/ns10/named.conf.j2 b/bin/tests/system/rpz/ns10/named.conf.j2
index 2cbb6ee838..89fe12fc3b 100644
--- a/bin/tests/system/rpz/ns10/named.conf.j2
+++ b/bin/tests/system/rpz/ns10/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns2/named.conf.j2 b/bin/tests/system/rpz/ns2/named.conf.j2
index 617edd9e9d..633d2f437b 100644
--- a/bin/tests/system/rpz/ns2/named.conf.j2
+++ b/bin/tests/system/rpz/ns2/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index 2f8879b081..3e8bce35ed 100644
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -29,6 +29,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns4/named.conf.j2 b/bin/tests/system/rpz/ns4/named.conf.j2
index a5ef523ced..0f37c97db4 100644
--- a/bin/tests/system/rpz/ns4/named.conf.j2
+++ b/bin/tests/system/rpz/ns4/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify no;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns5/named.conf.j2 b/bin/tests/system/rpz/ns5/named.conf.j2
index e1a727f0df..441da7e156 100644
--- a/bin/tests/system/rpz/ns5/named.conf.j2
+++ b/bin/tests/system/rpz/ns5/named.conf.j2
@@ -29,6 +29,7 @@ options {
 ixfr-from-differences yes;
 notify-delay 0;
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns6/named.conf.j2 b/bin/tests/system/rpz/ns6/named.conf.j2
index 01497b2058..29fa84820d 100644
--- a/bin/tests/system/rpz/ns6/named.conf.j2
+++ b/bin/tests/system/rpz/ns6/named.conf.j2
@@ -24,6 +24,7 @@ options {
 allow-transfer { any; };
 forward only;
 forwarders { 10.53.0.3; };
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns7/named.conf.j2 b/bin/tests/system/rpz/ns7/named.conf.j2
index b648abd145..f48edead00 100644
--- a/bin/tests/system/rpz/ns7/named.conf.j2
+++ b/bin/tests/system/rpz/ns7/named.conf.j2
@@ -22,6 +22,7 @@ options {
 listen-on { 10.53.0.7; };
 listen-on-v6 { none; };
 allow-transfer { any; };
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/rpz/ns8/named.conf.j2 b/bin/tests/system/rpz/ns8/named.conf.j2
index ef6bc3f795..574c84ab70 100644
--- a/bin/tests/system/rpz/ns8/named.conf.j2
+++ b/bin/tests/system/rpz/ns8/named.conf.j2
@@ -27,6 +27,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpz/ns9/named.conf.j2 b/bin/tests/system/rpz/ns9/named.conf.j2
index b26129d1db..0c747d45aa 100644
--- a/bin/tests/system/rpz/ns9/named.conf.j2
+++ b/bin/tests/system/rpz/ns9/named.conf.j2
@@ -27,6 +27,7 @@ options {
 listen-on-v6 { none; };
 allow-transfer { any; };
 notify yes;
+ minimal-any no;
 minimal-responses no;
 recursion yes;
 dnssec-validation no;
diff --git a/bin/tests/system/rpzextra/ns2/named.conf.j2 b/bin/tests/system/rpzextra/ns2/named.conf.j2
index 6317563dc9..5ad99a4ad9 100644
--- a/bin/tests/system/rpzextra/ns2/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns2/named.conf.j2
@@ -30,6 +30,7 @@ options {
 notify no;
 dnssec-validation no;
 allow-query { any; };
+ minimal-any no;
 };
 
 zone "allowed" {
diff --git a/bin/tests/system/rpzextra/ns3/named.conf.j2 b/bin/tests/system/rpzextra/ns3/named.conf.j2
index cd459bcda6..ba47746100 100644
--- a/bin/tests/system/rpzextra/ns3/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns3/named.conf.j2
@@ -30,6 +30,7 @@ options {
 notify no;
 dnssec-validation no;
 allow-query { any; };
+ minimal-any no;
 recursion yes;
 allow-recursion { any; };
 empty-zones-enable false;
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index d9061215c5..6e14b12959 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2093,7 +2093,7 @@ Boolean Options
 necessarily the smallest available RRset.) Additionally, :any:`minimal-responses` is turned on for these queries, so no unnecessary records are added to the authority or additional
- sections. The default is ``no``.
+ sections. The default is ``yes``.
 
 .. namedconf:statement:: notify
 :tags: transfer