My BIND 9.10.3 is logging strange entries like:
Jan 12 12:44:49 www named[24776]: client 117.136.25.126#18977: message parsing failed: FORMERR
Jan 12 12:50:47 www named[24776]: client 117.136.25.126#18978: message parsing failed: FORMERR
Jan 12 13:00:08 www named[24776]: client 117.136.95.15#24805: message parsing failed: FORMERR
117.136.95.15 is not in my network, and I don't allow recursion for anything but localhost, thus it must be for a zone I'm authoritative for.
This only started recently (Jan 5th). Looking at the log, it seems that only queries from:
# zfgrep "message parsing failed: FORMERR" daemon.log* | awk '{print $7}' |awk -F\. '{printf("%s.%s.x.x\n",$1,$2)}' | sort | uniq -c | sort -n
1 101.27.x.x
1 121.31.x.x
1 1.84.x.x
1 61.158.x.x
104 223.104.x.x
150 117.136.x.x
are causing this. Looking at the WHOIS info for those IPs:
inetnum: 117.128.0.0 - 117.191.255.255
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN
inetnum: 223.64.0.0 - 223.117.255.255
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN
It seems that the DNS queries aren't well formatted. Maybe you have a network device corrupting UDP traffic, or maybe those IPs are from a botnet searching for exploitable DNS servers (that's what I think).
So, I took a tcpdump and was rewarded with quite a few packets from the same two networks, causing the same messages in my log.
Looking at the packets, nothing in their DNS payload seems to be correct:
The domain-name field contains a binary "0". DNS domain labels are length-encoded, and a length of "0" indicates an "empty name"; the root zone has the empty name.
But since the rest of the DNS payload also consists of almost exclusively zeroes, this is probably coincidence.
It could be an attack, but more likely broken software (like a firewall).
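An added example (not from the question or either answer) showing the header and question-section checks a nameserver applies before it can act on a query, and why a zero-filled packet like the one described above fails them while a genuine root-zone query (a single zero-length label) parses fine. All packets here are constructed for illustration.

```python
import struct

HEADER_LEN = 12  # DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16 bits each)

def parse_name(msg, off):
    """Decode a DNS name starting at `off`; returns (labels, new_offset) or raises ValueError."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        off += 1
        if length == 0:          # zero-length label ends the name; no labels at all means the root "."
            return labels, off
        if length & 0xC0:        # 0b11xxxxxx = compression pointer, not valid in a bare question name
            raise ValueError("unexpected compression pointer or reserved label type")
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def check_query(msg):
    """Return 'OK: <qname> type <qtype> class <qclass>' or a 'FORMERR: <reason>' string."""
    if len(msg) < HEADER_LEN:
        return "FORMERR: shorter than the 12-byte header"
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    if flags & 0x8000:
        return "FORMERR: QR bit set (this is a response, not a query)"
    if qd != 1:                  # a query must carry exactly one question
        return f"FORMERR: expected one question, QDCOUNT={qd}"
    try:
        labels, off = parse_name(msg, HEADER_LEN)
        if off + 4 > len(msg):
            raise ValueError("question missing QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except ValueError as e:
        return f"FORMERR: {e}"
    return f"OK: {'.'.join(labels)}. type {qtype} class {qclass}"

# Constructed samples: a normal RD query for example.com/A, a root-zone NS query, an all-zero payload
# like the one seen in the tcpdump, and a query cut off in the middle of its name.
HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # ID 0x1234, RD=1, QDCOUNT=1
GOOD = HDR + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
ROOT = HDR + b"\x00" + b"\x00\x02\x00\x01"
ZEROS = b"\x00" * 32
TRUNC = GOOD[:20]

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("root", ROOT), ("zeros", ZEROS), ("trunc", TRUNC)):
        print(f"{label:5} -> {check_query(pkt)}")
```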