dns-over-tls queries?

Hi,

I had observed some traffic arriving at our recursive servers
which tried to connect to port 853 (the dns-over-tls port), so
I've now spun up an unbound to serve those requests.

Initially I'm running with query logging turned on, and I'm
slightly disappointed to report that all the queries I find
in the log conform to this pattern:

Feb 4 16:00:56 myname unbound: [22507:0] info: a.b.c.d null TYPE0 CLASS0 REFUSED 0.000000 1 12

where a.b.c.d is the IP address of the client. No other queries
appear to arrive from the client, but the client will repeat the
probing periodically. Type 0 is supposed to be used as a special
indicator for the SIG(0) RR, and must not otherwise be used,
whereas class 0 is reserved (IN is class 1), says RFC 6895.

Does anyone know what type of client does this? Since I don't
appear to receive other queries than these probes over
dns-over-tls, I'm curious to know whether it's something wrong
at my end.

I have a properly signed certificate for the service; both the
name and the IP addresses are part of the certificate.

Regards,

- Håvard

Hi,

following up on my own message:

Feb 4 16:00:56 myname unbound: [22507:0] info: a.b.c.d null TYPE0 CLASS0 REFUSED 0.000000 1 12

Using kdig, I see the same problem client-side:

% kdig -4 @a.b.c.d:853 vg.no. a +tls
;; WARNING: response doesn't have question section
;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 54977
;; Flags: qr rd; QUERY: 0; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; Received 12 B
;; Time 2019-02-05 13:22:00 CET
;; From a.b.c.d8@853(TCP) in 14.9 ms
%

Hrm, doesn't work as advertised. Need to dig deeper. Hints?

Regards,

- Håvard

Hi Håvard,

The reply looks like this when the client's IP address is refused by
unbound's access-control. When a local-zone refuses it, the query name
would be present in the reply.

Unbound simply won't parse the query from the disallowed source, hence
the short reply contents.

The null TYPE0 CLASS0 is an artifact of the fact that it doesn't parse
the query, and then has nothing to print for log-replies.

Best regards, Wouter

following up on my own message:

Feb 4 16:00:56 myname unbound: [22507:0] info: a.b.c.d null TYPE0 CLASS0 REFUSED 0.000000 1 12

Ignore me. This is what happens when the server doesn't allow
the client access to the service, via access-control...

Regards,

- Håvard
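Wouter's explanation gives a triage rule for the reply log: an access-control refusal is logged as `null TYPE0 CLASS0` with a 12-byte reply (a bare DNS header, matching the "QUERY: 0" kdig output above), while a local-zone refusal still carries the parsed query name. The script below is an added example, not code from this thread or from Unbound itself; it applies that rule to constructed log lines, and the regex for the log-replies line format is an assumption derived from the single line quoted above.

```python
import re
from collections import Counter

# Unbound reply-log line format, as seen in the thread (with log-replies enabled):
#   ... unbound: [pid:tid] info: <client> <qname> <qtype> <qclass> <rcode> <time> <tcp> <len>
LOG_RE = re.compile(
    r"unbound: \[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>\S+) (?P<elapsed>[\d.]+) (?P<tcp>[01]) (?P<size>\d+)$"
)

def classify(line):
    """Return (client, verdict) for one reply-log line, or None if it is not one.
    access-control-deny: refused before parsing, so unbound logs the placeholders
    'null TYPE0 CLASS0' and sends a bare 12-byte header; local-zone-refuse: REFUSED
    but the query name was parsed; refused-other; ok: any other rcode."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    if f["rcode"] != "REFUSED":
        return f["client"], "ok"
    if (f["qname"], f["qtype"], f["qclass"]) == ("null", "TYPE0", "CLASS0"):
        return f["client"], "access-control-deny"
    if f["qname"] != "null":
        return f["client"], "local-zone-refuse"
    return f["client"], "refused-other"

def summarize(lines):
    """Count (client, verdict) pairs so clients that only ever hit the ACL stand out."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r:
            counts[r] += 1
    return counts

# Constructed sample lines modelled on the one in the thread (addresses are documentation ranges).
SAMPLE_LOG = [
    "Feb 4 16:00:56 myname unbound: [22507:0] info: 192.0.2.10 null TYPE0 CLASS0 REFUSED 0.000000 1 12",
    "Feb 4 16:01:02 myname unbound: [22507:0] info: 192.0.2.10 null TYPE0 CLASS0 REFUSED 0.000000 1 12",
    "Feb 4 16:01:30 myname unbound: [22507:0] info: 198.51.100.7 blocked.example. A IN REFUSED 0.000012 1 45",
    "Feb 4 16:02:00 myname unbound: [22507:0] info: 203.0.113.5 vg.no. A IN NOERROR 0.012345 1 61",
]

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:15} {verdict:20} {n}")
```

A client whose only entries are access-control-deny is not a broken DoT probe but a source your access-control does not allow, which is exactly the case resolved in this thread.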