refuse ANY queries

W.C.A. Wijngaards wouter at
Fri Aug 25 11:04:08 UTC 2017

Hi Petr,

It is enabled by default, and implemented in Unbound 1.5.4.  These are
the changelog entries from the download page:

Unbound 1.5.6
- ANY responses include DNAME records if present, as per Evan Hunt's
  remark in dnsop.
Unbound 1.5.4 (9 july 2015)
- Synthesize ANY responses from cache. Does not search exhaustively, but

Best regards, Wouter

On 25/08/17 12:57, Petr Špaček via Unbound-users wrote:
> On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Petr,
>> Unbound already implements that draft.  Method 4.1, select one (actually
>> a couple) RRsets.  It picks them from cache if they are available there
>> (e.g. A record or SOA record) and if no records are in cache, it'll make
>> a query.
> Oh, nice! Is it released already?
> I'm not able to find string "refuse-any" either in
> or in SVN log.
> Curious question: How are these RRsets selected?
> For example domain which is often used for attacks using our
> resolver can produce rather large answers for QTYPE, so returning more
> than one QTYPE might not cut the size down as we would wish.
> Petr Špaček  @  CZ.NIC
>> There may be tricks with local-zones or local-data or python scripting
>> or views.
>> Best regards, Wouter
>> On 25/08/17 11:42, Petr Špaček via Unbound-users wrote:
>>> Hello,
>>> is it possible to use some trick to configure Unbound to refuse ANY queries?
>>> It would be helpful for (intentionally) open recursors before
>>> is implemented.
>>> Thank you for your time.
