repeated 16 hour interval spike in authoritative PTR lookups
Barry Margolin
barmar at alum.mit.edu
Wed Jan 9 21:01:54 UTC 2019
In article <mailman.3.1547066042.711.bind-users at lists.isc.org>,
jm9386 <jm9386 at att.com> wrote:
> also the vast majority - over 95% of the queries we are seeing are coming
> from open resolvers on the Internet - distributed all over the world. It
> seems awfully suspicious for resolvers all over the world to decide to query
> PTR records for our ISP related in-addr.arpa space every 16 hours.
Maybe too obvious, but is 16 hours the TTL of your PTR records?
Although even if it is, I'm not sure what would cause all these servers
to sync up to the same 16-hour cycle. Maybe at some point you reduced
the TTL (because you were reconfiguring things), then when you bumped it
back up they all timed out the old records at about the same time, and
ever since they've been refreshing at the same times.
--
Barry Margolin
Arlington, MA
More information about the bind-users
mailing list