Monday, November 16, 2009

bind

SkyHi @ Monday, November 16, 2009
In /var/log/messages, I'm getting lots of weird entries:

Mar 23 19:54:15 named[1319]: client 127.0.0.1#55094: query: com.com IN A +
Mar 23 19:55:15 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN AAAA +
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.199#53
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.198#53
Mar 23 19:55:15 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN AAAA +
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.198#53
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.199#53
Mar 23 19:55:15 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN AAAA +
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.199#53
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.198#53
Mar 23 19:55:16 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN AAAA +
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.198#53
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.199#53
Mar 23 19:55:16 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN A +
Mar 23 19:55:16 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN MX +
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.199#53
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.198#53
Mar 23 19:55:16 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN MX +
Mar 23 19:55:16 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.198#53
Mar 23 19:55:17 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.199#53
Mar 23 19:55:17 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN MX +
Mar 23 19:55:17 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.199#53
Mar 23 19:55:17 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.198#53
Mar 23 19:55:17 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN MX +
Mar 23 19:55:17 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.198#53
Mar 23 19:55:17 named[1319]: FORMERR resolving 'gondasnailart.com/MX/IN': 195.50.105.199#53

There are lots of other weird entries like this to other sites that are presumably spam:
Mar 23 19:07:06 named[1319]: client 82.165.148.17#3509: query: DBDIGITALSYSTEMS.COM IN A +
Mar 23 19:07:06 named[1319]: client 82.165.148.17#3510: query: RSTEDT.COM IN CNAME +
Mar 23 19:07:10 named[1319]: client 82.165.148.17#3973: query: UTEC-INT.COM IN A +
Mar 23 19:07:10 named[1319]: client 82.165.148.17#3974: query: JAUDODESIGN.COM IN CNAME +
Mar 23 19:07:10 named[1319]: client 82.165.148.17#4033: query: VOIP-PORTAL.NET IN A +
Mar 23 19:07:12 named[1319]: client 82.165.148.17#4196: query: FIRSTTIMEGAYSTORY.COM IN A +
Mar 23 19:07:12 named[1319]: client 82.165.148.17#4198: query: HBAILEN.COM IN CNAME +
Mar 23 19:07:12 named[1319]: client 82.165.148.17#4199: query: CALIFORNIAGUYZ.COM IN CNAME +
Mar 23 19:07:12 named[1319]: client 82.165.148.17#4200: query: SANTOSRESTORATION.COM IN A +
Mar 23 19:07:16 named[1319]: lame server resolving 'SANTOSRESTORATION.COM' (in 'SANTOSRESTORATION.com'?): 65.61.199.13#53
Mar 23 19:07:16 named[1319]: lame server resolving 'SANTOSRESTORATION.COM' (in 'SANTOSRESTORATION.com'?): 65.61.198.13#53
Mar 23 19:07:17 named[1319]: client 82.165.148.17#4826: query: DSTAXI.COM IN A +
Mar 23 19:07:31 named[1319]: client 82.165.148.17#2160: query: ALBERTLEA.NET IN A +
Mar 23 19:07:41 named[1319]: client 82.165.148.17#3313: query: PDQELECTRICAL.COM IN A +
Mar 23 19:07:41 named[1319]: client 82.165.148.17#3315: query: SONGICON.COM IN CNAME +
Mar 23 19:07:41 named[1319]: client 82.165.148.17#3316: query: MARKETCLEAR.NET IN CNAME +
Mar 23 19:07:41 named[1319]: client 82.165.148.17#3317: query: BAREKNUCKLEEXTREME.COM IN CNAME +
Mar 23 19:07:45 named[1319]: FORMERR resolving 'SONGICON.COM/CNAME/IN': 72.32.71.213#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'BAREKNUCKLEEXTREME.COM/CNAME/IN': 204.13.160.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'BAREKNUCKLEEXTREME.COM/CNAME/IN': 204.13.161.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'ns1.dsredirection.com/AAAA/IN': 204.13.160.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'ns2.dsredirection.COM/AAAA/IN': 204.13.160.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'ns1.dsredirection.com/AAAA/IN': 204.13.161.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'ns2.dsredirection.COM/AAAA/IN': 204.13.161.15#53
Mar 23 19:07:45 named[1319]: FORMERR resolving 'SONGICON.COM/CNAME/IN': 72.32.71.212#53

Solution:
The FORMERR is a "FORMAT ERROR" message. This is likely because you are trying to resolve IPv6 addresses (aka AAAA records). Try turning off IPv6 in both Named and your mail server.

There also appears to be a problem resolving MX (mail exchange) records. Not sure why that is occurring.

Do the IP addresses belong to your network or are they unknown remote hosts?


Reference: http://www.linuxquestions.org/questions/linux-security-4/varlogmessages-problem-540090/
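The last question in the answer (are the querying IPs yours or unknown remote hosts?) is the one worth automating: a recursive query (the trailing "+" in a BIND 9 query-log line means the client set the recursion-desired bit) from an address outside your own networks indicates the resolver is answering recursion for strangers, which is the open-resolver condition. The script below is an added example, not code from the original post or from linuxquestions.org; it parses the two line formats seen above, flags recursive queries from untrusted clients, and tallies FORMERR responses per upstream server and per record type so the AAAA/MX pattern the answer points at is visible at a glance. The trusted ranges and the sample lines are constructed assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
Mar 23 19:54:15 named[1319]: client 127.0.0.1#55094: query: com.com IN A +
Mar 23 19:55:15 named[1319]: client 127.0.0.1#55094: query: gondasnailart.com IN AAAA +
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.199#53
Mar 23 19:55:15 named[1319]: FORMERR resolving 'gondasnailart.com/AAAA/IN': 195.50.105.198#53
Mar 23 19:07:06 named[1319]: client 82.165.148.17#3509: query: DBDIGITALSYSTEMS.COM IN A +
Mar 23 19:07:06 named[1319]: client 82.165.148.17#3510: query: RSTEDT.COM IN CNAME +
Mar 23 19:07:45 named[1319]: FORMERR resolving 'SONGICON.COM/CNAME/IN': 72.32.71.213#53
"""

# BIND 9 query log: "client <ip>#<port>: query: <name> IN <type> <flags>".
# A leading '+' in <flags> means the client requested recursion (RD bit set).
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) (\S+)")
# BIND 9 resolver log: "FORMERR resolving '<name>/<type>/IN': <server>#<port>".
FORMERR_RE = re.compile(r"FORMERR resolving '([^/]+)/(\w+)/IN': (\S+)#\d+")

# Assumed trusted client ranges (placeholder; replace with your real LAN prefixes).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Return (recursive queries from untrusted clients, FORMERRs per upstream, FORMERRs per qtype)."""
    outside = []                 # (client, name, qtype) for RD queries from outside TRUSTED_NETS
    formerr_by_server = Counter()
    formerr_by_type = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, name, qtype, flags = m.groups()
            if flags.startswith("+") and not is_trusted(client):
                outside.append((client, name, qtype))
            continue
        m = FORMERR_RE.search(line)
        if m:
            _name, qtype, server = m.groups()
            formerr_by_server[server] += 1
            formerr_by_type[qtype] += 1
    return outside, formerr_by_server, formerr_by_type

if __name__ == "__main__":
    outside, by_server, by_type = analyze(SAMPLE_LOG)
    print("recursive queries from untrusted clients:", outside)
    print("FORMERR per upstream:", dict(by_server), "per qtype:", dict(by_type))
```

Run it over the real /var/log/messages to see whether the recursion is coming from your own hosts; if the untrusted list is non-empty, restricting recursion with BIND's allow-recursion to your own prefixes is the fix.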