Getting "query failed (REFUSED) for ./IN/ANY"

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Jan 13 10:03:01 UTC 2021


On 13.01.21 10:21, Alessandro Vesely wrote:
>I'm getting lots of log lines like the following:
>
>Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
>Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
>Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
>
>Is that meant to be a DoS attack?

Most probably.

>Yesterday I got 42639 of those, from 41 different IPs, the most frequent clients looking like so:
>821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c |sort -rn |head
>   4957 68.42.225.19
>   2914 73.73.73.73
>   2868 24.21.125.251
>   2783 193.70.81.112
>   2440 73.73.3.73
>   2273 101.71.138.9
>   2032 74.74.74.8
>   1814 98.25.235.45
>   1785 209.94.134.20
>   1756 73.109.143.81
>
>I looked up some of these on AbuseIPDB, and I see there are a few people
> reporting them for the same DDoS.

Can be a DDoS attempt on those IPs.

>Are the queries refused because of the dot (.)?  In the query log, I also
> found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
> probably got away with a NXDOMAIN.

No. The dot is just the root domain.

>This morning, queries for IN ANY are filling up a 63% of total queries. 
> Named seems to be pretty quick at discarding them.  I'm wondering whether
> it takes more resources to track and firewall those IPs or just ignore
> them.

fail2ban should help you not to see those messages.

>I'd be also curious of what they are after.  Is there a protest against RFC
> 8482?  It looks pretty nonsensical.  Any insight?

Often, nameservers respond with a list of delegations for this query:

% dig +noall +stats -t any . @localhost
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 13 11:01:08 CET 2021
;; MSG SIZE  rcvd: 2272

This way, the server will respond with a >2 KB packet, which may flood the
destination IP.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
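An added example, not from the thread or from BIND: a small Python parser for the named REFUSED lines quoted above that counts refused ANY queries for the root per client and lists the ones over a threshold, the same grouping the sed | sort | uniq -c pipeline does. The sample log lines, addresses and threshold are constructed; since the source addresses of a reflection attempt may be spoofed victims, the resulting list is input for a rate limit or fail2ban-style jail rather than evidence about who is attacking.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (addresses made up).
SAMPLE_LOG = """\
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:01 30 north named[22233]: client @0x7fe0fc2953f0 198.51.100.7#40001 (example.net): view external: query failed (REFUSED) for example.net/IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:36:05 30 north named[22233]: client @0x7fe0fc2953f0 192.0.2.9#53000 (.): view external: query failed (REFUSED) for ./IN/A at ../../../bin/named/query.c:7144
"""

# One "query failed (REFUSED)" line as named logs it: client address#port,
# the name in parentheses, the view, then qname/class/type.
REFUSED_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): view (?P<view>[^:]+): query failed \(REFUSED\) "
    r"for (?P<name>[^/\s]+)/IN/(?P<qtype>[A-Z0-9]+) at "
)


def parse_refused(line):
    """Return the fields of a REFUSED log line, or None for any other line."""
    m = REFUSED_RE.search(line)
    return m.groupdict() if m else None


def refused_any_by_client(log_text, name="."):
    """Count refused ANY queries for `name` (default: the root) per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_refused(line)
        if rec and rec["qtype"] == "ANY" and rec["name"] == name:
            counts[rec["ip"]] += 1
    return counts


def candidates_for_blocking(counts, threshold):
    """Clients at or above the (constructed) threshold, as a sorted list."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = refused_any_by_client(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{n:>7} {ip}")
    print("over threshold:", candidates_for_blocking(hits, 2))
```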