On Jul 15, 2011 12:36 PM, "Joshua Beard" <j...@hewbert.com> wrote:
>
> Greetings,
>
> I've noticed a specific client machine doing a crap load of reverse lookups in my named logs. It's just reverse lookups for our internal network, and just from that machine. I can't see that this machine is looking up anything else, actually. Here's an example:
> 11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)
>
> It appears to be non-stop. Middle of the night and through the day. I don't have physical access to the machine at this time, so I can't investigate too much.
>
> Is this abuse? If so, is it likely intentional?

There are many apps that can generate the volume of queries you are seeing. The query rate is really not that high. My first guess is some sort of logging tool, but there are a great many other possibilities.

R. Kevin Oberman, Network Engineer
Retired
kob6...@gmail.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
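
Added example (not part of the original thread, and not BIND code): a Python sketch that answers the triage questions raised in this thread from the query log itself, per client: how many queries are PTR, whether the addresses being reversed are private or public, and the query rate. The regular expression covers only the log format quoted in the post, `SAMPLE` is the first five quoted lines, and `summarize` and `ptr_target` are names made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# First five query-log lines quoted in the post above.
SAMPLE = """\
11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
"""
# Assumption: matches the format shown in the post; other BIND versions log differently.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"(?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

def ptr_target(qname):
    """Return the IPv4 address a full in-addr.arpa name asks about, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    try:
        return ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def summarize(text):
    """Per client: total queries, PTR count, private/public targets, queries/sec."""
    stats = defaultdict(lambda: {"total": 0, "ptr": 0, "private": 0, "public": 0, "times": []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a query line, or a format this sketch does not cover
        s = stats[m["client"]]
        s["total"] += 1
        s["times"].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"))
        target = ptr_target(m["qname"]) if m["qtype"] == "PTR" else None
        if target is not None:
            s["ptr"] += 1
            s["private" if target.is_private else "public"] += 1
    for s in stats.values():
        times = s.pop("times")
        span = (max(times) - min(times)).total_seconds()
        s["qps"] = round(s["total"] / span, 2) if span else None
    return dict(stats)

print(summarize(SAMPLE))
```

Run over a full day's log, the same summary shows whether one client stands out from the rest and whether its PTR targets follow a sequential pattern or mirror addresses seen in other traffic.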