Senior Member (Join Date: Apr 2009, Location: Northern Delaware, Posts: 250)
#1, 07-04-2012, 07:17 PM
unexpected RCODE (REFUSED) resolving

All-

I upgraded from 8.102 to UTM 9.0 latest soft release. When I reviewed the DNS log this morning, the log was very full with the following Rcode entries:


2012:07:04-15:02:05 s_local_asl@OASIS named: Last message 'unexpected RCODE (RE' repeated 1 times, supressed by syslog-ng on OASIS
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '158.152.57.108.in-addr.arpa/PTR/IN': 71.252.0.72#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '158.152.57.108.in-addr.arpa/PTR/IN': 68.238.96.72#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '158.152.57.108.in-addr.arpa/PTR/IN': 151.203.0.87#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.38.10#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.34.10#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.32.10#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.36.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.34.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.32.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.36.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.38.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.34.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.36.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.32.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.38.10#53
2012:07:04-15:02:06 s_local_asl@OASIS named: Last message 'unexpected RCODE (RE' repeated 1 times, supressed by syslog-ng on OASIS
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.32.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.36.10#53
2012:07:04-15:02:06 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.34.10#53

The noted entries are from this afternoon. However, they have been going on since last night. Everything on the network was down overnight except the ASG. I am not able to find a LAN-based source causing this. Can someone please provide some direction? Outside of this, UTM 9 works very nicely, a job well done! It seems very odd this would be coming from the ASG, but I believe it is possible. The 173.***.***.*** addresses are Google, and there are some 108.***.***.*** that belong to Verizon. Thanks in advance for any help provided!

Regards,
Jim
Reply With Quote
Moderator (Join Date: Jul 2001, Location: southern California, Posts: 12,063)
#2, 07-05-2012, 08:00 PM

Hi, there's another thread about this; in that case it turned out to be a wrong MTU setting:

http://www.astaro.org/gateway-produc...e-refused.html

Another likely possibility is that it's caused by spammers; are you using the SMTP proxy?

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying

Last edited by BAlfson; 10-13-2012 at 06:05 PM. Reason: Changed link to adjust for new forum directory name.
Reply With Quote
Senior Member (Join Date: Apr 2009, Location: Northern Delaware, Posts: 250)
#3, 07-05-2012, 11:15 PM
unexpected RCODE (REFUSED) resolving

Hi Barry,

Thanks for responding. I am not using SMTP. The DNS proxy log is full of entries like this from the last 24 hours. While I don't think this could be a result of the Actiontec router for the FiOS cable boxes, I will turn it off overnight, leaving the ASG running with the remainder of the network down. Yesterday I did some research on "unexpected RCODE (REFUSED) resolving" and discovered it could be MTU related. The MTU has been changed to 1492 and the issue still exists. Secondly, again based on research, this may be a bug in BIND or the Linux kernel. Most of the research points to a DNS BIND issue. The odd thing is attempting to figure out what is generating a connection to Google servers.... Fingers are pointed at the ASG, but that does not fully add up.... Hopefully you have some good advice. Once I changed the MTU, increased performance was apparent when resolving web pages that have not been cached by the FiOS proxy server. Right now I am getting 84 Mbps down consistently. UTM 9 rocks!

Regards,
Jim
Reply With Quote
Moderator (Join Date: Jul 2001, Location: southern California, Posts: 12,063)
#4, 07-06-2012, 06:15 PM

Hi, if you're on FioS, the default MTU should be fine.

What DNS servers are you using?

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying
Reply With Quote
Senior Member (Join Date: Apr 2009, Location: Northern Delaware, Posts: 250)
#5, 07-06-2012, 06:47 PM

Hi Barry,

I am using Level 3 Communications DNS servers. The same behavior was exhibited with OpenDNS. This morning the DNS log contained one entry. I missed shutting down the Actiontec and print servers last night. Previous behavior had stopped. The entry was:

OASIS named[4115]: client 127.0.0.1#60136: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa

I have been getting many of these entries in the DNS log. Later today I noticed some of the same activity as earlier described, only the IP has changed to a Chinese address:

unexpected RCODE (REFUSED) resolving '104.76.218.222.in-addr.arpa/PTR/IN': 202.103.224.69#53

I have China and Taiwan blocked using country blocking. The device stopped attempting to contact China about an hour later. Now we are seeing the following again:

OASIS named[4115]: client 127.0.0.1#60136: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa

This is very puzzling. I am reasonably sure a workstation is not causing the entries. Using TCPView I can see the traffic from the PC. I am at a loss as to how to proceed on this one. One other item: on 8.102 there was rarely a message "OASIS named[4115]: client 127.0.0.1#60136: RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa". This started with UTM 9. I wonder if some of the RCODE issues are related to network changes coming up on Monday related to the DNSChanger virus. Either way, I would like to figure out what is going on with both the RCODE and RFC 1918 issues.....

Regards,
Jim
Reply With Quote
Senior Member (Join Date: Apr 2009, Location: Northern Delaware, Posts: 250)
#6, 07-08-2012, 12:13 AM

Barry,

I have discovered a new twist to the DNS log issue. Earlier today I had my work laptop on my home network. From the time I took it off at 11:47 until now I have been receiving the following DNS proxy log entry:

2012:07:07-20:02:03 OASIS named[4115]: client 127.0.0.1#41428: RFC 1918 response from Internet for 6.1.168.192.in-addr.arpa

It is not there; how can a response be generated? There has to be something I am missing. We are working on 8 hours where a device that was removed from the network is creating errors....... Some guidance is needed.

Thanks,
Jim
Reply With Quote
Junior Member (Join Date: Jun 2010, Posts: 7)
#7, 09-25-2012, 04:04 PM

Did you ever figure this out? I have an issue that looks like this too. And I am researching based on the .cn country being blocked and .cn DNS requests going out. Looking for the source of the requests, which is eluding me...
Reply With Quote
MHV, Junior Member (Join Date: Mar 2013, Posts: 14)
#8, 03-26-2013, 05:11 PM

I have the same log entries.

In my case, these entries show up every 15 minutes (:02, :17, :32, :47). These time stamps match up with a cron job called gen_inline_reporting_data.plx.

It looks like this job is generating a report, part of which involves trying to do a reverse lookup of IP addresses. Some of these are bound to fail (e.g., some youtube.com IP addresses won't allow a reverse lookup).
Reply With Quote
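As an added triage example (not code from this thread, from Sophos/Astaro UTM, or from BIND itself), the Python below parses named log lines in the syslog format shown in post #1, groups the REFUSED PTR lookups by the address being looked up and the upstream server that refused it, flags reverse lookups for RFC 1918 addresses that were answered from the Internet (the second message Jim reports), and checks whether all events share one minute-of-hour offset, which is what MHV's 15-minute cron hypothesis predicts. The sample lines are constructed from the ones posted in this thread; the regular expressions assume only the log format shown there and nothing about how UTM generates the queries.

```python
"""Triage helper for BIND 'unexpected RCODE (REFUSED)' and 'RFC 1918 response' log lines.
Added example, not code from this thread or from UTM. Reports which PTR names were refused
and by which upstream servers, which RFC 1918 reverse lookups left the network, and whether
the events share a single minute-of-hour offset (the footprint of a periodic job)."""
import ipaddress
import re
from collections import Counter

# Syslog prefix as it appears in the posted UTM log: 'YYYY:MM:DD-HH:MM:SS host named[pid]: msg'
LINE_RE = re.compile(
    r"^(?P<date>\d{4}:\d{2}:\d{2})-(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[\d+\]: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(
    r"unexpected RCODE \((?P<rcode>\w+)\) resolving '(?P<name>[^/']+)/(?P<rtype>\w+)/(?P<rclass>\w+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)
RFC1918_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<cport>\d+): RFC 1918 response from Internet for (?P<name>\S+)$"
)
# syslog-ng collapses exact duplicates into this line; count them so the tally stays honest.
SUPPRESSED_RE = re.compile(r"Last message '.*' repeated (?P<n>\d+) times")

# Constructed sample modelled on the lines posted in this thread (not a real capture).
SAMPLE_LOG = """\
2012:07:04-15:02:05 s_local_asl@OASIS named: Last message 'unexpected RCODE (RE' repeated 1 times, supressed by syslog-ng on OASIS
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '158.152.57.108.in-addr.arpa/PTR/IN': 71.252.0.72#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '158.152.57.108.in-addr.arpa/PTR/IN': 68.238.96.72#53
2012:07:04-15:02:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '120.53.194.173.in-addr.arpa/PTR/IN': 216.239.38.10#53
2012:07:04-15:17:04 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '21.53.194.173.in-addr.arpa/PTR/IN': 216.239.32.10#53
2012:07:04-15:32:05 OASIS named[4115]: unexpected RCODE (REFUSED) resolving '104.76.218.222.in-addr.arpa/PTR/IN': 202.103.224.69#53
2012:07:07-20:02:03 OASIS named[4115]: client 127.0.0.1#41428: RFC 1918 response from Internet for 6.1.168.192.in-addr.arpa.
"""


def ptr_name_to_ip(name):
    """'158.152.57.108.in-addr.arpa' -> IPv4Address('108.57.152.158'); None if not an IPv4 PTR name."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def parse_line(line):
    """Return a dict for the two message kinds of interest, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m["time"], "host": m["host"]}
    r = REFUSED_RE.match(m["msg"])
    if r:
        rec.update(kind="refused", rcode=r["rcode"], name=r["name"], rtype=r["rtype"], server=r["server"])
        return rec
    p = RFC1918_RE.match(m["msg"])
    if p:
        rec.update(kind="rfc1918", client=p["client"], name=p["name"])
        return rec
    return None


def cron_like(minutes, period=15):
    """True when every observed minute-of-hour has the same offset modulo `period`
    (:02, :17, :32, :47 are all 2 mod 15), i.e. the footprint of a job run every `period` minutes."""
    offsets = {m % period for m in minutes}
    return len(offsets) == 1


def triage(log_text, period=15):
    refused = Counter()   # (looked-up address, upstream server) -> refusals
    servers = Counter()   # upstream server -> refusals
    private_leaks = []    # (client, private address whose PTR query was answered from the Internet)
    minutes = Counter()   # minute-of-hour of every event understood
    suppressed = 0        # duplicates that syslog-ng folded into 'repeated N times'
    for line in log_text.splitlines():
        sup = SUPPRESSED_RE.search(line)
        if sup:
            suppressed += int(sup["n"])
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        minutes[int(rec["time"][3:5])] += 1
        ip = ptr_name_to_ip(rec["name"])
        if rec["kind"] == "refused":
            refused[(str(ip) if ip else rec["name"], rec["server"])] += 1
            servers[rec["server"]] += 1
        elif ip is not None and ip.is_private:
            private_leaks.append((rec["client"], str(ip)))
    return {"refused": refused, "servers": servers, "private_leaks": private_leaks,
            "minutes": minutes, "suppressed": suppressed, "cron_like": cron_like(minutes, period)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (addr, server), n in result["refused"].most_common():
        print(f"REFUSED x{n}: PTR for {addr} via {server}")
    print("private reverse lookups answered from the Internet:", result["private_leaks"])
    print("suppressed duplicates:", result["suppressed"], "| cron-like cadence:", result["cron_like"])
```

Run it against the real DNS proxy log instead of SAMPLE_LOG and look at two things: the `servers` tally tells you whether the refusals come from the reverse-zone operators (Google's and Verizon's name servers in the posted lines, which simply decline PTR queries for those ranges) rather than from your own forwarders, and `cron_like` being True across a day of data is strong evidence the queries originate on the appliance itself rather than from a LAN host, which fits the reporting cron job MHV identified.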
BAlfson, Grandis Professorem Astaro (Join Date: Mar 2007, Location: Oklahoma City, Posts: 20,860)
#9, 03-26-2013, 09:18 PM

Hi, MHV, and welcome to the User BB!

Try a google for site:astaro.org "unexpected RCODE (REFUSED)"

Any luck?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Reply With Quote
MHV, Junior Member (Join Date: Mar 2013, Posts: 14)
#10, 03-27-2013, 05:52 PM

Quote:
Originally Posted by BAlfson View Post
Hi, MHV, and welcome to the User BB!

Try a google for site:astaro.org "unexpected RCODE (REFUSED)"

Any luck?

Cheers - Bob
Hi Bob, thanks for your response! Sorry, my post should have been clearer.
All I meant to convey was that the RCODE entries described above appear to be harmless (unless, of course, sites like youtube.com are in violation of the local network policy).
Reply With Quote