Resolvers performing broadcast requests

[Barry Margolin]

In article <F1AEEB8403A0D211ABBE00805F19A153EC6FE9 at otcmsg69b.carlson.com>,
Moyer, Rob (c) <RMoyer at Carlson.com> wrote:
>There is (or was) a stealth secondary server on our network running bind
>4.9.6 on HP-UX 10.20. I am preparing to shutdown the name server on this box
>but not being sure of how many devices were using it for DNS resolution I
>first turned it into a caching server, updated all the known resolvers that
>were configured with its address then started query logging. I have been
>monitoring the queries for a week now and I noticed a large number of
>queries coming from resolvers that I know do not have this server's address
>in their resolv.conf, I then realized they were all coming from the local
>subnet so I surmise that these queries are broadcasts. 

Perhaps you should use tcpdump to verify this conjecture.

>I looked at the "DNS and Bind" books and did some queries on dejanews but I
>can't find a enough information to help answer the following questions that
>I have.
>
>1) What causes resolvers to send out broadcast queries like this when they
>clearly are configured with nameserver addresses?

They shouldn't, they should send to the ones in the resolver
configuration.

Maybe Microsoft, in their infinite wisdom, decided to send broadcasts if
the configured servers don't respond.  Windows tends to use broadcasts alot.

>2)  I notice that most of the queries to this server are coming from the
>local host itself yet the resolv.conf on this server does not have its own
>address in its resolv.conf so I can't understand why it queries itself so
>often?

Does it have *any* addresses in its resolv.conf?  If not, it defaults to
using the local host.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.