Netgate Discussion Forum

    Unbound Queries to NAUGHTY! Servers

      NOYB

      Why is resolver (unbound) making DNS request to these non root servers?  Furthermore they are in the Spamhaus DROP list.  Glad I have outbound rules that block this nonsense.  But I'd still like to know why it happens.  Happened last night too, about 21 hours prior to this current episode.

      185.75.56.93
      185.75.56.94

      Resolver config:
      Network Interfaces: LAN and Localhost
      Outgoing Network Interfaces: WAN
      DNSSEC enabled (box checked)
      DNS Query Forwarding disabled (box unchecked)
      Advanced:
      local-zone: "home" static
      log-queries: yes

      Resolver Log:

      
      Feb 13 20:41:03 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
      Feb 13 20:41:04 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
      Feb 13 20:41:09 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN 
      Feb 13 20:41:10 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN 
      
      

      Firewall Log:

      
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,25248,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,17979,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,54643,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,25987,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,20621,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,46573,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,23770,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,11176,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,25372,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,24210,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,62086,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,16654,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,4144,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,59873,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,6451,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,5702,53,62
      Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,2443,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,43123,53,62
      
        johnpoz LAYER 8 Global Moderator

        "Why is resolver (unbound) making DNS request to these non root servers?"

        Because they are the authoritative name servers for some domain something asked for…  You do understand unbound just uses roots to find the authoritative servers for the domain you're looking for, right - and then goes and asks them directly..

        ;; ANSWER SECTION:
        93.56.75.185.in-addr.arpa. 86400 IN    PTR    ns1.maxtv-ks.net

        So clearly those are the name servers for maxtv-ks.net

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;maxtv-ks.net.                  IN      SOA

        ;; ANSWER SECTION:
        maxtv-ks.net.          86400  IN      SOA    maxtv-ks.net. root.maxtv-ks.net. 100 3600 60 604800 86400

        ;; AUTHORITY SECTION:
        maxtv-ks.net.          86400  IN      NS      ns1.maxtv-ks.net.
        maxtv-ks.net.          86400  IN      NS      NS2.maxtv-ks.net.

        ;; ADDITIONAL SECTION:
        ns1.maxtv-ks.net.      86400  IN      A      185.75.56.93
        NS2.maxtv-ks.net.      86400  IN      A      185.75.56.94

        ;; Query time: 156 msec
        ;; SERVER: 185.75.56.93#53(185.75.56.93)
        ;; WHEN: Sun Feb 14 04:47:23 Central Standard Time 2016
        ;; MSG SIZE  rcvd: 150

        They may be name servers for lots and lots of other domains as well...  If you don't want unbound doing queries for them, then I would find out what is asking for stuff they are authoritative for..

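    Finding "what is asking", as the reply above suggests, comes down to lining up the resolver's query log with the blocked outbound port 53 packets. The following is an added example, not code from either poster or from pfSense: it assumes the IPv4/UDP field order of the raw filterlog lines shown in the thread, uses constructed sample lines with 198.51.100.7 as a placeholder for the redacted WAN address, and all function names are hypothetical.

```python
import csv, re
from datetime import datetime

# Constructed sample lines modelled on the logs in the thread.
UNBOUND_LOG = """\
Feb 13 20:41:03 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN
Feb 13 20:41:09 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN
Feb 13 20:41:09 unbound  [96826:0] info: 192.168.1.20 www.example.com. A IN
"""
FILTER_LOG = """\
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,198.51.100.7,185.75.56.94,25248,53,62
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,198.51.100.7,185.75.56.93,24210,53,62
"""
QUERY_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) unbound\s+\[\d+:\d+\] info: (\S+) (\S+) (\S+) IN")

def ts(text):
    # Syslog stamps carry no year; a fixed (leap) year is enough to compare intervals.
    return datetime.strptime("2016 " + text.strip(), "%Y %b %d %H:%M:%S")

def ptr_to_ip(name):
    """Return the IPv4 address an in-addr.arpa name refers to, else None."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:4]))
    return None

def parse_queries(text):
    matches = (QUERY_RE.match(line) for line in text.splitlines())
    return [{"time": ts(m[1]), "client": m[2], "name": m[3], "type": m[4]} for m in matches if m]

def blocked_dns(text):
    out = []
    for line in text.splitlines():
        stamp, _, raw = line.partition(" filterlog: ")
        f = next(csv.reader([raw]))
        # Field positions: 6=action 7=direction 8=ipver 16=proto 19=dst 21=dstport
        if len(f) > 21 and f[6:9] == ["block", "out", "4"] and f[16] == "udp" and f[21] == "53":
            out.append({"time": ts(stamp), "dst": f[19]})
    return out

def correlate(queries, blocks, window=10):
    """Map each blocked upstream server to the client queries seen just before it."""
    result = {}
    for b in blocks:
        hits = result.setdefault(b["dst"], set())
        for q in queries:
            if 0 <= (b["time"] - q["time"]).total_seconds() <= window:
                # Last element: the query is a reverse lookup of the blocked address itself.
                hits.add((q["client"], q["name"], q["type"], ptr_to_ip(q["name"]) == b["dst"]))
    return result
```

    Entries whose last element is True are the ones where the client asked for the PTR record of the very address the firewall then blocked, which is the pattern in the logs posted above; the others are only candidates that fall inside the time window.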
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.