FORMERR resolving

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

FORMERR resolving

Unread post by npavlidis »

Hello,

I am running Plesk 8.6 on CentOS 5.x and I have been seeing a lot of these messages, which are format errors on requests:

named[3018]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53

Unfortunately it's not one or two of them:

# grep FORMERR /var/log/messages | wc -l
14989

What would be the best-practice way of dealing with this issue?

Thank you in advance,

Nik
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: FORMERR resolving

Unread post by scott »

That can happen with internationalized domain names (given the .cn extension); basically you're trying to resolve something and the format of the response is invalid. It could be indicative of a spam attack, or, if you allow recursion to named, a DoS attack. If you add this to /etc/named.conf it will allow recursion (i.e. querying for domains your server is not master/secondary for) only from localhost:

allow-recursion { localhost; };
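An added check (example script, not Plesk's, BIND's or the poster's own code) for the advice above: it reads a named.conf-style file, pulls out the allow-recursion ACL and reports whether recursion is restricted to loopback. The three sample configs it writes are constructed for the example; the "localnets" case reflects what the thread later says Plesk wrote. Note that localnets matches every network the server has an interface on, so it is not the same as localhost. Only // and # comments are stripped; /* */ block comments are not handled.

```shell
#!/bin/sh
# Added example (not from Plesk, BIND or the original post): audit the
# allow-recursion ACL in a named.conf-style file. Exit status 0 only when
# recursion is restricted to the loopback host.

recursion_acl() {
    # Print the body of the first "allow-recursion { ... };" found, with
    # whitespace removed, e.g. "localhost;" or "localnets;". Empty if absent.
    sed -e 's,//.*$,,' -e 's,#.*$,,' "$1" \
        | tr '\n' ' ' \
        | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -d ' \t'
}

audit_recursion() {
    acl=$(recursion_acl "$1")
    if [ -z "$acl" ]; then
        echo "$1: no allow-recursion directive, the BIND default applies"
        return 1
    fi
    # Anything other than loopback names left over means recursion is wider
    # than localhost. "localnets" matches every network the server has an
    # interface on, so it is not equivalent.
    rest=$(printf '%s' "$acl" | tr ';' '\n' \
        | grep -v -e '^$' -e '^localhost$' -e '^127\.0\.0\.1$' -e '^::1$' || true)
    if [ -z "$rest" ]; then
        echo "$1: recursion restricted to loopback ($acl)"
        return 0
    fi
    echo "$1: recursion allowed beyond loopback ($acl)"
    return 1
}

# Constructed sample configs, one per case discussed in the thread.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/named.conf.localnets" <<'EOF'
options {
    directory "/var/named";
    allow-recursion { localnets; };   // what the poster found in /etc/named.conf
};
EOF
cat > "$TMP/named.conf.localhost" <<'EOF'
options {
    directory "/var/named";
    allow-recursion { localhost; };   // the recommended setting
};
EOF
cat > "$TMP/named.conf.none" <<'EOF'
options { directory "/var/named"; };
EOF

for f in "$TMP"/named.conf.*; do
    audit_recursion "$f" || :
done
```

Run it against the real file with `audit_recursion /etc/named.conf`; a non-zero exit means recursion is open to more than the local host, which is the condition scott's snippet closes.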
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Re: FORMERR resolving

Unread post by npavlidis »

Hmm, something does not seem right here.

I remember doing this in the panel, and I went in to check and Plesk says that it's set to localhost,
while /etc/named.conf begs to differ (localnets), which I think would cover this anyway (correct me here if I am wrong, please).

In any case I set it back to localhost in /etc/named.conf and... let's see.

Thank you,

Nik
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Re: FORMERR resolving

Unread post by npavlidis »

Wow, that was quick to see results (pasting just segments):

Oct 9 15:49:17 www named[11783]: running
Oct 9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct 9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct 9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53


My /etc/resolv.conf has my own (127.0.0.1) as the primary DNS. Do you think I should change that to another DNS in the LAN?

Please advise.

Thank you in advance,

Nik
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: FORMERR resolving

Unread post by scott »

AAAA <- this means it's trying to resolve an IPv6 hostname.

Otherwise using localhost is fine, that rule says that only the local machine can do recursive queries.
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Re: FORMERR resolving

Unread post by npavlidis »

I still get the:

Oct 9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53

type of messages though.

Cheers,

Nik
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Re: FORMERR resolving

Unread post by npavlidis »

More stats:

[root@www ~]# grep 222.186.30.143 /var/log/messages | wc -l
4267
[root@www ~]# grep 221.12.88.12 /var/log/messages | wc -l
3910
[root@www ~]# grep 211.91.237.4 /var/log/messages | wc -l
7051

It's starting to look like an attack...
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: FORMERR resolving

Unread post by mikeshinn »

It may be. FORMERR is internally generated by BIND when it doesn't like the format of the negative answer it got:

http://www.ietf.org/rfc/rfc2136.txt
npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Re: FORMERR resolving

Unread post by npavlidis »

I'm thinking about adding a custom rule on OSSEC for it; do you think it's worth it? Can you propose a best-practice interval to trigger it?

Cheers,

Nik
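The per-server counts Nik pasted above, and the OSSEC threshold question, both come down to the same aggregation. This is an added example (not from the original post, not an OSSEC rule): it tallies BIND "FORMERR resolving" lines by the server that returned the malformed answer and by query type, then lists the servers at or above a threshold. The log lines are constructed in the format the thread shows, using the addresses Nik reported plus one documentation address (198.51.100.7); the threshold of 2 is an illustration, not a recommended value.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): summarise BIND
# "FORMERR resolving" log lines by the server that sent the malformed answer
# and by query type, then flag servers over a threshold.

# Constructed sample log in the thread's format (not real captured data).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Oct  9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct  9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53
Oct  9 15:57:02 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct  9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
Oct  9 18:23:25 www named[11783]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53
Oct  9 18:23:30 www named[11783]: FORMERR resolving 'example.net/A/IN': 198.51.100.7#53
EOF

# "ip count", most frequent first; the last field of a FORMERR line is ip#port.
formerr_by_server() {
    awk '/FORMERR resolving/ { split($NF, a, "#"); n[a[1]]++ }
         END { for (ip in n) print ip, n[ip] }' "$1" \
        | sort -k2,2nr -k1,1
}

# "qtype count", most frequent first; the quoted field is qname/qtype/class.
formerr_by_qtype() {
    awk -F"'" '/FORMERR resolving/ { split($2, q, "/"); n[q[2]]++ }
               END { for (t in n) print t, n[t] }' "$1" \
        | sort -k2,2nr -k1,1
}

# Servers that sent at least $2 malformed answers. The threshold is an
# illustration, not a recommended value: tune it against your own baseline
# (and a time window) before turning it into an alert rule.
formerr_offenders() {
    formerr_by_server "$1" | awk -v t="$2" '$2 >= t+0 { print $1 }'
}

echo "by server:";        formerr_by_server "$LOG"
echo "by qtype:";         formerr_by_qtype "$LOG"
echo "offenders (>= 2):"; formerr_offenders "$LOG" 2
```

On the real box, point the functions at /var/log/messages instead of the sample file; the SERVFAIL line in the sample is deliberately excluded so the counts only reflect FORMERR.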
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: FORMERR resolving

Unread post by breun »

scott wrote:If you add this to /etc/named.conf this will only allow recursion (ie querying for domains your server is not master/secondary for) only from localhost:

allow-recursion { localhost; };
There's a setting in Plesk for that: Settings > DNS Recursion Settings.