Multiple SERVFAIL/REFUSED unexpected RCODE
barmar at alum.mit.edu
Tue May 3 14:08:44 UTC 2016
In article <mailman.701.1462281968.73610.bind-users at lists.isc.org>,
Mik J <mikydevel at yahoo.fr> wrote:
> Hello Mark,
> Thank you for your answer. I'm not sure I've understood everything but I'll
> read it numerous times if necessary. I have ACLs so I'm not surprised to see
> these REFUSED, I also understand the SERVFAIL meaning.
Your ACL is not relevant. The REFUSED response is coming from the server
the reverse zone is delegated to.
> I'm just trying to figure out where the problem comes from. You seem to point
> out a device which should be on my network and who queries a PTR (something
> like a mail server which want to check the domain of the user who sent the
The problem comes from bad reverse DNS delegations of remote addresses.
Unfortunately, this has always been very common.
> What I didn't understand is "You could use whois to try to contact the
> administrators of these zones to correct the servers or remove the
> delegations." You mean this one "x.204.99.116.in-addr.arpa" which appeared in
> my logs?
whois -h whois.apnic.net 188.8.131.52
role: VIETEL IPADMIN GROUP
address: 1 Tran Huu Duc, My Dinh, Tu Liem, Hanoi
e-mail: tiennd at viettel.com.vn
remarks: send spam and abuse report to tiennd at viettel.com.vn
role: Administrative Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests:
mailto:abuse at proxad.net
abuse-mailbox: abuse at proxad.net
source: RIPE # Filtered
> On Tuesday 3 May 2016 at 13:30, Mark Andrews <marka at isc.org> wrote:
> In message <353379836.10168122.1462272936427.JavaMail.yahoo at mail.yahoo.com>,
> Mik J writes:
> > Hello,
> > In my named.log I can see a lot of SERVFAIL/REFUSED unexpected RCODE
> > messages. Most of the time someone tries to resolve a PTR
> > I can see an average of 10 messages per second like these
> > May 3 10:46:26 dns named: REFUSED unexpected RCODE resolving
> > 'x.204.99.116.in-addr.arpa/PTR/IN': 203.113.131.x#53
> > May 3 10:46:26 dns named: SERVFAIL unexpected RCODE resolving
> > 'x.16.165.88.in-addr.arpa/PTR/IN': 193.0.9.x#53
> > The PTR records don't belong to me and the remote DNS servers are located
> > around the world.
> > Does anyone have an understanding of why I receive these types of requests?
> > Why do they query my DNS servers?
> > Thank you
> Something on your network is trying to convert 116.00.204.x and
> 88.165.16.x addresses to names, presumably because they are seeing
> traffic from those addresses. In both cases there appears to be
> broken delegations involved.
> REFUSED usually means that the server is not configured for the
> SERVFAIL usually means that the server is configured for the zone
> but doesn't have a current copy.
> You could use whois to try to contact the administrators of these
> zones to correct the servers or remove the delegations.
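
An added example, not part of the original posts: a small Python script that groups the "unexpected RCODE" lines discussed in this thread by RCODE, the /24 being reverse-resolved, and the remote server that answered, so it is clear which address blocks to look up in whois. It assumes the log format quoted above with each message on one line and full four-octet PTR names; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the named message format quoted in this thread.
LINE_RE = re.compile(
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[^#\s]+)#\d+"
)

def reverse_to_ip(qname):
    """Turn d.c.b.a.in-addr.arpa into a.b.c.d, or None if it is not such a name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        return None
    return ".".join(reversed(labels))

def summarize(lines):
    """Count failures per (RCODE, first three octets looked up, remote server)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["qtype"] != "PTR":
            continue  # not one of the messages we are interested in
        ip = reverse_to_ip(m["qname"])
        if ip is None:
            continue
        net24 = ip.rsplit(".", 1)[0]
        counts[(m["rcode"], net24, m["server"])] += 1
    return counts

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "May  3 10:46:26 dns named: REFUSED unexpected RCODE resolving '7.2.0.192.in-addr.arpa/PTR/IN': 203.0.113.5#53",
    "May  3 10:46:26 dns named: REFUSED unexpected RCODE resolving '9.2.0.192.in-addr.arpa/PTR/IN': 203.0.113.5#53",
    "May  3 10:46:27 dns named: SERVFAIL unexpected RCODE resolving '16.100.51.198.in-addr.arpa/PTR/IN': 203.0.113.9#53",
    "May  3 10:46:27 dns named: client 192.0.2.50#4711: query: example.com IN A",
]

if __name__ == "__main__":
    for (rcode, net, server), n in summarize(SAMPLE).most_common():
        print(f"{n:5d}  {rcode:8s}  {net}.0/24  answered by {server}")
```

The top entries show which reverse zones have broken delegations and which address blocks to pass to whois.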