Atomic Secure Linux
Post subject: FORMERR resolving
Posted: Fri Oct 09, 2009 4:27 am
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
Hello,

I am running Plesk 8.6 on CentOS 5.x and I have been seeing a lot of these messages, which are format errors on requests:

named[3018]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53

Unfortunately it's not one or two of them:

# grep FORMERR /var/log/messages | wc -l
14989

what would be the best practice way of dealing with this issue?

Thank you in advance,

Nik

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 8:06 am
Atomicorp Staff - Site Admin (Posts: 7772; Location: earth)
That can happen with internationalized domain names (given the .cn extension); basically you're trying to resolve something and the format of the response is invalid. It could be indicative of a spam attack, or, if you allow recursion to named, a DoS attack. If you add this to /etc/named.conf it will only allow recursion (i.e. querying for domains your server is not master/secondary for) from localhost:

allow-recursion { localhost; };

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 8:50 am
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
Hmm, something does not seem right here.

I remember doing this in the panel, and I went in to check: Plesk says that it's set to localhost, while /etc/named.conf begs to differ (localnets), which I think would cover this anyway (correct me here if I am wrong, please).

In any case I set it back to localhost in /etc/named.conf and... let's see.

Thank you,

Nik

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 8:58 am
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
Wow, that was quick to see results (pasting just segments):

Oct 9 15:49:17 www named[11783]: running
Oct 9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct 9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct 9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53


My /etc/resolv.conf has my own (127.0.0.1) as the primary DNS; do you think I should change that to another DNS in the LAN?

Please advise.

Thank you in advance,

Nik

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 11:15 am
Atomicorp Staff - Site Admin (Posts: 7772; Location: earth)
AAAA <- this means it's trying to resolve an IPv6 hostname.

Otherwise using localhost is fine, that rule says that only the local machine can do recursive queries.

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 11:25 am
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
I still get the:

Oct 9 18:23:22 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53

type of messages, though.

Cheers,

Nik

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 12:48 pm
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
More stats:

[root@www ~]# grep 222.186.30.143 /var/log/messages | wc -l
4267
[root@www ~]# grep 221.12.88.12 /var/log/messages | wc -l
3910
[root@www ~]# grep 211.91.237.4 /var/log/messages | wc -l
7051

It's starting to look like an attack...

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 7:05 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 3545; Location: Chantilly, VA)
It may be. FORMERR is internally generated by BIND when it doesn't like the format of the negative answer it got:

http://www.ietf.org/rfc/rfc2136.txt

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: FORMERR resolving
Posted: Fri Oct 09, 2009 10:21 pm
Forum Regular (Joined: Sun Jun 04, 2006 10:03 am; Posts: 122)
I'm thinking about adding a custom rule on OSSEC for it; do you think it's worth it? Can you propose a best-practice interval to trigger it?

Cheers,

Nik
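The OSSEC question just above, and the per-server counts tallied earlier in the thread with grep | wc -l, are what this added example models. It is not code from the thread, from Atomicorp or from OSSEC: a small Python parser for BIND's "FORMERR resolving" log line, run over constructed sample lines modelled on the ones quoted above (the year 2009 is assumed, since syslog timestamps carry none). It counts FORMERRs per upstream server and flags any server that produces at least `threshold` of them inside a `window_seconds` span, which is the same shape as an OSSEC rule with frequency and timeframe attributes. The threshold and window values used here are illustrative, not a recommended interval.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Oct  9 15:49:17 www named[11783]: running
Oct  9 15:54:54 www named[11783]: unexpected RCODE (SERVFAIL) resolving '55.233.160.95.in-addr.arpa/PTR/IN': 193.0.0.193#53
Oct  9 15:56:53 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
Oct  9 15:56:58 www named[11783]: FORMERR resolving 'ns2.stillprove.com/AAAA/IN': 221.12.88.12#53
Oct  9 15:57:10 www named[11783]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53
Oct  9 15:57:21 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
Oct  9 15:57:40 www named[11783]: FORMERR resolving 'wanaboh.cn/NS/IN': 221.12.88.12#53
Oct  9 15:57:55 www named[11783]: FORMERR resolving 'qejuhok.cn/NS/IN': 221.12.88.12#53
Oct  9 16:20:03 www named[11783]: FORMERR resolving 'ns5.6p4.ru/AAAA/IN': 222.186.30.143#53
"""

LOG_YEAR = 2009  # assumption: syslog timestamps carry no year, so one is supplied

# Shape of BIND's message: FORMERR resolving '<name>/<type>/<class>': <server>#<port>
FORMERR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"FORMERR resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_formerr(line):
    """Return the fields of a BIND FORMERR line as a dict, or None for any other line."""
    m = FORMERR_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    ts = " ".join(fields["ts"].split())  # collapse the padding in "Oct  9"
    fields["time"] = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return fields


def count_by_server(lines):
    """FORMERRs per upstream server: the grep | wc -l tally from the thread, in one pass."""
    return Counter(e["server"] for e in map(parse_formerr, lines) if e)


def burst_servers(lines, threshold, window_seconds):
    """Servers with at least `threshold` FORMERRs inside any `window_seconds` span.

    Sliding window over each server's sorted event times; this is the logic an
    OSSEC frequency/timeframe rule applies to matched events.
    """
    by_server = defaultdict(list)
    for e in filter(None, map(parse_formerr, lines)):
        by_server[e["server"]].append(e["time"])
    flagged = set()
    for server, times in by_server.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(server)
                break
    return flagged


if __name__ == "__main__":
    # Pass a syslog file (e.g. /var/log/messages) as the first argument, else use the sample.
    lines = list(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for server, n in count_by_server(lines).most_common():
        print(f"{n:6d}  {server}")
    print("bursting:", sorted(burst_servers(lines, threshold=4, window_seconds=60)))
```

Two things the counts make visible: restricting recursion with allow-recursion { localhost; } does not silence these messages, because the box's own lookups through 127.0.0.1 in /etc/resolv.conf still recurse and still hit the same upstream servers, and the per-server tally shows which upstreams are producing the malformed answers, which is the list you would want before deciding on a rule threshold.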

Post subject: Re: FORMERR resolving
Posted: Sat Oct 10, 2009 3:58 am
Long Time Forum Regular (Joined: Sat Aug 20, 2005 9:30 am; Posts: 2812; Location: The Netherlands)
scott wrote:
If you add this to /etc/named.conf it will only allow recursion (i.e. querying for domains your server is not master/secondary for) from localhost:

allow-recursion { localhost; };


There's a setting in Plesk for that: Settings > DNS Recursion Settings.

_________________
Lemonbit Internet Dedicated Server Management
