Determining case of REFUSED queries

Lyle Giese lyle at lcrcomputer.net
Thu Oct 3 22:22:56 UTC 2024


173.245.59.231 is a Cloudflare name server.

I get this:

dig ns socialinnovation.ca

; <<>> DiG 9.16.50-Debian <<>> ns socialinnovation.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29081
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bc6332beb03bea8e0100000066ff17e01aa70cbb6939d99f (good)
;; QUESTION SECTION:
;socialinnovation.ca.           IN      NS

;; ANSWER SECTION:
socialinnovation.ca.    3600    IN      NS      dns.rebel.ca.
socialinnovation.ca.    3600    IN      NS      sean.ns.cloudflare.com.
socialinnovation.ca.    3600    IN      NS      kami.ns.cloudflare.com.
socialinnovation.ca.    3600    IN      NS      dns2.rebel.ca.

;; ADDITIONAL SECTION:
dns.rebel.ca.           86400   IN      A       52.3.166.104
dns2.rebel.ca.          86400   IN      A       52.10.144.165
sean.ns.cloudflare.com. 54981   IN      A       108.162.193.231
sean.ns.cloudflare.com. 54981   IN      A       172.64.33.231
sean.ns.cloudflare.com. 54981   IN      A       173.245.59.231
sean.ns.cloudflare.com. 54981   IN      AAAA    2606:4700:58::adf5:3be7
sean.ns.cloudflare.com. 54981   IN      AAAA    2803:f800:50::6ca2:c1e7
sean.ns.cloudflare.com. 54981   IN      AAAA    2a06:98c1:50::ac40:21e7

;; Query time: 156 msec
;; SERVER: 192.168.250.1#53(192.168.250.1)
;; WHEN: Thu Oct 03 17:17:04 CDT 2024
;; MSG SIZE  rcvd: 340

But a whois query for this domain only lists dns.rebel.ca and 
dns2.rebel.ca for name servers.

Wonder if the Cloudflare servers are not getting a good AXFR from the 
rebel.ca servers or something else is wrong.

Lyle Giese


On 10/3/24 16:31, J Doe wrote:
> On 2024-09-19 19:17, Mark Andrews wrote:
>> I think the reason for the REFUSED is pretty obvious
>>
>> % dig +norec google._domainkey.socialinnovation.ca @173.245.59.231 txt
>>
>> ; <<>> DiG 9.21.0-dev <<>> +norec 
>> google._domainkey.socialinnovation.ca @173.245.59.231 txt
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815
>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ; EDE: 20 (Not Authoritative)
>> ;; QUESTION SECTION:
>> ;google._domainkey.socialinnovation.ca. IN TXT
>>
>> ;; Query time: 14 msec
>> ;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP)
>> ;; WHEN: Fri Sep 20 09:03:48 AEST 2024
>> ;; MSG SIZE  rcvd: 72
>>
>> %
>>
>> Now you just need to work out why you were asking 173.245.59.231
>> rather than the actual nameservers for socialinnovation.ca.
>>
>> socialinnovation.ca. 86400 IN NS dns.rebel.ca.
>> socialinnovation.ca. 86400 IN NS dns2.rebel.ca.
>> dns2.rebel.ca. 86400 IN A 52.10.144.165
>> dns.rebel.ca. 86400 IN A 52.3.166.104
>
>
> Hi Mark,
>
> Interesting!
>
> The only thing I can think of that may be causing this issue is that
> this e-mail server makes use of SpamAssassin 4.0.0, which would be doing
> lookups for DKIM, DMARC.
>
> Has anyone noticed anything similar?  It only seems to happen with the
> socialinnovation.ca domain.
>
> Thanks,
>
> - J
>
>
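
The following added example (not written by the thread's authors and not part of BIND) compares the name servers Mark Andrews lists with the NS set in the dig answer above, and pulls the status, aa flag and EDE out of the quoted REFUSED reply. The function names are hypothetical, and treating Mark's list as the registered delegation is an assumption.

```python
import re

# Records and reply lines copied from the dig output quoted in this thread.
REGISTERED = """\
socialinnovation.ca. 86400 IN NS dns.rebel.ca.
socialinnovation.ca. 86400 IN NS dns2.rebel.ca.
"""
ZONE_APEX = """\
socialinnovation.ca.    3600    IN      NS      dns.rebel.ca.
socialinnovation.ca.    3600    IN      NS      sean.ns.cloudflare.com.
socialinnovation.ca.    3600    IN      NS      kami.ns.cloudflare.com.
socialinnovation.ca.    3600    IN      NS      dns2.rebel.ca.
"""
REFUSED_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10815
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 20 (Not Authoritative)
;; SERVER: 173.245.59.231#53(173.245.59.231) (UDP)
"""

NS_RE = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+NS[ \t]+(\S+)[ \t]*$", re.I | re.M)

def ns_set(records, zone):
    """Lower-cased NS targets owned by `zone` in dig-style record text."""
    zone = zone.lower().rstrip(".") + "."
    return {t.lower() for owner, t in NS_RE.findall(records) if owner.lower() == zone}

def compare_ns(registered, apex, zone):
    """Name servers present on only one side of the delegation."""
    parent, child = ns_set(registered, zone), ns_set(apex, zone)
    return {"only_in_zone": sorted(child - parent),
            "only_in_registered": sorted(parent - child)}

def parse_reply(text):
    """Pull the fields that explain a refusal out of a dig reply."""
    status = re.search(r"status:\s*(\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    ede = re.search(r"EDE:\s*(\d+)\s*\(([^)]*)\)", text)
    server = re.search(r"SERVER:\s*([0-9A-Fa-f.:]+)#", text)
    return {"status": status.group(1) if status else None,
            "aa": bool(flags) and "aa" in flags.group(1).split(),
            "ede": (int(ede.group(1)), ede.group(2)) if ede else None,
            "server": server.group(1) if server else None}

if __name__ == "__main__":
    print(compare_ns(REGISTERED, ZONE_APEX, "socialinnovation.ca"))
    print(parse_reply(REFUSED_REPLY))
```

Names reported under `only_in_zone` are servers a resolver can learn from the zone's own NS RRset even though the registered list does not include them.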