On Jul 15, 2011, at 12:24 PM, Joshua Beard wrote:
> Greetings,
>
> I've noticed a specific client machine doing a crap load of reverse lookups
> in my named logs. It's just reverse lookups for our internal network, and
> just from that machine. I can't see that this machine is looking up anything
> else, actually. Here's an example:
>
> 11-Jul-2011 08:11:00.997 client 172.30.116.116#53: view dsdk12.schoollocal: query: 99.115.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.116 client 172.30.116.116#53: view dsdk12.schoollocal: query: 75.241.40.208.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.392 client 172.30.116.116#53: view dsdk12.schoollocal: query: 1.162.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.393 client 172.30.116.116#53: view dsdk12.schoollocal: query: 150.160.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.590 client 172.30.116.116#53: view dsdk12.schoollocal: query: 25.96.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.680 client 172.30.116.116#53: view dsdk12.schoollocal: query: 2.130.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 40.207.115.66.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:01.940 client 172.30.116.116#53: view dsdk12.schoollocal: query: 22.114.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.588 client 172.30.116.116#53: view dsdk12.schoollocal: query: 55.98.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.785 client 172.30.116.116#53: view dsdk12.schoollocal: query: 179.112.30.172.in-addr.arpa IN PTR + (172.30.112.121)
> 11-Jul-2011 08:11:02.786 client 172.30.116.116#53: view dsdk12.schoollocal: query: 105.248.250.17.in-addr.arpa IN PTR + (172.30.112.121)
>
> It appears to be non-stop. Middle of the night and through the day. I don't
> have physical access to the machine at this time, so I can't investigate too
> much.
>
> Is this abuse? If so, is it likely intentional?
Given that the client is using an RFC-1918 unrouteable IP, presumably it's local to your network. The data you've shown is less than 10 queries per second; whether this is abusive depends on your policies, but it's not a high query rate.

It wouldn't surprise me if a webserver log analysis program like analog/Unison/webalyzer or a virus/malware scanner would generate such traffic.

Regards,
-- 
-Chuck

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users