Weird named entries in /var/log/messages

Scr33x0r (Verified User, joined Jul 24, 2006, 27 messages)
Code:
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns2.suddenyet.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns1.suddenyet.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns2.suddenyet.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns1.suddenyet.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:54:10 web01 named[26794]: FORMERR resolving 'areasimilar.com/NS/IN': 59.63.157.212#53
Jan 19 15:54:10 web01 named[26794]: FORMERR resolving 'areasimilar.com/NS/IN': 79.135.168.145#53
Jan 19 15:56:11 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 79.135.168.145#53
Jan 19 15:56:11 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 59.63.157.212#53
Jan 19 15:56:11 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:56:11 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:56:12 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:56:12 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:56:14 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:56:14 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:56:14 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:56:14 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:58:53 web01 named[26794]: lame server resolving 'caury.de' (in 'caury.de'?): 87.118.125.94#53
Jan 19 15:58:53 web01 named[26794]: lame server resolving 'caury.de' (in 'caury.de'?): 87.118.124.94#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving '20.177.71.116.in-addr.arpa' (in '71.116.in-addr.arpa'?): 203.99.163.243#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving '20.177.71.116.in-addr.arpa' (in '71.116.in-addr.arpa'?): 203.99.163.240#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving 'ns1.ptcl.net' (in 'ptcl.net'?): 203.99.163.240#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving 'ns2.ptcl.net' (in 'ptcl.net'?): 203.99.163.240#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving 'ns1.ptcl.net' (in 'ptcl.net'?): 203.99.163.243#53
Jan 19 15:59:40 web01 named[26794]: lame server resolving 'ns2.ptcl.net' (in 'ptcl.net'?): 203.99.163.243#53
Jan 19 16:01:31 web01 named[26794]: lame server resolving '11-59-179-94.pool.ukrtel.net' (in 'ukrtel.net'?): 198.6.1.82#53
Jan 19 16:03:12 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 79.135.168.145#53
Jan 19 16:03:12 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 59.63.157.212#53
Jan 19 16:03:16 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:03:16 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:03:16 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:03:16 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:03:20 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:03:20 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:03:20 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:03:20 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:03:28 web01 named[26794]: lame server resolving 'acidcustom.com' (in 'acidcustom.com'?): 72.232.177.114#53
Jan 19 16:03:31 web01 named[26794]: unexpected RCODE (SERVFAIL) resolving 'jetworld.com/MX/IN': 66.186.8.221#53
Jan 19 16:07:06 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 59.63.157.212#53
Jan 19 16:07:06 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:07:06 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:07:06 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:07:06 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:07:08 web01 named[26794]: FORMERR resolving 'powerinstrument.com/NS/IN': 79.135.168.145#53
Jan 19 16:07:09 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:07:09 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 59.63.157.212#53
Jan 19 16:07:11 web01 named[26794]: FORMERR resolving 'pts2.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:07:11 web01 named[26794]: FORMERR resolving 'pts1.feetdraw.com/AAAA/IN': 79.135.168.145#53
Jan 19 16:08:51 web01 named[26794]: FORMERR resolving 'premium-klassen24.com/NS/IN': 93.92.42.3#53

And at the same time I'm receiving complaints about e-mail sent to our customers which doesn't arrive; however, I can't find any log entries for those. Is it related or not, and how can I solve the FORMERR and unexpected RCODE (SERVFAIL) resolving?

The people who try to send to my customers do not always get an error, but one got the following error:
Code:
Thu Jan 15 20:11:44 2009 Info: Connection Error: DCID: 6531428
domain:xxx.com IP: 83.149.82.xxx
port: 25 details: EOF interface: 89.146.30.xx reason: network error.
 
Do you have recursive lookups turned on? If so, turn it off.

Recursive lookups allow your DNS servers to respond to DNS requests even if the domain names don't reside on your boxes.

I'm just guessing that that is the problem here. I'm probably wrong.
 
The people who try to send to my customers do not always get an error, but one got the following error:
Code:
Thu Jan 15 20:11:44 2009 Info: Connection Error: DCID: 6531428
domain:xxx.com IP: 83.149.82.xxx
port: 25 details: EOF interface: 89.146.30.xx reason: network error.
Where is he getting this error?

Jeff
 
Also I do have some strange messages in the Syslog file.

Jan 20 16:15:11 server named[7235]: client 66.230.128.15#42244: query (cache) './NS/IN' denied
Jan 20 16:15:12 server named[7235]: client 66.230.160.1#25499: query (cache) './NS/IN' denied
For the past several days I have had this. My log files are WAY too big because this happens multiple times a second... According to the internet, it is a DNS DDoS attack with spoofed IPs. It is very annoying because bfd or apf firewall won't help with this (only when I am checking the server myself and deny them with apf / iptables..)

Anybody found a simple solution for this?
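The two kinds of lines in this thread need to be read differently, so here is an added example (my own code, not anything posted in the thread) that parses both: the FORMERR / lame server / SERVFAIL lines from the first post, where the address at the end is the remote server that answered badly, and the "query (cache) ... denied" lines from the post above, where the address is a client (possibly spoofed) that named correctly refused. The sample log is constructed from a few of the quoted lines plus two extra denied lines so that the per-second rate is visible.

```python
import re
from collections import Counter

# Constructed sample: a few lines modelled on the named messages quoted in this
# thread, plus two extra 'denied' lines (port numbers invented) to show rate counting.
SAMPLE_LOG = """\
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns2.suddenyet.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns1.suddenyet.com/AAAA/IN': 79.135.168.145#53
Jan 19 15:54:09 web01 named[26794]: FORMERR resolving 'dns2.suddenyet.com/AAAA/IN': 59.63.157.212#53
Jan 19 15:58:53 web01 named[26794]: lame server resolving 'caury.de' (in 'caury.de'?): 87.118.125.94#53
Jan 19 16:03:31 web01 named[26794]: unexpected RCODE (SERVFAIL) resolving 'jetworld.com/MX/IN': 66.186.8.221#53
Jan 20 16:15:11 server named[7235]: client 66.230.128.15#42244: query (cache) './NS/IN' denied
Jan 20 16:15:11 server named[7235]: client 66.230.128.15#42245: query (cache) './NS/IN' denied
Jan 20 16:15:11 server named[7235]: client 66.230.160.1#25498: query (cache) './NS/IN' denied
Jan 20 16:15:12 server named[7235]: client 66.230.160.1#25499: query (cache) './NS/IN' denied
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"

# Errors hit while named was resolving on behalf of a client. The address at the
# end of the line is the *remote* server that misbehaved, not one of ours.
UPSTREAM_RE = re.compile(
    TS + r" \S+ named\[\d+\]: "
    r"(?P<kind>FORMERR|lame server|unexpected RCODE \((?P<rcode>\w+)\)) "
    r"resolving '(?P<name>[^']+)'.*: (?P<server>[\d.]+)#53$"
)

# Recursive queries named refused because the client is outside allow-recursion /
# allow-query-cache. Source addresses may be spoofed, so they are counted, not trusted.
DENIED_RE = re.compile(
    TS + r" \S+ named\[\d+\]: client (?P<client>[\d.]+)#\d+: "
    r"query \(cache\) '(?P<query>[^']+)' denied$"
)


def parse_line(line):
    """Classify one syslog line from named; return a dict, or None if not relevant."""
    m = UPSTREAM_RE.match(line)
    if m:
        kind = m.group("rcode") or m.group("kind")  # FORMERR, lame server, SERVFAIL, ...
        return {"type": "upstream", "ts": m.group("ts"), "kind": kind,
                "name": m.group("name"), "server": m.group("server")}
    m = DENIED_RE.match(line)
    if m:
        return {"type": "denied", "ts": m.group("ts"),
                "client": m.group("client"), "query": m.group("query")}
    return None


def triage(log_text):
    """Aggregate both families of messages so each can be judged on its own."""
    upstream_by_server, upstream_by_kind = Counter(), Counter()
    denied_by_client, denied_by_query, denied_per_second = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "upstream":
            upstream_by_server[rec["server"]] += 1
            upstream_by_kind[rec["kind"]] += 1
        else:
            denied_by_client[rec["client"]] += 1
            denied_by_query[rec["query"]] += 1
            denied_per_second[rec["ts"]] += 1
    return {
        "upstream_by_server": upstream_by_server,
        "upstream_by_kind": upstream_by_kind,
        "denied_by_client": denied_by_client,
        "denied_by_query": denied_by_query,
        "peak_denied_per_second": max(denied_per_second.values(), default=0),
    }


def report(result):
    """Human-readable summary: remote servers that answered badly vs refused clients."""
    lines = ["remote servers that answered badly (not ours to fix):"]
    for server, n in result["upstream_by_server"].most_common():
        lines.append(f"  {server:16} {n}")
    lines.append("by error kind: " + ", ".join(f"{k}={v}" for k, v in result["upstream_by_kind"].items()))
    lines.append("refused recursive queries by (unverified) source:")
    for client, n in result["denied_by_client"].most_common():
        lines.append(f"  {client:16} {n}")
    lines.append(f"peak refused per second: {result['peak_denied_per_second']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Reading the output the way a defender would: the FORMERR, lame server and SERVFAIL counts are keyed by someone else's nameserver, so there is nothing on web01 to repair, and they only bear on the mail complaints if the names being resolved are the MX records of the customer domains. The refused './NS/IN' queries are named doing its job; because the source addresses can be forged, blocking them one by one with apf or iptables chases ghosts, and the useful lever is the allow-recursion / allow-query-cache ACL so the server never answers such clients in the first place.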
 
It's in a bounced e-mail message (from his mailer daemon)
Then check the logs on your server.
About the recursive queries, is there a way I can allow recursive for some IPs?
Yes, if you really want to you can. There's plenty of information in online BIND documentation.

I bought a copy of DNS and BIND; it's a great book.

Jeff
 
I've already figured it out, because I will allow recursive queries within my servers now. I made an acl with all the servers listed and allow-recursion { "acl_name"; }; It works like a charm!

About the e-mail, it was due to my old version of exim and the backups I put back from a newer version of exim (the backups were 4.69 and the software was 4.60); it caused strange connection errors, and since I've updated all e-mails are coming in again..
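To make the ACL fix above concrete, here is an added example (my own code, not from the thread or from ISC) that puts the weak named.conf next to the corrected one and runs a small check over both. The config fragments are constructed; the "trusted" acl name and the 192.0.2.0/24 network are placeholders for whatever the poster's own server list is. The checker only understands the options block and a few recursion-related statements; it is a toy linter, not a replacement for named-checkconf.

```python
import re

# Constructed: what an open recursive resolver looks like. BIND defaults
# recursion to yes, and with no allow-recursion anyone on the internet can use it.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;
};
"""

# Constructed: recursion kept on, but only for an explicit acl. allow-query-cache
# is set too so cache lookups (the './NS/IN' queries) are refused for everyone else.
FIXED_CONF = """\
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;    // placeholder for the poster's own server network
};
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
};
"""

# Constructed: the misspelled statement as it first appeared in the thread.
TYPO_CONF = """\
options {
    recursion yes;
    allow-recursive { "trusted"; };
};
"""

COMMON_TYPOS = {"allow-recursive": "allow-recursion"}
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def _block(text, header):
    """Return the brace-balanced body of the first `header { ... }` block, or None."""
    m = re.search(r"\b" + re.escape(header) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in {header} block")


def _statements(body):
    """Split a block body on top-level ';' into (keyword, value) pairs."""
    out, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            parts = "".join(cur).split(None, 1)
            if parts:
                out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
            cur = []
        else:
            cur.append(ch)
    return out


def _members(address_match_list):
    """Tokens of an address match list: addresses, networks, or acl names."""
    return [t.lstrip("!") for t in re.findall(r'[^{};\s"]+', address_match_list)]


def _looks_like_address(token):
    return re.fullmatch(r"[0-9a-fA-F:.]+(/\d+)?", token) is not None


def audit(conf):
    """Return a list of findings; an empty list means the recursion settings look sane."""
    text = _strip_comments(conf)
    body = _block(text, "options")
    if body is None:
        return ["no options block found"]
    stmts = dict(_statements(body))
    acls = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', text))
    findings = [f"unknown statement '{k}' (did you mean '{COMMON_TYPOS[k]}'?)"
                for k in stmts if k in COMMON_TYPOS]
    if stmts.get("recursion", "yes").lower() == "yes":      # BIND's default is yes
        if "allow-recursion" not in stmts:
            findings.append("open resolver: recursion is on and allow-recursion is not set")
        else:
            members = _members(stmts["allow-recursion"])
            if "any" in members:
                findings.append("open resolver: allow-recursion { any; }")
            for m in members:
                if not _looks_like_address(m) and m not in BUILTIN_ACLS and m not in acls:
                    findings.append(f"allow-recursion references undefined acl '{m}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("typo", TYPO_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or ["ok"])
```

After editing the real file, run the check that ships with BIND (named-checkconf /etc/named.conf) before reloading; it rejects the misspelled statement outright, which is the quickest way to tell that the acl is actually in force rather than silently ignored.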
 