FORMERR resolving
Hello,
I am running Plesk 8.6 on CentOS 5.x and I have been seeing a lot of these messages, which are format errors on requests:
named[3018]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53
Unfortunately it's not one or two of them:
# grep FORMERR /var/log/messages | wc -l
14989
What would be the best-practice way of dealing with this issue?
Thank you in advance,
Nik
- Atomicorp Staff - Site Admin
- Posts: 8355
- Location: earth
Re: FORMERR resolving
That can happen with internationalized domain names (given the .cn extension); basically you're trying to resolve something and the format of the response is invalid. It could be indicative of a spam attack, or, if you allow recursion to named, a DoS attack. If you add this to /etc/named.conf it will only allow recursion (i.e. querying for domains your server is not master/secondary for) from localhost:
allow-recursion { localhost; };
Re: FORMERR resolving
Hmm, something does not seem right here.
I remember doing this in the panel and I went in to check, and Plesk says that it's set to localhost,
while /etc/named.conf begs to differ (localnets), which I think would cover this anyway (correct me here if I am wrong please).
In any case I set it back to localhost in /etc/named.conf and... let's see.
Thank you,
Nik
Re: FORMERR resolving
Wow, that was quick to see results (pasting just segments):
Oct 9 15:49:17 www named[11783]: running
Oct 9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct 9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct 9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53
My /etc/resolv.conf has as primary DNS my own server (127.0.0.1). Do you think I should change that to another DNS in the LAN?
Please advise.
Thank you in advance,
Nik
- Atomicorp Staff - Site Admin
- Posts: 8355
- Location: earth
Re: FORMERR resolving
AAAA <- this means it's trying to resolve an IPv6 address for the hostname.
Otherwise using localhost is fine, that rule says that only the local machine can do recursive queries.
Re: FORMERR resolving
I still get the:
Oct 9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
type of messages though.
Cheers,
Nik
Re: FORMERR resolving
More stats:
[root@www ~]# grep 222.186.30.143 /var/log/messages | wc -l
4267
[root@www ~]# grep 221.12.88.12 /var/log/messages | wc -l
3910
[root@www ~]# grep 211.91.237.4 /var/log/messages | wc -l
7051
It's starting to look like an attack...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: FORMERR resolving
It may be. FORMERR is internally generated by bind when it doesn't like the format of the negative answer it got:
http://www.ietf.org/rfc/rfc2136.txt
Michael Shinn
Atomicorp - Security For Everyone
Re: FORMERR resolving
I'm thinking about adding a custom rule on OSSEC for it; do you think it's worth it? Can you propose a best-practice interval to trigger it?
Cheers,
Nik
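As an added example (not from this thread, and not OSSEC's own rule syntax), here is the frequency-within-timeframe logic such a rule would encode, written as a small Python script that parses named's FORMERR lines in the format quoted above and reports any responding server that produced a burst of them. The sample log is constructed (the first two FORMERR lines are from the thread, the rest are made up), and the year, threshold and window values are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the FORMERR lines quoted in this thread: syslog prefix, then bind's message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"FORMERR resolving '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN': (?P<server>[\d.]+)#\d+$"
)

# Constructed sample log: a non-FORMERR line to show it is skipped, then FORMERR bursts.
SAMPLE_LOG = """\
Oct 9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct 9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct 9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53
Oct 9 15:57:10 www named[11783]: FORMERR resolving 'example.test/NS/IN': 221.12.88.12#53
Oct 9 15:57:40 www named[11783]: FORMERR resolving 'example.test/AAAA/IN': 221.12.88.12#53
Oct 9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
"""

def parse_line(line, year=2009):
    """Return (timestamp, qname, qtype, server) for a FORMERR line, else None.
    syslog omits the year, so the caller supplies it (2009 is an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["qname"], m["qtype"], m["server"]

def noisy_servers(lines, threshold=3, window_seconds=60):
    """Map server IP -> peak FORMERR count seen inside any window_seconds-long
    sliding window, for servers that reached threshold (OSSEC frequency/timeframe)."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps[parsed[3]].append(parsed[0])
    flagged = {}
    for server, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the span fits inside window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[server] = max(flagged.get(server, 0), count)
    return flagged
```

Running `noisy_servers(SAMPLE_LOG.splitlines())` flags only 221.12.88.12 (three FORMERRs within 42 seconds); the single event from 222.186.30.143 stays below the threshold, which is the distinction a per-line match alone cannot make.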
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
Re: FORMERR resolving
scott wrote: If you add this to /etc/named.conf it will only allow recursion (i.e. querying for domains your server is not master/secondary for) from localhost:
allow-recursion { localhost; };
There's a setting in Plesk for that: Settings > DNS Recursion Settings.
Lemonbit Internet Dedicated Server Management