too much activity

Barry Margolin barmar at alum.mit.edu
Tue Aug 10 00:23:54 UTC 2004


In article <cf91po$23pp$1 at sf1.isc.org>,
 Markus Plannerer <mp at No.erpa.Spam.de> wrote:

> Hello,
> 
> we have updated from BIND8 to BIND9 and in the new
> named.conf logging is enabled by:
> logging {
> 	channel query_logging {
> 		file "/var/log/named_querylog"
> 			versions 3 size 100M;
> 		print-time yes;			// timestamp log entries
> 	};
> 	category queries {
> 		query_logging;
> 	};
> 	category lame-servers { null; };
> };
> 
> Now every second there is an entry in the log like:
> Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
> Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
> Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
> Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
> and so on and so ...
> 
> 
> Can anybody give me a hint?

There's an application on the local machine that's trying to do a 
reverse lookup of 212.227.15.130 every second.  If you want to know why, 
you'll have to investigate what's running on your machine -- it's not a 
BIND issue.

Since it's always coming from the same port, you might try using lsof to 
see what process is bound to that UDP port.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
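
Added example, not part of the original thread: a shell sketch of the triage described in the reply above. It counts repeated (client, port, question) tuples in a BIND 9 query log and prints the lsof command for each loopback source port. The function names repeated_queries, lsof_hints and sample_log are hypothetical, and the sample input is the four log lines from the post plus one constructed line.

```shell
#!/bin/sh
# Assumed one-line BIND 9 query-log format, as in the post:
#   <mon> <day> <time> client <addr>#<port>: query: <name> <class> <type>

# repeated_queries MIN: read a query log on stdin and print
# "count addr port name type" for every (client, port, question)
# seen at least MIN times, busiest first. (Hypothetical helper.)
repeated_queries() {
    awk -v min="$1" '
        $4 == "client" && $6 == "query:" {
            split($5, c, "#")            # c[1] = address, c[2] = "port:"
            sub(/:$/, "", c[2])
            n[c[1] " " c[2] " " $7 " " $9]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -k1,1nr
}

# lsof_hints: read repeated_queries output and print one lsof command per
# loopback source port. Only local clients can be traced this way.
lsof_hints() {
    awk '$2 == "127.0.0.1" || $2 == "::1" { print "lsof -nP -iUDP:" $3 }' |
        sort -u
}

# Sample input: four lines from the post plus one constructed line.
sample_log() {
    cat <<'EOF'
Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:18.500 client 192.0.2.10#40001: query: www.example.com IN A
Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
EOF
}

# Demo: show the repeat offender, then the command to run as root on the host.
sample_log | repeated_queries 3
sample_log | repeated_queries 3 | lsof_hints
```

The printed lsof command only finds an owner while the querying process still holds that UDP socket open, which is the case when the source port stays constant as it does here.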

