too much activity
Kevin Darcy
kcd at daimlerchrysler.com
Tue Aug 10 00:33:20 UTC 2004
Markus Plannerer wrote:
>Hello,
>
>we have updated from BIND8 to BIND9 and in the new
>named.conf logging is enabled by:
>logging {
>    channel query_logging {
>        file "/var/log/named_querylog"
>            versions 3 size 100M;
>        print-time yes; // timestamp log entries
>    };
>    category queries {
>        query_logging;
>    };
>    category lame-servers { null; };
>};
>
>Now there is an entry in the log every second like:
>Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>and so on and so ...
>
>
>Can anybody give me a hint?
>
Is this really a logging question, or is it a question of why you're getting
1 particular query every second? Looks like some long-running process on
your system is constantly doing the same reverse lookup. Is there
anything special about that address? Does the query resolve? If the
query doesn't resolve, then it would appear that this piece of software
knows nothing about negative caching (i.e. caching the fact that a
particular name does not exist). Maybe by making it resolve to something
(even something bogus), you might be able to humor the application and
stop it from querying so often. If you want to actually *stop* the
queries altogether, you might need to start taking down applications
until you find the one that's generating the queries, then determine
what in its config files -- assuming it *has* config files -- is causing
it to do that, and reconfigure it in order to stop the querying. I can't
give you anything more specific than that, since I don't know what
system you're running, what apps are on it, etc.
- Kevin
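
The triage suggested in the reply above can start from the query log itself. The following is an added example, not part of the original thread or of BIND: a Python sketch that parses lines in the format quoted in the question and reports any client that repeats the same query at short, regular intervals. The function name, the thresholds, the assumed year (the log carries none) and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted above (one entry per line, unwrapped).
SAMPLE_LOG = """\
Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:17.530 client 192.0.2.10#40112: query: www.example.com IN A
Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:07:41.900 client 192.0.2.10#40113: query: www.example.com IN A
"""

# Matches only the log layout shown in this thread; other BIND versions differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def find_repeaters(log_text, min_count=4, max_gap=2.0, year=2004):
    """Return (ip, qname, qtype, run_length, ports) for each query repeated
    at least min_count times in a row with every gap <= max_gap seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in any other format
        # The log has no year; one is assumed so the timestamp parses cleanly.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        key = (m["ip"], m["qname"].lower(), m["qtype"])
        seen[key].append((ts, int(m["port"])))
    hits = []
    for key, events in seen.items():
        events.sort()
        run = best = [events[0]]
        for prev, cur in zip(events, events[1:]):
            gap = (cur[0] - prev[0]).total_seconds()
            run = run + [cur] if gap <= max_gap else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_count:
            # A single source port across the run points at one long-lived socket.
            hits.append((*key, len(best), sorted({p for _, p in best})))
    return hits

if __name__ == "__main__":
    for hit in find_repeaters(SAMPLE_LOG):
        print(hit)
```

A stable source port, as in the log above, means one long-lived socket is sending the queries, so a socket listing on the host (for example `lsof -nP -iUDP:32844`) names the owning process without taking applications down one at a time.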