Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make --filter-rr=ANY filter the answer to ANY queries.

Browse Source 
Thanks to Dominik Derigs for an earlier patch which inspired this.
This commit is contained in:
Simon Kelley
2024-02-12 16:14:06 +00:00
parent febeea9d01
commit 3de7289bd6
4 changed files with 33 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
man/dnsmasq.8
View File

@@ -386,7 +386,11 @@ Remove A records from answers. No IPv4 addresses will be returned.
Remove AAAA records from answers. No IPv6 addresses will be returned.
.TP
.B --filter-rr=<rrtype>[,<rrtype>...]
Remove records of the specified type(s) from answers.
Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has
a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME
records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks
(replies to ANY queries can be large) this defangs such attacks, whilst still supporting the
one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.
.TP
.B --cache-rr=<rrtype>[,<rrtype>...]
By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.