Multiple SERVFAIL/REFUSED unexpected RCODE

Barry Margolin barmar at
Tue May 3 14:08:44 UTC 2016

In article <mailman.701.1462281968.73610.bind-users at>,
 Mik J <mikydevel at> wrote:

> Hello Mark,
> Thank you for your answer. I'm not sure I've understood everything but I'll 
> read it numerous times if necessary.I have ACLs so I'm not surprised to see 
> these REFUSED, I also understand the SERVFAIL meaning.

Your ACL is not relevant. The REFUSED response is coming from the server 
the reverse zone is delegated to.

> I'm just trying to figure out where the problem comes from.You seem to point 
> out a device which should be on my network and who queries a PTR (something 
> like a mail server which want to check the domain of the user who sent the 
> email)

The problem comes from bad reverse DNS delegations of remote addresses. 
Unfortunately, this has always been very common.

> What I didn't understand is"You could use whois to try to contact the 
> administrators of these zones to correct the servers or remove the 
> delegations."You mean this one "" which appeared in 
> my logs ?
> Regards 

whois -h

role:           VIETEL IPADMIN GROUP
address:        1 Tran Huu Duc, My Dinh, Tu Liem, Hanoi
country:        VN
phone:          +84-9-83000456
fax-no:         +84-4-38460486
e-mail:         tiennd at
remarks:        send spam and abuse report to tiennd at


role:           Administrative Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble:      Information:
remarks:        trouble:      Spam/Abuse requests: 
mailto:abuse at
admin-c:        APfP1-RIPE
tech-c:         TPfP1-RIPE
nic-hdl:        ACP23-RIPE
mnt-by:         PROXAD-MNT
abuse-mailbox:  abuse at
created:        2002-06-26T12:46:56Z
last-modified:  2013-08-01T12:16:00Z
source:         RIPE # Filtered

>     Le Mardi 3 mai 2016 13h30, Mark Andrews <marka at> a écrit :
> In message < at>, 
> Mi
> k J writes:
> >
> > Hello,
> > In my named.log I can see a lot of SERVFAIL/REFUSED unexpected RCODE
> > messages. Most of the time someone tries to resolve a PTR
> > I can see an average of 10 messages per second like these
> > May  3 10:46:26 dns named[7228]: REFUSED unexpected RCODE resolving
> > '': 203.113.131.x#53
> > May  3 10:46:26 dns named[7228]: SERVFAIL unexpected RCODE resolving
> > '': 193.0.9.x#53
> >
> > The PTR records don't belong to me and the remote DNS servers are located
> > around the world.
> > Does anyone has an understanding of why I receive these type of requests
> > ? Why do they query my DNS servers ?
> > Thank you
> Something on your network is trying to convert 116.00.204.x and
> 88.165.16.x addresses to names, presumably because they are seeing
> traffic from those addresses.  In both cases there appears to be
> broken delegations involved.
> REFUSED usually means that the server is not configured for the
> zone.
> SERVFAIL usually means that the server is configured for the zone
> but doesn't have a current copy.
> You could use whois to try to contact the administrators of these
> zones to correct the servers or remove the delegations.
> Mark

Barry Margolin
Arlington, MA

More information about the bind-users mailing list