What does “error (unexpected RCODE REFUSED)” mean?

If you’re seeing this in the /var/log/syslog on your BIND DNS server:

Jul 14 00:56:13 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '75.1.33.112.in-addr.arpa/PTR/IN': 211.136.17.105#53

…it means that a client has asked your server to look up a name that your server didn’t know about, and when it forwarded the request to its forwarders, the remote DNS server answered with a REFUSED response code instead of an answer. A packet trace on your DNS server shows exactly what’s happening:

root@dns1:/# tcpdump -n -s 1514 -v 'port 53'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
00:56:09.686771 IP (tos 0x0, ttl 62, id 44942, offset 0, flags [DF], proto UDP (17), length 70)
    10.5.11.101.42237 > 10.0.10.10.53: 17985+ PTR? 75.1.33.112.in-addr.arpa. (42)

^… One of your clients sends a reverse-lookup request (a “PTR” query) to your DNS server, asking for the domain name corresponding to IP address 112.33.1.75 (written in reverse as “75.1.33.112.in-addr.arpa.”).

00:56:09.687284 IP (tos 0x0, ttl 64, id 28584, offset 0, flags [none], proto UDP (17), length 81)
    10.0.10.10.6374 > 10.0.0.2.53: 26305+% [1au] PTR? 75.1.33.112.in-addr.arpa. (53)

^… The DNS server forwards the reverse-lookup request to its “upstream” forwarder DNS server, 10.0.0.2.

00:56:12.218438 IP (tos 0x0, ttl 64, id 39251, offset 0, flags [none], proto UDP (17), length 81)
    10.0.10.10.27738 > 211.136.20.201.53: 63185% [1au] PTR? 75.1.33.112.in-addr.arpa. (53)

^… After 3 seconds without a reply, the server sends the request to its next forwarder, 211.136.20.201.

00:56:13.018706 IP (tos 0x0, ttl 64, id 34335, offset 0, flags [none], proto UDP (17), length 81)
    10.0.10.10.37801 > 211.136.17.105.53: 55483% [1au] PTR? 75.1.33.112.in-addr.arpa. (53)

^… 800ms later, the server repeats the request to its next forwarder, 211.136.17.105.

00:56:13.251686 IP (tos 0x4, ttl 53, id 48502, offset 0, flags [none], proto UDP (17), length 81)
    211.136.17.105.53 > 10.0.10.10.37801: 55483 Refused- 0/0/1 (53)

^… The “upstream” forwarder DNS server responds with a REFUSED response code (shown as “Refused-” in the trace)! Your DNS server then logs this rejection to syslog:

Jul 14 00:56:13 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '75.1.33.112.in-addr.arpa/PTR/IN': 211.136.17.105#53

^… The log says that your server received a response code of “REFUSED” when it was trying to ask upstream DNS server 211.136.17.105 for the PTR record “75.1.33.112.in-addr.arpa”.

If you’re seeing a lot of these, this may be a “harmless” message indicating that the DNS server is being asked, over and over again, to reverse-resolve an unknown remote host that has been trying to contact your client (10.5.11.101 in this example).

Indeed, if we check /var/log/auth.log on the client that’s been sending the DNS requests, we can see that a remote server has been trying repeatedly to exploit an old SSH bug, and the client machine has been trying to reverse-resolve that remote server in order to learn its name:

Jul 14 00:56:19 kla-splunk-01 sshd[29635]: Received disconnect from 112.33.1.75: 11: Bye Bye [preauth]
Jul 14 00:56:20 kla-splunk-01 sshd[29637]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
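As an added example (not code from the original post), here is a small Python script that parses BIND “unexpected RCODE” syslog lines in the format shown above, turns the in-addr.arpa name back into the IP address being reverse-resolved, and counts REFUSED answers per forwarder. That gives a quick view of which forwarder is refusing and which remote host keeps triggering the lookups, so it can be matched against auth.log as done above. The sample log lines are constructed for illustration: the first is the page’s own line, the other two are made up.

```python
import re
from collections import Counter

# Regex for the BIND "unexpected RCODE" syslog line format shown on this page.
LOG_RE = re.compile(
    r"named\[\d+\]: error \(unexpected RCODE (?P<rcode>[A-Z]+)\) "
    r"resolving '(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

def parse_rcode_line(line):
    """Return the fields of one 'unexpected RCODE' line as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def arpa_to_ip(qname):
    """Turn '75.1.33.112.in-addr.arpa' back into '112.33.1.75' (IPv4 only)."""
    name = qname.rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))

def summarize(lines):
    """Count REFUSED answers per upstream forwarder and per looked-up IP."""
    by_server = Counter()
    by_ip = Counter()
    for line in lines:
        rec = parse_rcode_line(line)
        if rec is None or rec["rcode"] != "REFUSED":
            continue  # other RCODEs (e.g. SERVFAIL) are a different problem
        by_server[rec["server"]] += 1
        ip = arpa_to_ip(rec["qname"]) if rec["qtype"] == "PTR" else None
        by_ip[ip or rec["qname"]] += 1
    return by_server, by_ip

# Constructed sample: the page's own line plus two made-up variants.
SAMPLE_LOG = [
    "Jul 14 00:56:13 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '75.1.33.112.in-addr.arpa/PTR/IN': 211.136.17.105#53",
    "Jul 14 00:57:02 kla-dns-01 named[8255]: error (unexpected RCODE REFUSED) resolving '75.1.33.112.in-addr.arpa/PTR/IN': 211.136.17.105#53",
    "Jul 14 00:58:40 kla-dns-01 named[8255]: error (unexpected RCODE SERVFAIL) resolving 'example.com/A/IN': 10.0.0.2#53",
]

if __name__ == "__main__":
    servers, ips = summarize(SAMPLE_LOG)
    print("REFUSED answers per forwarder:", dict(servers))
    print("refused PTR lookups per remote IP:", dict(ips))
```

Feed it real lines with `summarize(open("/var/log/syslog"))`; a single remote IP dominating the second counter is the pattern the auth.log excerpt above explains.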