Hi,

I'm getting lots of log lines like the following:

Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144

Is that meant to be a DoS attack?

Yesterday I got 42639 of those, from 41 different IPs, the most frequent 
clients looking like so:
821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c |sort -rn |head
   4957 68.42.225.19
   2914 73.73.73.73
   2868 24.21.125.251
   2783 193.70.81.112
   2440 73.73.3.73
   2273 101.71.138.9
   2032 74.74.74.8
   1814 98.25.235.45
   1785 209.94.134.20
   1756 73.109.143.81

I looked up some of these on AbuseIPDB, and I see there are a few people 
reporting them for the same DDoS.

Are the queries refused because of the dot (.)?  In the query log, I also found 
some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which probably got 
away with a NXDOMAIN.

This morning, queries for IN ANY are filling up 63% of total queries.  Named 
seems to be pretty quick at discarding them.  I'm wondering whether it takes 
more resources to track and firewall those IPs or just ignore them.

I'd also be curious what they are after.  Is there a protest against RFC 
8482?  It looks pretty nonsensical.  Any insight?


Best
Ale
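A parser for the "query failed (REFUSED)" lines shown above, added here as an example and not part of the original post, that does the same per-client tally as the sed pipeline and also reports what fraction of the refused queries are for QTYPE ANY. The hostname, client addresses and the extra non-ANY lines in the sample are constructed.

```python
import re
from collections import Counter

# Matches the "query failed (<rcode>)" record that named (BIND 9) logs
# from bin/named/query.c, capturing client IP, view, qname, class and type.
REFUSED_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): view (?P<view>\S+): query failed "
    r"\((?P<rcode>[A-Z]+)\) for (?P<name>\S+)/(?P<cls>[A-Z]+)/(?P<qtype>[A-Z0-9]+) at"
)

# Constructed sample in the format of the post (hostname and addresses are made up);
# the last two lines show a refused A query and an unrelated record being skipped.
SAMPLE_LOG = """\
Jan 12 04:35:18 ns1 named[22233]: client @0x7fe0fc2a3b80 192.0.2.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 ns1 named[22233]: client @0x7fe0fc2784d0 192.0.2.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 ns1 named[22233]: client @0x7fe0fc2953f0 192.0.2.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:01 ns1 named[22233]: client @0x7fe0fc2a1000 198.51.100.7#41000 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:05 ns1 named[22233]: client @0x7fe0fc2a2000 198.51.100.7#41001 (example.com): view external: query failed (REFUSED) for example.com/IN/A at ../../../bin/named/query.c:7144
Jan 12 04:36:09 ns1 named[22233]: zone example.org/IN: loaded serial 2024011201
""".splitlines()


def parse_refused(lines):
    """Yield one dict per line that is a named 'query failed' record; other lines are skipped."""
    for line in lines:
        m = REFUSED_RE.search(line)
        if m:
            yield m.groupdict()


def top_any_clients(lines, n=10):
    """Count refused ANY queries per client IP, most frequent first (like sort|uniq -c|sort -rn|head)."""
    counts = Counter(r["ip"] for r in parse_refused(lines) if r["qtype"] == "ANY")
    return counts.most_common(n)


def any_share(lines):
    """Fraction of the refused queries that asked for QTYPE ANY (0.0 if none were parsed)."""
    recs = list(parse_refused(lines))
    if not recs:
        return 0.0
    return sum(1 for r in recs if r["qtype"] == "ANY") / len(recs)


if __name__ == "__main__":
    for ip, n in top_any_clients(SAMPLE_LOG):
        print(f"{n:6d} {ip}")
    print(f"ANY share of refused queries: {any_share(SAMPLE_LOG):.0%}")
```

Feed it `/var/log/daemon.log.0` via `top_any_clients(open(path))` to reproduce the table in the post; the regex does not depend on the hostname or timestamp width.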
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users