Reverse lookup flood from a single host

Joshua Beard josh at hewbert.com
Fri Jul 15 19:24:29 UTC 2011 

Greetings,

I've noticed a specific client machine doing a crap load of reverse lookups in my named logs.  It's just reverse lookups for our internal network, and just from that machine.  I can't see that this machine is looking up anything else, actually.  Here's an example:
11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)
11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)

It appears to be non-stop.  Middle of the night and through the day.  I don't have physical access to the machine at this time, so I can't investigate too much.

Is this abuse?  If so, is it likely intentional?

Thanks in advance,
Josh

More information about the bind-users mailing list