No subject


Tue Apr 2 00:56:56 UTC 2013


> the BIND ARM:
> 
> """""""""""""
> Specify where queries should be logged to.
> 
> At startup, specifying the category queries will also enable query logging
> unless querylog option has been specified.
> 
> The query log entry reports the client's IP address and port number. The
> query name, class and type. It also reports whether the Recursion Desired
> flag was set (+ if set, - if not set), EDNS was in use (E) or if the query
> was signed (S).
> 
> client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
> client ::1#62537: query: www.example.net IN AAAA -SE
> """""""""""""""
> 
> Notice the "+" or "-" sign.

And if you are interested, here is a Perl snippet with a regex that will 
catch a recursive query for an IPv4 address.  The IP address of the 
offending host will be available in the read-only variable $4 after a 
successful match.

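use strict;
use warnings;

open(my $qlog, '<', 'query.log') or die "Cannot open query.log: $!";
while (<$qlog>) {
    # skip blank lines and comments (should not be any though)
    next if /^\s*(#|$)/;
    # clean up trailing newlines
    chomp;
    # check to see if we have a recursive query: the "+" must be the first
    # character of the flags field, not a "+" elsewhere on the line
    if (/(^\s*)(client)(\s+)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(#\d+.*\squery:\s.*\s)(\+)(.*)/) {
        print "$4 performed a recursive query.  Contact the admin and notify them of the new servers to be used.\n";
    }
}
close($qlog);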


hth,


Dave...





[clip...]
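
Added example, not part of the original post: a Python parser for the query log format quoted from the ARM above. It goes beyond the IPv4-only match by also accepting IPv6 clients, reading the Recursion Desired sign from the flags field only, and counting recursive queries per client. The sample lines are constructed, and the timestamp/category prefix on two of them is an assumption about the logging channel settings.

```python
import re
from collections import Counter

# Constructed sample lines in the format the ARM excerpt shows; the second
# and fourth carry an assumed timestamp/category prefix.
SAMPLE_LOG = """\
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
02-Apr-2013 00:56:56.101 queries: info: client ::1#62537: query: www.example.net IN AAAA -SE
client 192.0.2.10#40000: query: a+b.example.org IN A -E
02-Apr-2013 00:56:57.310 queries: info: client 192.0.2.10#40001: query: www.example.com IN A +
client 2001:db8::53#5353: query: example.com IN MX +E
this line is not a query entry
"""

# client <addr>#<port>: query: <name> <class> <type> <+|-><other flags>
ENTRY = re.compile(
    r"client\s+(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+):\s+"
    r"query:\s+(?P<name>\S+)\s+(?P<cls>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<rd>[+-])(?P<flags>\S*)"
)

def parse_line(line):
    """Return a dict for a query log entry, or None for anything else."""
    m = ENTRY.search(line)
    if m is None:
        return None
    return {
        "client": m["addr"],
        "port": int(m["port"]),
        "name": m["name"],
        "class": m["cls"],
        "type": m["type"],
        "recursion_desired": m["rd"] == "+",  # + if set, - if not set
        "edns": "E" in m["flags"],            # EDNS in use
        "signed": "S" in m["flags"],          # query was signed
    }

def recursive_clients(lines):
    """Count queries with Recursion Desired set, keyed by client address."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["recursion_desired"]:
            counts[entry["client"]] += 1
    return counts

if __name__ == "__main__":
    for addr, n in recursive_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{addr}\t{n} recursive queries")
```

The third sample line has a "+" inside the query name but a "-" flag, so it is not counted as recursive.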



More information about the bind-users mailing list