Getting "query failed (REFUSED) for ./IN/ANY"

Alessandro Vesely vesely at tana.it
Wed Jan 13 10:56:52 UTC 2021


On Wed 13/Jan/2021 11:03:01 +0100 Matus UHLAR - fantomas wrote:
> On 13.01.21 10:21, Alessandro Vesely wrote:
>> Are the queries refused because of the dot (.)?  In the query log, I also
>> found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
>> probably got away with a NXDOMAIN.
> 
> no. the dot is just the root domain.


I see.


>> This morning, queries for IN ANY are filling up a 63% of total queries. Named 
>> seems to be pretty quick at discarding them.  I'm wondering whether
>> it takes more resources to track and firewall those IPs or just ignore
>> them.
> 
> fail2ban should help not to see those messages


Ditto for grep -v :-)

I use a sort of fail2ban-lite, but hadn't bothered to firewall UDP.  Indeed, if the intent is an amplification attack, the IPs I'd find are those of the victims, not the attackers.


>> I'd be also curious of what they are after.  Is there a protest against RFC
>> 8482?  It looks pretty nonsensical.  Any insight?
> 
> often, nameservers respond with list of delegations for this query:
> 
> % dig +noall +stats -t any . @localhost
> ;; Query time: 17 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jan 13 11:01:08 CET 2021
> ;; MSG SIZE  rcvd: 2272
> 
> this way, server will respond with >2KB packet which may flood the
> destination IP.


Aha, thanks for the tip!  That may make sense, except that the server won't amplify:

; <<>> DiG 9.16.1-Ubuntu <<>> @north.tana.it . any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ee8e36f499f24056c063244b5ffece98904d8e19b39c94a8 (good)
;; QUESTION SECTION:
;.				IN	ANY

;; Query time: 287 msec
;; SERVER: 62.94.243.227#53(62.94.243.227)
;; WHEN: mer gen 13 11:42:32 CET 2021
;; MSG SIZE  rcvd: 56


Best
Ale
-- 
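A worked example added here (not code from the thread or from BIND) that turns the two points made above into something runnable: counting how much of the query-errors log is ". IN ANY" traffic per source address, and estimating the amplification factor from the 2272-byte full answer versus the 56-byte REFUSED reply. The log lines are constructed in the shape of BIND's query-errors category with documentation-range addresses; the field layout, the threshold and the helper names are assumptions of this example. Addresses that show up repeatedly are reported as probable spoofed victims rather than as sources to block, since with a reflection attack the sender address belongs to the target.

```python
import re
from collections import Counter

# Constructed sample lines shaped like BIND's "query failed (REFUSED)" log
# entries; the client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
13-Jan-2021 10:21:05.101 client @0x7f1c2c0a0f10 198.51.100.7#1234 (.): query failed (REFUSED) for ./IN/ANY at query.c:7231
13-Jan-2021 10:21:05.102 client @0x7f1c2c0a0f10 198.51.100.7#1234 (.): query failed (REFUSED) for ./IN/ANY at query.c:7231
13-Jan-2021 10:21:05.110 client @0x7f1c2c0a0f10 203.0.113.9#53 (.): query failed (REFUSED) for ./IN/ANY at query.c:7231
13-Jan-2021 10:21:06.200 client @0x7f1c2c0a0f10 192.0.2.44#40001 (xxx.at.fragolina.it): query failed (REFUSED) for xxx.at.fragolina.it/IN/ANY at query.c:7231
13-Jan-2021 10:21:07.300 client @0x7f1c2c0a0f10 192.0.2.44#40002 (www.example.org): query failed (REFUSED) for www.example.org/IN/A at query.c:7231
"""

# Assumed field layout: "client [@ptr] IP#PORT (qname): query failed (RCODE) for NAME/CLASS/TYPE ..."
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query failed \((?P<rcode>\w+)\) "
    r"for (?P<name>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+)"
)


def parse_line(line):
    """Return the parsed fields of one query-errors line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text, root_any_threshold=2):
    """Count refused queries, the share that are ANY, and ". IN ANY" hits per source IP.

    Sources at or above root_any_threshold are listed as probable spoofed
    victims: in a reflection attempt the packet's source is the target, so the
    list is for rate-limiting or ignoring, not for blocking as an attacker.
    """
    total = 0
    any_total = 0
    root_any_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["qtype"] == "ANY":
            any_total += 1
            if rec["name"] == ".":
                root_any_by_ip[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in root_any_by_ip.items() if n >= root_any_threshold)
    return {
        "total": total,
        "any_total": any_total,
        "any_share": any_total / total if total else 0.0,
        "root_any_by_ip": dict(root_any_by_ip),
        "probable_spoofed_victims": suspects,
    }


def amplification_factor(response_bytes, query_bytes):
    """Bytes sent back per byte received; > 1 means the server amplifies."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"refused queries: {report['total']}, ANY share: {report['any_share']:.0%}")
    print("'. IN ANY' by source:", report["root_any_by_ip"])
    print("probable spoofed victims:", report["probable_spoofed_victims"])
    # Sizes taken from the thread: a 2272-byte full answer versus the 56-byte
    # REFUSED reply, which is about the size of the query itself.
    print(f"amplification if answered in full: {amplification_factor(2272, 56):.1f}x")
    print(f"amplification when refused: {amplification_factor(56, 56):.1f}x")
```

Run against a real query-errors log, the per-source counts show whether the traffic is a handful of spoofed targets being hit through the server or ordinary clients. The REFUSED reply keeps the factor at roughly 1x, which is why refusing is the cheap option; on a server that must answer ANY, BIND's `minimal-any yes;` (the RFC 8482 behaviour) and `rate-limit { responses-per-second N; };` limit what a spoofed source can be made to receive.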
More information about the bind-users mailing list