dns errors

Hello.

I'm receiving some errors in my logs about DNS queries all day long; these are:

,18:05:49,10.100.1.1,"dns,packet — sending udp query to 8.8.8.8:53:"
,18:05:49,10.100.1.1,"dns,packet id:2c47 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'"
,18:05:49,10.100.1.1,"dns,packet question: 72.11.100.10.in-addr.arpa:PTR:IN"
,18:05:49,10.100.1.1,"dns,packet — got answer from 8.8.8.8:53:"
,18:05:49,10.100.1.1,"dns,packet id:2c47 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'"
,18:05:49,10.100.1.1,"dns,packet question: 72.11.100.10.in-addr.arpa:PTR:IN"
,18:05:49,10.100.1.1,dns done query: #1 dns name does not exist
,18:34:27,10.100.1.1,dns local query: #1 137.10.100.10.in-addr.arpa. PTR
,18:34:27,10.100.1.1,"dns,packet — sending udp query to 8.8.8.8:53:"
,18:34:27,10.100.1.1,"dns,packet id:db69 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'"
,18:34:27,10.100.1.1,"dns,packet question: 137.10.100.10.in-addr.arpa:PTR:IN"
,18:34:27,10.100.1.1,"dns,packet — got answer from 8.8.8.8:53:"
,18:34:27,10.100.1.1,"dns,packet id:db69 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'"
,18:34:27,10.100.1.1,"dns,packet question: 137.10.100.10.in-addr.arpa:PTR:IN"
,18:34:27,10.100.1.1,dns done query: #1 dns name does not exist

Does anyone know what's happening?

Probably something Google-unsupported in DNS queries (like regional, non-ANSI charsets and some options of DNS traffic, maybe, but less likely).
Did you try to reproduce it with other public DNS providers? (If you prefer corporate ones for some mysterious reason a bit more, try OpenDNS, he n etc.)

10.100.11.72 is a private address (falling in the 10.0.0.0/8 subnet). Google will never answer a query to any private or bogon IP.



This is exactly right.

To elaborate how you can interpret the logs:

The first row is a log of your router sending a question, asking for reverse DNS on 10.100.10.137
(PTR is a reverse DNS record type).
A reverse DNS request is made by putting the 4 octets in reverse order (137.10.100.10) and then adding .in-addr.arpa. to the end of it, and the resulting name is what you see in the first log entry.

The 2nd entry is obviously logging the fact that you got a reply from Google's DNS (8.8.8.8), so this means that the basic DNS communication is working.

3rd entry: the answer was that you made an error (Google said "name error" to you).

The last two lines show which question the error was for, and that the error was that the name doesn’t exist.

As IntrusDave says, this is normal because public DNS cannot have a name for a private IP address.
You could put hostnames into your DNS configuration as static entries
e.g. router = 10.100.10.1 , etc.
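As an added example (not from this thread, and not the router vendor's code), a small Python triage script that reads log lines in the CSV layout quoted above, decodes each PTR name back to an address the way the reply describes, and marks "name error" replies for private or otherwise non-global addresses as the expected noise. Whatever is left is worth a look, and the private addresses it collects are the hosts that deserve static entries. The sample lines are constructed to match the format above (the 8.8.8.8 lookup is added for contrast).

```python
import ipaddress
import re

# Constructed sample in the same CSV layout as the router log quoted above.
SAMPLE_LOG = """\
,18:05:49,10.100.1.1,"dns,packet id:2c47 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'"
,18:05:49,10.100.1.1,"dns,packet question: 72.11.100.10.in-addr.arpa:PTR:IN"
,18:34:27,10.100.1.1,"dns,packet id:db69 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'"
,18:34:27,10.100.1.1,"dns,packet question: 137.10.100.10.in-addr.arpa:PTR:IN"
,18:40:02,10.100.1.1,"dns,packet id:0a1b rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error'"
,18:40:02,10.100.1.1,"dns,packet question: 8.8.8.8.in-addr.arpa:PTR:IN"
"""

HEADER_RE = re.compile(r"packet id:(\w+) .*?qr:(\d) .*?QUERY '([^']+)'")
QUESTION_RE = re.compile(r"question: (\S+):PTR:IN")
TIME_RE = re.compile(r"^,(\d\d:\d\d:\d\d),")


def ptr_name_to_ip(name):
    """Undo the reverse-DNS encoding: 72.11.100.10.in-addr.arpa -> 10.100.11.72."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 PTR name: " + name)
    return ipaddress.ip_address(".".join(reversed(labels[:4])))


def triage_ptr_log(log_text):
    """Pair each answer header (qr:1) with the question line that follows it.

    A 'name error' (NXDOMAIN) for a non-global address is benign: public
    resolvers hold no PTR data for private or bogon address space.
    """
    results, pending = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:  # remember time, qr flag and rcode until the question line arrives
            pending = (TIME_RE.match(line).group(1), m.group(2), m.group(3))
            continue
        q = QUESTION_RE.search(line)
        if q and pending:
            if pending[1] == "1":  # an answer packet, not our own outgoing query
                ip = ptr_name_to_ip(q.group(1))
                results.append({"time": pending[0], "ip": str(ip), "rcode": pending[2],
                                "benign_nxdomain": pending[2] == "name error" and not ip.is_global})
            pending = None
    return results


def static_entry_candidates(results):
    """Non-global addresses whose PTR failed upstream: answer them locally instead."""
    return sorted({r["ip"] for r in results if r["benign_nxdomain"]}, key=ipaddress.ip_address)
```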

Right. But that's WHY they should respond to/treat traffic from it properly:
not by malformed DNS output, but by rejecting it earlier.

There is no issue. The DNS response is exactly what it should be. The correct solution is to put static entries in the local DNS resolver, or ignore the messages. Alternatively, you could filter UDP/53 and block anything with the local subnet in the content. But really, if you want your local LAN to run smoother, you should do the static entries.

The "correct answer" was to prohibit bogons from even reaching services/networks, generally,
as well as other "non-routable" things.