Getting "query failed (REFUSED) for ./IN/ANY"

John Kristoff jtk at
Wed Jan 13 13:31:58 UTC 2021

On Wed, 13 Jan 2021 10:21:19 +0100
Alessandro Vesely <vesely at> wrote:

> Yesterday I got 42639 of those, from 41 different IPs, the most frequent clients looking like so:
> 821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-91-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c |sort -rn |head
>     4957
>     2914
>     2868
>     2783
>     2440
>     2273
>     2032
>     1814
>     1785
>     1756

Through a side project I report on IN ANY queries and have seen all of
those addresses and more as you can examine here:


Some may be sourced from a security/research survey project, but some
sources performing this may be for more nefarious purposes - building a
list of open resolvers that will answer for the purposes of maintaining
an amplication/reflection hit list.

Unfortunately there are many open resolvers that answer, but perhaps
except for a name you are authoritative for, responding with a REFUSED
response is generally considered reasonable and appropriate.


More information about the bind-users mailing list