Print

[snarked]

I have rate limiting enabled in my DNS server.  I’m getting rate limiting messages in my system logs for DNS queries that appear to be from HE’s tunnel server.  Example:

11-Sep-2021 08:23:52.542 client @0x7fcf905af6e0 66.220.18.42#26678 (DELETED-bl.snarked.net): rate limit slip NODATA response to 66.220.18.0/24 for DELETED-bl.snarked.net IN  (2d03f8d7)

I see no reason for a tunnel server to be the source of a query for any hosted domain outside of HE itself.  Is there a security hole permitting them to be open resolvers?

I have masked the actual query by deleting part of it, but left enough of it to show that it is a DNSBL entry, not a hostname query.  Why would a tunnel server be checking my private list (and furthermore, the list being checked is not an IPv4, IPv6, or a domain name list, but something else)?  66.220.18.42 is the Los Angeles tunnel server endpoint address.