
FORMERR resolving

Posted: Fri Oct 09, 2009 4:27 am
by npavlidis
Hello,

I am running Plesk 8.6 on CentOS 5.x and I have been seeing a lot of these messages, which are format errors on requests:

named[3018]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53

Unfortunately it's not one or two of them:

# grep FORMERR /var/log/messages | wc -l
14989

What would be the best-practice way of dealing with this issue?

Thank you in advance,

Nik

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 8:06 am
by scott
That can happen with internationalized domain names (given the .cn extension); basically you're trying to resolve something and the format of the response is invalid. It could be indicative of a spam attack, or, if you allow recursion to named, a DoS attack. If you add this to /etc/named.conf it will allow recursion (i.e. querying for domains your server is not master/secondary for) only from localhost:

allow-recursion { localhost; };

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 8:50 am
by npavlidis
Hmm, something does not seem right here.

I remember doing this in the panel, and I went in to check and Plesk says that it's set to localhost,
while /etc/named.conf begs to differ (localnets), which I think would cover this anyway (correct me here if I am wrong, please).

In any case I set it back to localhost in /etc/named.conf and... let's see.

Thank you,

Nik

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 8:58 am
by npavlidis
Wow, that was quick to see results (pasting just segments):

Oct 9 15:49:17 www named[11783]: running
Oct 9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct 9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct 9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53

My /etc/resolv.conf has as a primary DNS my own (127.0.0.1). Do you think I should change that to another DNS in the LAN?

Please advise.

Thank you in advance,

Nik

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 11:15 am
by scott
AAAA <- this means it's trying to resolve an IPv6 address for a hostname.

Otherwise using localhost is fine, that rule says that only the local machine can do recursive queries.

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 11:25 am
by npavlidis
I still get the:

Oct 9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53

type of messages though.

Cheers,

Nik

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 12:48 pm
by npavlidis
More stats:

[root@www ~]# grep 222.186.30.143 /var/log/messages | wc -l
4267
[root@www ~]# grep 221.12.88.12 /var/log/messages | wc -l
3910
[root@www ~]# grep 211.91.237.4 /var/log/messages | wc -l
7051

It's starting to look like an attack...

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 7:05 pm
by mikeshinn
It may be. FORMERR is internally generated by BIND when it doesn't like the format of the negative answer it got:

http://www.ietf.org/rfc/rfc2136.txt

Re: FORMERR resolving

Posted: Fri Oct 09, 2009 10:21 pm
by npavlidis
I'm thinking about adding a custom rule on OSSEC for it; do you think it's worth it? Can you propose a best-practice interval to trigger it?

Cheers,

Nik

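Before writing an alerting rule, it helps to know how bursty the FORMERR lines actually are per upstream server, since a frequency/timeframe rule is tuned on exactly that figure. The script below is an added example (not code from this thread or from Plesk/OSSEC): it parses the two syslog line shapes quoted above, splits errors by the remote server that answered, reports the total per server (the number the grep | wc -l commands in the earlier post give) and the peak number of errors inside any sliding window, and flags servers above a threshold. The sample log lines are constructed for the example and modelled on the ones pasted in the thread; the threshold and window values are illustrative, not a recommendation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two named log shapes quoted in the thread:
#   ... named[PID]: FORMERR resolving 'NAME/TYPE/IN': IP#PORT
#   ... named[PID]: unexpected RCODE (SERVFAIL) resolving 'NAME/TYPE/IN': IP#PORT
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"(?:(?P<formerr>FORMERR)|unexpected RCODE \((?P<rcode>[A-Z]+)\)) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+)$"
)

# Constructed sample, modelled on the lines pasted in the thread (not a real capture).
SAMPLE_LOG = """\
Oct  9 15:49:17 www named[11783]: running
Oct  9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct  9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct  9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53
Oct  9 15:57:03 www named[11783]: FORMERR resolving 'example-a.cn/NS/IN': 221.12.88.12#53
Oct  9 15:57:10 www named[11783]: FORMERR resolving 'example-b.cn/NS/IN': 221.12.88.12#53
Oct  9 15:57:21 www named[11783]: FORMERR resolving 'example-c.cn/NS/IN': 221.12.88.12#53
Oct  9 16:30:00 www named[11783]: FORMERR resolving 'example-d.cn/NS/IN': 221.12.88.12#53
Oct  9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Return a dict for one resolver-error line, or None for any other named line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; pinning one keeps them comparable within a file.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2009)
    return {
        "ts": ts,
        "kind": "FORMERR" if m.group("formerr") else m.group("rcode"),
        "name": m.group("name"),
        "rtype": m.group("rtype"),
        "server": m.group("server"),
    }


def events_per_server(lines, kind="FORMERR"):
    """Group timestamps of error lines of the given kind by the remote server that sent them."""
    per_server = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == kind:
            per_server[ev["server"]].append(ev["ts"])
    return per_server


def totals_per_server(lines, kind="FORMERR"):
    """Total error lines per server: the same figure as 'grep <ip> | wc -l', split by error kind."""
    return {s: len(t) for s, t in events_per_server(lines, kind).items()}


def max_in_window(timestamps, window_seconds):
    """Largest number of events inside any interval of window_seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_noisy_servers(lines, threshold, window_seconds, kind="FORMERR"):
    """Return {server: peak_count} for servers with >= threshold errors inside one window."""
    flagged = {}
    for server, stamps in events_per_server(lines, kind).items():
        peak = max_in_window(stamps, window_seconds)
        if peak >= threshold:
            flagged[server] = peak
    return flagged


if __name__ == "__main__":
    # Illustrative tuning: 4 FORMERR answers from one server within 60 seconds.
    for server, peak in flag_noisy_servers(SAMPLE_LINES, threshold=4, window_seconds=60).items():
        print(f"{server}: peak of {peak} FORMERR responses inside 60s "
              f"({totals_per_server(SAMPLE_LINES)[server]} total)")
```

Run it against a real file with `flag_noisy_servers(open("/var/log/messages"), threshold, window)`; the peak-per-window number is the one to compare against whatever frequency and timeframe you pick for the OSSEC rule, and the per-server split tells you whether a handful of remote servers account for most of the noise.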
Re: FORMERR resolving

Posted: Sat Oct 10, 2009 3:58 am
by breun
scott wrote: If you add this to /etc/named.conf this will only allow recursion (ie querying for domains your server is not master/secondary for) only from localhost:

allow-recursion { localhost; };
There's a setting in Plesk for that: Settings > DNS Recursion Settings.