Firefox and the mysterious rise of ANY-queries-EN
Because of its use for malicious purposes such as DNS amplification attacks, DNS ANY queries have been debated for a long time.
When a client sends a DNS request with this query type to a name server, it expects that the server replies with every records which it has available for the queried domain. For example, in case we send an ANY query for the domain example.nl we receive among others the A, AAAA and NS records, DNSSEC related information and TXT records. In this case, the total response is 2624 bytes long, which is 26 times longer than a DNS query for a single A record (100 bytes long).This makes ANY queries useful for DNS amplification attacks where an attacker sends many DNS ANY queries with a spoofed source IP address of the victim to DNS servers. The servers will respond with all known DNS records for the queried domain. In the worst case, the victims bandwidth gets exhausted and the victims server is not reachable anymore. Other resource record that have the potential of large amplification are TXT and DNSSEC records.Besides malicious purposes only a few other use-cases for ANY queries are known. In some cases, clients can save TTL by first querying for ANY records . Also, it is useful to verify which records are stored in a cache and a version of qmaild uses ANY queries as well . Thus, usually the share of ANY queries that we see at our name servers is below one percent of the total number of queries.Until Firefox 36.0 was released on February 24.As every other modern browsers, Firefox uses a mechanism called prefetching to resolve domain names which are linked on a website but have not been visited by the user yet. As soon as the user wants to visit one of these pre-fetched domains, the browser does not have to initiate an DNS query anymore. This reduces the time until the new website is loaded. Until Firefox 36.0, the browser only queried for an A record, but starting from the version 36 it also sends additionally an ANY query. Firefox developers argued that this was necessary “because of the particular nuances of hostname resolution APIs” .When the stable version of Firefox 36.0 was released at the end of February, we observed a significant increase in DNS ANY queries at our name servers. It reached its peak at March 5, where ANY queries were responsible for over 1.6 % of the total number of DNS queries.
Share of ANY queries of the total number of queries from February 1 to March 15 (in percent)On the same day, the developers of Firefox released a number of bug-fixes, which removed the additional ANY query . This resulted in a steep decline of DNS ANY queries. The share of ANY queries is now again clearly below 1%.This significant increase is remarkable since until today, Firefox 36 still has a comparatively low market share. At sidn.nl only 13% of the visitors use the latest version of Firefox.CloudFlare decided to stop supporting ANY queries completely. Soon, they will reply to these queries with a NOTIMPL response . They have justified this step with the, in their opinion, lack of meaningful use cases and with the high potential of misuse in DNS amplification attacks of ANY queries.At SIDN, we keep on answering ANY queries. Nevertheless, in order to prevent that our servers become part of such attacks we have already limited the response rate for possible harmful queries like ANY a while ago.However, the recent bug in Firefox raised again doubts whether ANY queries have a reasonable legitimate use-case and how to handle these requests in the future.