Unbound Querys to NAUGHTY! Servers

  • Why is resolver (unbound) making DNS request to these non root servers?  Furthermore they are in the Spamhaus DROP list.  Glad I have outbound rules that block this nonsense.  But I'd still like to know why it happens.  Happened last night too, about 21 hours prior to this current episode.

    Resolver config:
    Network Interfaces: LAN and Localhost
    Outgoing Network Interfaces: WAN
    DNSSEC enabled (box checked)
    DNS Query Forwarding disabled (box unchecked)
    local-zone: "home" static
    log-queries: yes

    Resolver Log:

    Feb 13 20:41:03 unbound  [96826:0] info: PTR IN 
    Feb 13 20:41:04 unbound  [96826:0] info: PTR IN 
    Feb 13 20:41:09 unbound  [96826:0] info: PTR IN 
    Feb 13 20:41:10 unbound  [96826:0] info: PTR IN 

    Firewall Log:

    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,<pfsense wan="" if="">,,25248,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,17979,0,none,17,udp,82,<pfsense wan="" if="">,,54643,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,25987,0,none,17,udp,82,<pfsense wan="" if="">,,20621,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,46573,0,none,17,udp,82,<pfsense wan="" if="">,,23770,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,11176,0,none,17,udp,82,<pfsense wan="" if="">,,25372,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,<pfsense wan="" if="">,,24210,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,62086,0,none,17,udp,82,<pfsense wan="" if="">,,16654,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,4144,0,none,17,udp,82,<pfsense wan="" if="">,,59873,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,6451,0,none,17,udp,82,<pfsense wan="" if="">,,5702,53,62 
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,2443,0,none,17,udp,82,<pfsense wan="" if="">,,43123,53,62</pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense></pfsense> 

  • LAYER 8 Global Moderator

    "Why is resolver (unbound) making DNS request to these non root servers?"

    Because they are the authoritative name servers for some domain something asked for…  You do understand unbound just uses roots to find the authoritative servers for the domain your looking for right - and then goes and asks them directly..

    ;; ANSWER SECTION: 86400 IN    PTR    ns1.maxtv-ks.net

    So clearly those are the name servers for maxtv-ks.net

    ; EDNS: version: 0, flags:; udp: 4096
    ;maxtv-ks.net.                  IN      SOA

    maxtv-ks.net.          86400  IN      SOA    maxtv-ks.net. root.maxtv-ks.net. 100 3600 60 604800 86400

    maxtv-ks.net.          86400  IN      NS      ns1.maxtv-ks.net.
    maxtv-ks.net.          86400  IN      NS      NS2.maxtv-ks.net.

    ns1.maxtv-ks.net.      86400  IN      A
    NS2.maxtv-ks.net.      86400  IN      A

    ;; Query time: 156 msec
    ;; SERVER:
    ;; WHEN: Sun Feb 14 04:47:23 Central Standard Time 2016
    ;; MSG SIZE  rcvd: 150

    They may be name servers for lots and lots of other domains as well...  If you don't want unbound doing queries for them, then I would find out what is asking for stuff they are authoritative for..

Log in to reply