Getting "query failed (REFUSED) for ./IN/ANY"

Alessandro Vesely vesely at tana.it
Wed Jan 13 09:21:19 UTC 2021


Hi,

I'm getting lots of log lines like the following:

Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144

Is that meant to be a DoS attack?

Yesterday I got 42639 of those, from 41 different IPs, the most frequent clients looking like so:
821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c |sort -rn |head
    4957 68.42.225.19
    2914 73.73.73.73
    2868 24.21.125.251
    2783 193.70.81.112
    2440 73.73.3.73
    2273 101.71.138.9
    2032 74.74.74.8
    1814 98.25.235.45
    1785 209.94.134.20
    1756 73.109.143.81

I looked up some of these on AbuseIPDB, and I see there are a few people reporting them for the same DDoS.

Are the queries refused because of the dot (.)?  In the query log, I also found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which probably got away with an NXDOMAIN.

This morning, queries for IN ANY make up 63% of total queries.  Named seems to be pretty quick at discarding them.  I'm wondering whether it takes more resources to track and firewall those IPs or to just ignore them.

I'd also be curious about what they are after.  Is there a protest against RFC 8482?  It looks pretty nonsensical.  Any insight?


Best
Ale
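As an added example (not part of Ale's post or of BIND itself), a small Python parser for the "query failed" lines quoted above. It does what the sed pipeline does (rank clients by REFUSED ANY count) and also computes the share of failed queries that are ANY, which the post works out by hand. The three 74.74.74.8 lines are the ones from the post; the 198.51.100.7 lines and the sshd line are constructed.

```python
import re
from collections import Counter

# Shape of the BIND "query failed" line quoted in the post: client address,
# the query name/class/type, the view and the RCODE named chose.
LINE_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): view (?P<view>[^:]+): query failed "
    r"\((?P<rcode>[A-Z]+)\) for (?P<name>\S+?)/(?P<qclass>[^/\s]+)/(?P<qtype>[^/\s]+) at "
)

# Constructed sample: the post's lines for 74.74.74.8, two made-up lines from a
# documentation-range address (one a REFUSED A query, so ANY is not 100%), and
# one unrelated sshd line that the parser must skip.
SAMPLE_LOG = """\
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:02 30 north named[22233]: client @0x7fe0fc2a0000 198.51.100.7#53211 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:05 30 north named[22233]: client @0x7fe0fc2a0000 198.51.100.7#53212 (example.invalid): view external: query failed (REFUSED) for example.invalid/IN/A at ../../../bin/named/query.c:7144
Jan 12 04:36:09 30 north sshd[1010]: Accepted publickey for ale from 192.0.2.5 port 40000
"""

def parse_line(line):
    """Fields of one 'query failed' line as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(text, rcode="REFUSED", qtype="ANY"):
    """Per-client count of <rcode> <qtype> failures and their share of all parsed failures."""
    per_client, failures, hits = Counter(), 0, 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not a named query-failed line
        failures += 1
        if rec["rcode"] == rcode and rec["qtype"] == qtype:
            hits += 1
            per_client[rec["ip"]] += 1
    return per_client, (hits / failures if failures else 0.0)

def top_clients(per_client, n=10):
    """Same ranking as the sed | sort | uniq -c | sort -rn | head pipeline in the post."""
    return per_client.most_common(n)

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    print(f"REFUSED ANY share of failed queries: {share:.0%}")
    for ip, n in top_clients(counts):
        print(f"{n:8d} {ip}")
```

Point it at `/var/log/daemon.log.0` by passing the file's contents to `summarize()`; a client whose count stays high across rotations is the one worth rate-limiting or firewalling.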