What does “error (unexpected RCODE REFUSED)” mean?

If you’re seeing this in the /var/log/syslog on your BIND DNS server:

Jul 14 00:56:13 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '':

...it means that a client has asked your server to look up a domain name that your server didn’t know about, and when your server forwarded the request to its forwarders, the remote DNS server refused to answer. A packet trace on your DNS server shows exactly what’s happening:

root@dns1:/# tcpdump -n -s 1514 -v 'port 53'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
00:56:09.686771 IP (tos 0x0, ttl 62, id 44942, offset 0, flags [DF], proto UDP (17), length 70) > 17985+ PTR? (42)

^… One of your clients sends your DNS server a reverse-IP lookup (a “PTR” request) for the domain name corresponding to IP address (expressed in reverse as “”)

00:56:09.687284 IP (tos 0x0, ttl 64, id 28584, offset 0, flags [none], proto UDP (17), length 81) > 26305+% [1au] PTR? (53)

^… The DNS server forwards the reverse-IP request to its “upstream” forwarder DNS server.

00:56:12.218438 IP (tos 0x0, ttl 64, id 39251, offset 0, flags [none], proto UDP (17), length 81) > 63185% [1au] PTR? (53)

^… After 3 seconds without a reply, the server sends the request to its next forwarder,

00:56:13.018706 IP (tos 0x0, ttl 64, id 34335, offset 0, flags [none], proto UDP (17), length 81) > 55483% [1au] PTR? (53)

^… 800ms later, the server repeats the request to its forwarder,

00:56:13.251686 IP (tos 0x4, ttl 53, id 48502, offset 0, flags [none], proto UDP (17), length 81) > 55483 Refused- 0/0/1 (53)

^… The “upstream” forwarder DNS responds with the answer it received, REFUSED! Your DNS server then logs this rejection to syslog:

Jul 14 00:56:13 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '':

^… The log says that your server received a response code of “REFUSED” when it was trying to ask the upstream DNS server for the PTR record “”.

If you’re seeing a lot of these, this may be a “harmless” message indicating that the DNS server is being asked (over and over again) to reverse-resolve the unknown remote server that’s been trying to contact your client ( in this example).

Indeed, if we check /var/log/auth.log on the client that’s been sending the DNS request, we can see that a remote server has been trying repeatedly to exploit an old SSH bug, and the client machine has been trying to reverse-resolve that remote server, in order to know its name:

Jul 14 00:56:19 kla-splunk-01 sshd[29635]: Received disconnect from 11: Bye Bye [preauth]
Jul 14 00:56:20 kla-splunk-01 sshd[29637]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
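
To confirm that a burst of these messages really comes from sshd reverse-resolving remote hosts, the two logs can be correlated. The following is an added example, not part of the original post: it turns each refused in-addr.arpa name back into an IPv4 address and counts how often that address shows up in sshd preauth disconnects. The log lines, host names and documentation-range addresses are constructed, and the assumed named line layout is 'name/PTR/IN': forwarder#port.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample lines (documentation-range addresses, not taken from the page).
NAMED_LOG = """\
Jul 14 00:56:13 dns1 named[8255]: error (unexpected RCODE REFUSED) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 00:56:40 dns1 named[8255]: error (unexpected RCODE REFUSED) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.54#53
Jul 14 00:57:02 dns1 named[8255]: error (unexpected RCODE REFUSED) resolving '9.100.51.198.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 00:57:05 dns1 named[8255]: error (unexpected RCODE SERVFAIL) resolving 'example.test/A/IN': 192.0.2.53#53
"""
AUTH_LOG = """\
Jul 14 00:56:19 client1 sshd[29635]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Jul 14 00:56:45 client1 sshd[29640]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
"""

REFUSED = re.compile(r"unexpected RCODE REFUSED\) resolving '([^/']+)/PTR/IN': (\S+)#\d+")
PREAUTH = re.compile(r"sshd\[\d+\]: Received disconnect from (\d+\.\d+\.\d+\.\d+)[: ].*\[preauth\]")

def ptr_to_ip(qname):
    """Turn '7.113.0.203.in-addr.arpa' back into '203.0.113.7'; None if not an IPv4 reverse name."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    try:
        return str(IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:  # octet out of range or non-numeric label
        return None

def refused_ptr_counts(named_text):
    """Count REFUSED PTR lookups per looked-up IP (other RCODEs and record types are ignored)."""
    counts = Counter()
    for qname, _forwarder in REFUSED.findall(named_text):
        ip = ptr_to_ip(qname)
        if ip:
            counts[ip] += 1
    return counts

def correlate(named_text, auth_text):
    """Map each refused IP to (refused PTR lookups, sshd preauth disconnects from that IP)."""
    ssh = Counter(PREAUTH.findall(auth_text))
    return {ip: (n, ssh.get(ip, 0)) for ip, n in refused_ptr_counts(named_text).items()}

if __name__ == "__main__":
    for ip, (refused, ssh_hits) in sorted(correlate(NAMED_LOG, AUTH_LOG).items()):
        print(f"{ip}: {refused} refused PTR lookups, {ssh_hits} sshd preauth disconnects")
```

An address with refused lookups but no matching sshd entries points at some other service on the client doing the reverse resolution.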