<![CDATA[Unbound Querys to NAUGHTY! Servers]]>Why is resolver (unbound) making DNS request to these non root servers?  Furthermore they are in the Spamhaus DROP list.  Glad I have outbound rules that block this nonsense.  But I'd still like to know why it happens.  Happened last night too, about 21 hours prior to this current episode.

185.75.56.93
185.75.56.94

Resolver config:
Network Interfaces: LAN and Localhost
Outgoing Network Interfaces: WAN
DNSSEC enabled (box checked)
DNS Query Forwarding disabled (box unchecked)
Advanced:
local-zone: "home" static
log-queries: yes

Resolver Log:


Feb 13 20:41:03 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
Feb 13 20:41:04 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
Feb 13 20:41:09 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN 
Feb 13 20:41:10 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN

Firewall Log:


Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.94,25248,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,17979,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.94,54643,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,25987,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.94,20621,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,46573,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.94,23770,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,11176,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.94,25372,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.93,24210,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,62086,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.93,16654,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,4144,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.93,59873,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,6451,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.93,5702,53,62 
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,2443,0,none,17,udp,82,<pfsense wan="" if="">,185.75.56.93,43123,53,62</pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense>
]]>https://forum.netgate.com/topic/95493/unbound-querys-to-naughty-serversRSS for NodeFri, 10 Apr 2026 08:29:39 GMTSun, 14 Feb 2016 05:47:16 GMT60<![CDATA[Reply to Unbound Querys to NAUGHTY! Servers on Sun, 14 Feb 2016 10:47:28 GMT]]>"Why is resolver (unbound) making DNS request to these non root servers?"

Because they are the authoritative name servers for some domain something asked for…  You do understand unbound just uses roots to find the authoritative servers for the domain your looking for right - and then goes and asks them directly..

;; ANSWER SECTION:
93.56.75.185.in-addr.arpa. 86400 IN    PTR    ns1.maxtv-ks.net

So clearly those are the name servers for maxtv-ks.net

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;maxtv-ks.net.                  IN      SOA

;; ANSWER SECTION:
maxtv-ks.net.          86400  IN      SOA    maxtv-ks.net. root.maxtv-ks.net. 100 3600 60 604800 86400

;; AUTHORITY SECTION:
maxtv-ks.net.          86400  IN      NS      ns1.maxtv-ks.net.
maxtv-ks.net.          86400  IN      NS      NS2.maxtv-ks.net.

;; ADDITIONAL SECTION:
ns1.maxtv-ks.net.      86400  IN      A      185.75.56.93
NS2.maxtv-ks.net.      86400  IN      A      185.75.56.94

;; Query time: 156 msec
;; SERVER: 185.75.56.93#53(185.75.56.93)
;; WHEN: Sun Feb 14 04:47:23 Central Standard Time 2016
;; MSG SIZE  rcvd: 150

They may be name servers for lots and lots of other domains as well...  If you don't want unbound doing queries for them, then I would find out what is asking for stuff they are authoritative for..

]]>https://forum.netgate.com/post/602675https://forum.netgate.com/post/602675Sun, 14 Feb 2016 10:47:28 GMT