Wednesday, August 5, 2009

Query from disallowed client and unexpected RCODE (SERVFAIL) resolving

SkyHi @ Wednesday, August 05, 2009
Anyway, here's a sample of named.conf

18-Apr-2009 15:07:16.569 unexpected RCODE (SERVFAIL) resolving '155.236.160.65.in-addr.arpa/PTR/IN': 65.160.225.8#53
18-Apr-2009 15:12:35.862 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
18-Apr-2009 15:12:36.264 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
18-Apr-2009 15:12:46.540 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
18-Apr-2009 15:12:46.937 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
18-Apr-2009 15:17:31.135 unexpected RCODE (SERVFAIL) resolving 'dns1.datadragon.net/AAAA/IN': 211.147.6.4#53
18-Apr-2009 15:17:31.142 unexpected RCODE (SERVFAIL) resolving 'dns2.datadragon.net/AAAA/IN': 211.147.6.4#53
18-Apr-2009 15:17:31.930 unexpected RCODE (SERVFAIL) resolving 'dns1.datadragon.net/AAAA/IN': 211.147.6.4#53
18-Apr-2009 15:17:31.940 unexpected RCODE (SERVFAIL) resolving 'dns2.datadragon.net/AAAA/IN': 211.147.6.4#53
18-Apr-2009 18:48:36.119 lame server resolving 'dns.opb.interbusiness.it' (in 'opb.interbusiness.it'?): 80.22.52.133#53
18-Apr-2009 18:48:36.121 lame server resolving 'dns.opb.interbusiness.it' (in 'opb.interbusiness.it'?): 80.22.52.133#53
18-Apr-2009 19:24:22.348 lame server resolving '209.60.173.220.in-addr.arpa' (in '60.173.220.in-addr.arpa'?): 202.103.225.70#53
18-Apr-2009 19:24:22.795 lame server resolving '209.60.173.220.in-addr.arpa' (in '60.173.220.in-addr.arpa'?): 202.103.224.70#53
18-Apr-2009 19:24:34.013 lame server resolving '209.60.173.220.in-addr.arpa' (in '60.173.220.in-addr.arpa'?): 202.103.225.70#53
18-Apr-2009 19:24:34.456 lame server resolving '209.60.173.220.in-addr.arpa' (in '60.173.220.in-addr.arpa'?): 202.103.224.70#53
18-Apr-2009 20:08:10.828 lame server resolving 'mail.yenisevgili.net' (in 'yenisevgili.NET'?): 79.171.20.167#53
18-Apr-2009 20:08:11.060 lame server resolving 'mail.yenisevgili.net' (in 'yenisevgili.NET'?): 79.171.20.166#53
18-Apr-2009 23:06:22.822 lame server resolving '139.229.171.203.in-addr.arpa' (in '229.171.203.in-addr.arpa'?): 203.171.230.7#53
18-Apr-2009 23:26:09.587 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
18-Apr-2009 23:26:09.852 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
18-Apr-2009 23:26:20.128 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
18-Apr-2009 23:26:20.527 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
19-Apr-2009 02:20:43.263 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
19-Apr-2009 02:20:43.657 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
19-Apr-2009 02:20:53.941 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
19-Apr-2009 02:20:54.316 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
19-Apr-2009 04:10:42.705 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
19-Apr-2009 04:10:43.090 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
19-Apr-2009 04:10:53.358 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 203.130.196.5#53
19-Apr-2009 04:10:53.743 lame server resolving '217.184.124.222.in-addr.arpa' (in '184.124.222.in-addr.arpa'?): 202.134.0.62#53
19-Apr-2009 04:19:30.922 lame server resolving '139.229.171.203.in-addr.arpa' (in '229.171.203.in-addr.arpa'?): 203.171.230.7#53
19-Apr-2009 05:18:02.844 lame server resolving 'mail.yenisevgili.net' (in 'yenisevgili.NET'?): 79.171.20.167#53
19-Apr-2009 05:18:03.079 lame server resolving 'mail.yenisevgili.net' (in 'yenisevgili.NET'?): 79.171.20.166#53
19-Apr-2009 10:53:35.091 lame server resolving '139.229.171.203.in-addr.arpa' (in '229.171.203.in-addr.arpa'?): 203.171.230.7#53
19-Apr-2009 11:20:03.340 unexpected RCODE (SERVFAIL) resolving '2.0-63.164.243.200.in-addr.arpa/PTR/IN': 200.255.253.241#53
19-Apr-2009 11:20:03.770 unexpected RCODE (SERVFAIL) resolving '2.0-63.164.243.200.in-addr.arpa/PTR/IN': 200.245.255.33#53
19-Apr-2009 11:20:08.453 unexpected RCODE (SERVFAIL) resolving '2.0-63.164.243.200.in-addr.arpa/PTR/IN': 200.245.255.33#53
19-Apr-2009 11:20:08.868 unexpected RCODE (SERVFAIL) resolving '2.0-63.164.243.200.in-addr.arpa/PTR/IN': 200.255.253.241#53
19-Apr-2009 11:55:06.986 unexpected RCODE (SERVFAIL) resolving '155.236.160.65.in-addr.arpa/PTR/IN': 65.160.225.8#53
22-Apr-2009 05:18:36.745 lame server resolving '62.subnet0.195.62.64.in-addr.arpa' (in 'subnet0.195.62.64.in-addr.arpa'?): 64.62.148.143#53
26-Apr-2009 22:54:22.081 unexpected RCODE (REFUSED) resolving 'ns.bta.net.cn/A/IN': 202.106.196.234#53
26-Apr-2009 22:54:22.094 unexpected RCODE (REFUSED) resolving 'ns.bta.net.cn/AAAA/IN': 202.106.196.234#53
27-Apr-2009 02:36:13.366 lame server resolving 'NS.TAILORMADESERVERS.COM' (in 'TAILORMADESERVERS.com'?): 72.9.144.3#53
27-Apr-2009 02:36:13.378 lame server resolving 'NS2.TAILORMADESERVERS.COM' (in 'TAILORMADESERVERS.com'?): 72.9.144.3#53
27-Apr-2009 02:36:13.379 lame server resolving 'NS2.TAILORMADESERVERS.COM' (in 'TAILORMADESERVERS.com'?): 72.9.144.3#53
27-Apr-2009 02:36:13.379 lame server resolving 'NS.TAILORMADESERVERS.COM' (in 'TAILORMADESERVERS.com'?): 72.9.144.3#53

Nearly all those lookups are not ones this server would make. Not sure why they are happening. Anyway, nothing was resolving until I restarted the DNS service. It's working fine now.

I had the firewall service turned on, but the "DNS responds to outbound queries" filter was allowed (otherwise the server can't resolve lookups to non-local domains, right?). Maybe that's a hole?

Any advice or direction is much appreciated.

...Rene



Rene,

1. That looks like a normal log. It could be that the errors are e-mail going through your mail server. Are you using Postfix and spamhaus to blacklist? The /AAAA/ entries are rejected/unresolved IPv6 addresses.

2. As for your bind named.conf file, to quote Matus UHLAR:
You have probably disabled queries from the world and only allowed them from your
local network. You can:

- allow queries to the zone in the zone "dieppeseinemaritime.com" statement
(allow-query)

- allow queries from the whole world to your nameserver and allow
recursion only from your LAN

- run an authoritative-only nameserver on a different IP that knows this zone and
has recursion disabled

I recommend the last option. For option 2, don't forget to disable
recursion from the internet - it may cause you problems.

-Wayne

Edit: So no, probably not hacked.
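Wayne's option 2 written out as a named.conf fragment, added here as an example and not taken from the thread; the zone name is the one Matus mentions, while the LAN prefix, directory and zone file name are assumptions.

```conf
// Added example (not from the original thread): BIND named.conf layout for
// "answer everyone, recurse only for the LAN". Addresses and paths are assumed.

acl "lan" {
    127.0.0.1;
    192.168.1.0/24;          // assumption: the server's local network
};

options {
    directory "/var/named";  // assumption: typical BIND working directory

    // The layout that produces the symptom in the thread: limiting *all*
    // queries to the LAN also hides the public zone, so outside resolvers are
    // refused and named logs their queries as denied.
    //   allow-query { lan; };

    // Option 2: answer queries from anywhere ...
    allow-query { any; };
    // ... but only do recursive lookups on behalf of the LAN. Leaving
    // recursion open to the internet makes this an open resolver.
    recursion yes;
    allow-recursion { lan; };
    // Keep answers served from the cache LAN-only as well.
    allow-query-cache { lan; };
};

// The public zone: served authoritatively to everyone.
zone "dieppeseinemaritime.com" {
    type master;
    file "dieppeseinemaritime.com.zone";   // assumption
    // A zone-level allow-query overrides the global one; "any" keeps the
    // zone reachable from outside even if the global default is tightened.
    allow-query { any; };
};

// Option 3 (the one Wayne recommends) is the same zone statement on a
// separate instance or IP with "recursion no;" in its options block, and the
// LAN-only resolver above with no public zones at all.
```

Check the result with named-checkconf and then, from a host outside the LAN, confirm the zone answers while a lookup for an unrelated name is refused.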


Reference: http://discussions.apple.com/thread.jspa?messageID=9393940