query on non-query socket

Jim Reid jim at mpn.cp.philips.com
Thu Jul 29 16:35:11 UTC 1999


>>>>> "Markus" == Markus Stumpf <maex-bind-users at Space.Net> writes:

    Markus> For about three or four weeks I occasionally see messages
    Markus> like these (dates GMT+2):

    Markus> 28-Jul-1999 14:31:31.230 security: notice: refused query on non-query socket from [192.86.99.28].53 

    Markus> While these mostly come from the server above
    Markus> (wbweb4.worldbank.org) I've also seen some from other
    Markus> IPs. Except for one day when I had a few hundred within a
    Markus> few seconds, I'm seeing about 3 or 4 of them a day,
    Markus> sometimes even none for 2 or 3 days.

    Markus> This only happens on one (ns.space.net) of the three DNS
    Markus> servers we use in NS records on all our domains. I'm still
    Markus> running bind-8.1.2 (for more than one year now, never seen
    Markus> these in all the months before).

    Markus> Is this due to a broken resolver? 

Maybe. There's no name server running on 192.86.99.28 - at least not
now. However the queries used source port 53, which suggests the host
used to have a name server running and it was that which sent the
queries.

    Markus> Is this kind of an attack?

I doubt it, but the possibility shouldn't be ruled out. A more likely
explanation is that there are some stale NS or A records for your name
server lurking in the DNS somewhere. [Sorry to be so vague. What
domains were associated with the IP address of your name server?] Try
enabling query logging to see what these unwanted queries are for. [I
hope named logs 'em before it screams about the "non-query socket"...]
This should help to identify the zone(s) that might have that stale
data. You could also try asking the sysadmins of the sites that are
sending those requests. They should be able to tell you what names
they are looking up and why they're sending those (unwanted) queries
to your name server.
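The reply suggests correlating these "refused query on non-query socket" notices by source address and source port before chasing stale NS or A records. The following script is an added example written for this archive page; it is not code from the original post, from BIND, or from either poster. It parses lines in the same format as the one quoted above, counts refusals per source address and port, flags sources using port 53 (the observation in the reply that such a sender is probably itself a name server), and reports short bursts like the "few hundred within a few seconds" episode mentioned in the question. The log lines, the burst window (5 seconds) and the burst threshold (3 events) are constructed for the example and are not values from the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in the format quoted in the post (not real traffic).
SAMPLE_LOG = """\
28-Jul-1999 14:31:31.230 security: notice: refused query on non-query socket from [192.86.99.28].53
28-Jul-1999 14:31:31.410 security: notice: refused query on non-query socket from [192.86.99.28].53
28-Jul-1999 14:31:31.880 security: notice: refused query on non-query socket from [192.86.99.28].53
28-Jul-1999 18:02:07.001 security: notice: refused query on non-query socket from [10.0.0.7].1034
29-Jul-1999 09:15:44.512 security: notice: refused query on non-query socket from [192.86.99.28].53
29-Jul-1999 09:16:02.003 security: notice: refused query on non-query socket from [10.0.0.9].53
"""

# Matches the "refused query on non-query socket" notice; other log lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: notice: refused query on non-query socket from "
    r"\[(?P<ip>[0-9.]+)\]\.(?P<port>\d+)\s*$"
)


def parse_line(line):
    """Return (timestamp, source_ip, source_port) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), int(m.group("port"))


def summarize(log_text, burst_window_s=5.0, burst_min=3):
    """Aggregate refusals per source, flag port-53 senders and detect bursts.

    burst_window_s and burst_min are assumed tuning values for this example.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    # How many refusals each (address, source port) pair produced.
    per_source = Counter((ip, port) for _, ip, port in events)

    # A source port of 53 suggests the sender is (or was) a name server.
    likely_servers = sorted({ip for _, ip, port in events if port == 53})

    # Sliding window per address: largest number of refusals inside one window.
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > burst_window_s:
                start += 1
            size = end - start + 1
            if size >= burst_min:
                bursts[ip] = max(bursts.get(ip, 0), size)

    return {
        "events": len(events),
        "per_source": dict(per_source),
        "likely_servers": likely_servers,
        "bursts": bursts,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("parsed events:", report["events"])
    for (ip, port), n in sorted(report["per_source"].items()):
        print(f"  {ip}:{port}  {n} refusal(s)")
    print("sources using port 53 (probably name servers):", report["likely_servers"])
    print("bursts (max refusals within window):", report["bursts"])
```

Feeding the real log through `summarize` gives the list of addresses worth contacting, as the reply recommends, and the port-53 flag separates probable misconfigured or decommissioned name servers from ordinary client resolvers. The per-source query names themselves still require query logging to be enabled on the server, as the reply says; this script only works from the security notices.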
