Unbound Queries to NAUGHTY! Servers



  • Why is the resolver (unbound) making DNS requests to these non-root servers?  Furthermore, they are in the Spamhaus DROP list.  Glad I have outbound rules that block this nonsense.  But I'd still like to know why it happens.  It happened last night too, about 21 hours prior to this current episode.

    185.75.56.93
    185.75.56.94

    Resolver config:
    Network Interfaces: LAN and Localhost
    Outgoing Network Interfaces: WAN
    DNSSEC enabled (box checked)
    DNS Query Forwarding disabled (box unchecked)
    Advanced:
    local-zone: "home" static
    log-queries: yes

    Resolver Log:

    
    Feb 13 20:41:03 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
    Feb 13 20:41:04 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN 
    Feb 13 20:41:09 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN 
    Feb 13 20:41:10 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN 
    
    

    Firewall Log:

    
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,25248,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,17979,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,54643,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,25987,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,20621,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,46573,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,23770,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,11176,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,25372,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,24210,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,62086,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,16654,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,4144,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,59873,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,6451,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,5702,53,62
    Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,2443,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,43123,53,62
    

  • LAYER 8 Global Moderator

    "Why is resolver (unbound) making DNS request to these non root servers?"

    Because they are the authoritative name servers for some domain something asked for…  You do understand unbound just uses the roots to find the authoritative servers for the domain you're looking for, right - and then goes and asks them directly..

    ;; ANSWER SECTION:
    93.56.75.185.in-addr.arpa. 86400 IN    PTR    ns1.maxtv-ks.net

    So clearly those are the name servers for maxtv-ks.net

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;maxtv-ks.net.                  IN      SOA

    ;; ANSWER SECTION:
    maxtv-ks.net.          86400  IN      SOA    maxtv-ks.net. root.maxtv-ks.net. 100 3600 60 604800 86400

    ;; AUTHORITY SECTION:
    maxtv-ks.net.          86400  IN      NS      ns1.maxtv-ks.net.
    maxtv-ks.net.          86400  IN      NS      NS2.maxtv-ks.net.

    ;; ADDITIONAL SECTION:
    ns1.maxtv-ks.net.      86400  IN      A      185.75.56.93
    NS2.maxtv-ks.net.      86400  IN      A      185.75.56.94

    ;; Query time: 156 msec
    ;; SERVER: 185.75.56.93#53(185.75.56.93)
    ;; WHEN: Sun Feb 14 04:47:23 Central Standard Time 2016
    ;; MSG SIZE  rcvd: 150

    They may be name servers for lots and lots of other domains as well...  If you don't want unbound doing queries for them, then I would find out what is asking for stuff they are authoritative for..
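The moderator's advice is to find out what is asking for names those servers are authoritative for. With `log-queries: yes` already on, that is a log-correlation job: line up the resolver's query log with the firewall's blocked outbound port-53 packets and see which client asked for what just before each block. The script below is an added example, not code from the thread or from pfSense/unbound. It assumes the syslog year is 2016 (the lines carry no year; the date is taken from the dig output above), keeps the poster's `<pfsense wan if>` placeholder as the source field, handles only the IPv4 filterlog layout, and reads the field order from pfSense's documented filterlog format. The sample log lines are the ones posted in the thread (a subset of the firewall lines), embedded here as constructed input so the script runs offline.

```python
"""Correlate unbound query logs with pfSense filterlog entries.

Added example for this thread, not the original poster's or pfSense's code.
Answers "what asked for the names these servers serve?" by pairing each
blocked outbound UDP/53 packet with the resolver queries logged shortly
before it, and flagging queries that are the PTR name of the blocked
destination itself.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: syslog lines carry no year; 2016 is taken from the dig output in the thread.
YEAR = 2016

# Constructed sample input: the resolver log lines posted in the thread.
UNBOUND_LOG = """\
Feb 13 20:41:03 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN
Feb 13 20:41:04 unbound  [96826:0] info: 127.0.0.1 93.56.75.185.in-addr.arpa. PTR IN
Feb 13 20:41:09 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN
Feb 13 20:41:10 unbound  [96826:0] info: 127.0.0.1 94.56.75.185.in-addr.arpa. PTR IN
"""

# Constructed sample input: two of the filterlog lines posted in the thread
# (the poster's "<pfsense wan if>" placeholder stands in for the WAN address).
FILTER_LOG = """\
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,31950,0,none,17,udp,82,<pfsense wan if>,185.75.56.94,25248,53,62
Feb 13 20:41:10 filterlog: 86,16777216,,1435562678,bfe0_vlan99,match,block,out,4,0x0,,64,9540,0,none,17,udp,82,<pfsense wan if>,185.75.56.93,24210,53,62
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
UNBOUND_RE = re.compile(
    SYSLOG_TS + r" unbound\s+\[[\d:]+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
)
FILTERLOG_RE = re.compile(SYSLOG_TS + r" filterlog: (?P<csv>.*)$")


def parse_ts(ts: str) -> datetime:
    """Turn a year-less syslog timestamp into a datetime (year assumed above)."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 185.75.56.93 -> 93.56.75.185.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_unbound(line: str):
    """Parse one 'log-queries: yes' line: client, qname, qtype, qclass."""
    m = UNBOUND_RE.match(line.strip())
    if not m:
        return None
    return {"ts": parse_ts(m.group("ts")), "client": m.group("client"),
            "qname": m.group("qname"), "qtype": m.group("qtype")}


def parse_filterlog(line: str):
    """Parse one pfSense filterlog line (IPv4 only; the IPv6 field layout differs).

    CSV field order: rule, sub-rule, anchor, tracker, interface, reason, action,
    direction, ip-version, then for IPv4: tos, ecn, ttl, id, offset, flags,
    proto-id, proto-name, length, src, dst, then for tcp/udp: sport, dport, ...
    """
    m = FILTERLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"ts": parse_ts(m.group("ts")), "iface": f[4], "action": f[6],
           "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("udp", "tcp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def correlate(unbound_text: str, filter_text: str, window=timedelta(seconds=10)):
    """For each blocked outbound DNS packet, list the resolver queries logged in
    the preceding window, which clients issued them, and which of them are the
    PTR name of the blocked destination itself."""
    queries = [q for q in map(parse_unbound, unbound_text.splitlines()) if q]
    blocked = [p for p in map(parse_filterlog, filter_text.splitlines())
               if p and p["action"] == "block" and p["direction"] == "out"
               and p["proto"] == "udp" and p.get("dport") == 53]
    report = []
    for pkt in blocked:
        recent = [q for q in queries if pkt["ts"] - window <= q["ts"] <= pkt["ts"]]
        rev = reverse_name(pkt["dst"])
        report.append({
            "ts": pkt["ts"], "dst": pkt["dst"],
            "clients": sorted({q["client"] for q in recent}),
            "qnames": sorted({q["qname"] for q in recent}),
            "ptr_for_dst": [q for q in recent if q["qname"].rstrip(".") == rev],
        })
    return report


if __name__ == "__main__":
    for r in correlate(UNBOUND_LOG, FILTER_LOG):
        print(f"{r['ts']} blocked DNS to {r['dst']}: clients={r['clients']} "
              f"qnames={r['qnames']} ptr-lookups-of-dst={len(r['ptr_for_dst'])}")
```

On the thread's own lines the output shows every query coming from client 127.0.0.1, i.e. from the firewall itself rather than a LAN host, and that the names being asked for are the PTR names of the very addresses being blocked. That narrows "what is asking" to whatever on the pfSense box does reverse lookups of logged addresses. If the aim is to stop unbound contacting particular servers at the resolver instead of at the firewall, unbound's `do-not-query-address:` option does that; queries that can only be answered by those servers then fail with SERVFAIL instead of producing blocked packets on the WAN.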

