When this message happens name service times out.

Jim Reid jim at rfc1035.com
Tue May 9 18:29:38 UTC 2000


>>>>> "Barry" == Barry Margolin <barmar at genuity.net> writes:

    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.93.44].2072
    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.22.3].53
    >> 
    >> These messages should be self-explanatory. A query with source
    >> IP address 134.253.22.3 and port number 53 - presumably a name
    >> server? - was sent to a socket that your name server didn't
    >> expect to get queries on.

    Barry> Actually, they're not quite so "self-explanatory".

Well they're good enough. The name server is saying "I got an
unsolicited packet that I think might be a query on a socket that I
didn't expect to receive such things". The error message seems a
reasonable enough summary of that, at least to me.

    Barry> When this message is produced, named hasn't actually checked
    Barry> that the message is a real query.  What it really means is
    Barry> "A message that doesn't have the 'Query Reply' flag set was
    Barry> received on the random port that is used for replies to
    Barry> recursive queries."  The wording of the message is based on
    Barry> the assumption that a message to a DNS server is either a
    Barry> query or a reply, and if the QR flag isn't set it must be a
    Barry> query; but it could be total garbage (there's a 50% chance
    Barry> that a packet with random data will not have the QR flag
    Barry> set).

True but even if it's random data, that doesn't excuse those systems
from sending packets to a non-standard port that the name server is
trying to keep to itself. It's quite reasonable for the name server to
complain about getting such traffic. And it should be a valid
assumption that any messages sent to a DNS server are either queries
or replies: what other protocols and network services is a name server
expected to support? If something throws an NFS packet (say) at the
name server, it'll treat that packet as a query or reply depending on
the status of the QR bit. Even if those packets were not queries and
just happened to have the QR flag reset, it still doesn't detract from
the basic message. Those systems are sending stuff to a port on which the
name server doesn't expect to receive unsolicited packets. The big
question is why those hosts are doing that.

Oh, and I did suggest in my previous post that these errant packets
might be caused by a port scan and therefore by implication they might
not contain DNS data.
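As an added illustration (not from this thread and not BIND's own code) of the header check Barry describes: the first classifier below looks only at the QR bit, exactly as the log message's wording assumes, while a stricter hypothetical check shows how rarely random bytes would pass as a well-formed query. All packets are constructed sample data.

```python
import random
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def build_header(msg_id, qr, opcode=0, rd=1, rcode=0, qdcount=1, ancount=0):
    """Build a 12-byte DNS header from constructed sample values."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return HEADER.pack(msg_id, flags, qdcount, ancount, 0, 0)

def parse_header(data):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {"id": msg_id,
            "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
            "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1,
            "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_like_named(data):
    """The test Barry describes: on the reply socket, QR clear is logged as
    a refused query and QR set is taken as a reply. Nothing else is checked."""
    if parse_header(data)["qr"] == 0:
        return "refused query on non-query socket"
    return "reply"

def looks_like_dns_query(data):
    """Stricter, hypothetical check for a plausible query: one question,
    no answer/authority records, a defined opcode and a zero RCODE."""
    h = parse_header(data)
    return (h["qr"] == 0 and h["opcode"] <= 2 and h["rcode"] == 0
            and h["qdcount"] == 1 and h["ancount"] == 0
            and h["nscount"] == 0 and h["arcount"] <= 1)

def fraction_of_random_packets(n, seed=1):
    """Feed n random 12-byte datagrams (seeded, so reproducible) to both tests."""
    rng = random.Random(seed)
    qr_clear = passes = 0
    for _ in range(n):
        pkt = bytes(rng.getrandbits(8) for _ in range(HEADER.size))
        qr_clear += classify_like_named(pkt).startswith("refused")
        passes += looks_like_dns_query(pkt)
    return {"qr_clear": qr_clear / n, "passes_sanity": passes / n}

if __name__ == "__main__":
    print(classify_like_named(build_header(0x1234, qr=0)))
    print(classify_like_named(build_header(0x1234, qr=1, ancount=1)))
    print(fraction_of_random_packets(10000))   # qr_clear close to 0.5
```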
