In the event logs, I'm seeing a ton of errors from named, from the same two source IPs:
Code:
client 75.128.118.28#38038: query (cache) 'dr._dns-sd._udp.0.1.0.10.in-addr.arpa/PTR/IN' denied
client 75.128.118.28#39455: query (cache) 'r._dns-sd._udp.0.1.0.10.in-addr.arpa/PTR/IN' denied
client 75.128.118.28#46981: query (cache) 'db._dns-sd._udp.0.1.0.10.in-addr.arpa/PTR/IN' denied
client 75.128.118.28#34547: query (cache) 'b._dns-sd._udp.0.1.0.10.in-addr.arpa/PTR/IN' denied
client 75.128.118.28#44498: query (cache) 'lb._dns-sd._udp.0.1.0.10.in-addr.arpa/PTR/IN' denied
Also 24.231.247.70.
While DNS is installed on this server (Windows Server 2008), it's not serving any public records. All sites on the box use external DNS. The on-server DNS is for my convenience, for more easily updating DomainKeys and DKIM records. I actually disable DNS service on domains between updates, but I leave the DNS service up.
My understanding is that PTR is not on-server either, but an entry further upstream.
Should I just block this IP?
Both appear to be Charter servers. I use Charter as an ISP, but I'm not sure if this is related. I don't use my Charter email account at all, nor do I send/receive through their servers. In fact, I don't even use the Charter DNS because it's slow and crappy -- I use OpenDNS. If Charter is trying to request DNS records, it's looking at the wrong server.
This only started this month.
Any ideas?
.
.
Linear Mode
