too much activity

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 10 00:33:20 UTC 2004


Markus Plannerer wrote:

>Hello,
>
>we have updated from BIND8 to BIND9 and in the new
>named.conf logging is enabled by:
>logging {
>	channel query_logging {
>		file "/var/log/named_querylog"
>			versions 3 size 100M;
>		print-time yes;			// timestamp log entries
>	};
>	category queries {
>		query_logging;
>	};
>	category lame-servers { null; };
>};
>
>Now every second there is an entry in the log like:
>Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
>and so on and so ...
>
>
>Can anybody give me a hint?
>
Is this really a logging question, or is it a question of why you're getting 
1 particular query every second? Looks like some long-running process on 
your system is constantly doing the same reverse lookup. Is there 
anything special about that address? Does the query resolve? If the 
query doesn't resolve, then it would appear that this piece of software 
knows nothing about negative caching (i.e. caching the fact that a 
particular name does not exist). Maybe by making it resolve to something 
(even something bogus), you might be able to humor the application and 
stop it from querying so often. If you want to actually *stop* the 
queries altogether, you might need to start taking down applications 
until you find the one that's generating the queries, then determine 
what in its config files -- assuming it *has* config files -- is causing 
it to do that, and reconfigure it in order to stop the querying. I can't 
give you anything more specific than that, since I don't know what 
system you're running, what apps are on it, etc.

- Kevin
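
One way to confirm the pattern described in the reply from the query log itself, as an added example that is not part of the original thread: it parses lines in the format quoted above and reports client/port/name tuples that repeat at short intervals. The function name, the thresholds, the pinned year and the second sample client are assumptions; the sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the BIND 9 query-log format quoted above (print-time yes).
SAMPLE_LOG = """\
Aug 09 20:05:17.017 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:18.028 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:19.027 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:20.038 client 127.0.0.1#32844: query: 130.15.227.212.in-addr.arpa IN PTR
Aug 09 20:05:20.500 client 192.0.2.10#40001: query: www.example.com IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def find_repeaters(log_text, min_count=3, max_interval=2.0):
    """Return (ip, port, qname, qtype, count, mean_interval_s) for repeated queries."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log categories, or fragments of wrapped lines
        # The log carries no year; pin one (assumed) so parsing is deterministic.
        ts = datetime.strptime("2004 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        seen[(m["ip"], int(m["port"]), m["qname"].lower(), m["qtype"])].append(ts)
    hits = []
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        # Mean gap between consecutive queries for this client/port/name/type.
        mean = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        if mean <= max_interval:
            hits.append((*key, len(stamps), round(mean, 3)))
    return sorted(hits, key=lambda h: -h[4])

if __name__ == "__main__":
    for ip, port, qname, qtype, count, mean in find_repeaters(SAMPLE_LOG):
        print(f"{ip}#{port} {qname} {qtype}: {count} queries, ~{mean}s apart")
```

A source port that stays the same across every hit, as 32844 does here, points to one long-lived socket, so it can be matched against the host's open UDP sockets to name the process.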


