Possible attack? Funny DNS requests

[bAgZ]

Hi there i am wondering if anyone can help me out. I have a Linux server hosting about 70 domains. Lately i have been noticing in my logs /var/log/messages following requests

Feb 10 02:43:42 gipsy named[572]: lame server resolving '83.52.225.82.ipwhois.rfc-ignorant.org' (in 'ipwhois.rfc-ignorant.org'?): 127.0.0.1#53
Feb 10 02:43:55 gipsy named[572]: lame server resolving '53.16.22.216.ipwhois.rfc-ignorant.org' (in 'ipwhois.rfc-ignorant.org'?): 127.0.0.1#53

Sometimes its up to three a second. Searched on google for similar behavior and found nothing. Has anyone seen this before? Could it be that my server is blacklisted? Or could it be some kind of hack?

[Cemetric]

Hello bAgZ,

As I can see it I think there is a problem in your DNS config as at the end of the lines you copied in you post you can see the 127.0.0.1 home address.

Now I could be mistaking but I think you need to check your config.

Also if you google just a portion of the log like lame server resolving you can find lots of articles about your specific problem , just click the link and click on the first article there ..you'll find some interesting stuff allready.
If you DIG a bit deeper I'm sure you'll find lots more.

Gr33tz,

C.

[Maestr0]

A lame server is a DNS server that claims to be or should be authorative for a zone but isnt. Theres plenty of these out there.


-Maestr0

if you dont want them logged, just change /etc/named.conf.

logging {
category lame-servers {null; };
};

[bAgZ]

Thanks for thehelp. Just to clarify i do run a DNS server and never had any problems this only started from 9 feb. Anyway i will look into the config one more time.