Excessive Reverse DNS lookups

14-11-2007, 03:34 PM   #11
alexd
Re: Excessive Reverse DNS lookups

anahata wrote:

> I've noticed, though, that there is still a high volume of DNS requests
> being sent out, much more than the rate of incoming spam mails, but they
> don't look like requests for anything workstation users are asking for.
> For one thing, many of them result in NXDOMAIN, and for another, they
> are being sent out from the server without any corresponding request
> coming into the server.


Do you know what domains they're for? 'tcpdump -i ethN udp port 53' will
tell you. Stuff like RDNS for RFC1918 addresses should be easy enough to
fix.

> I've not got a web proxy running, which might otherwise have accounted
> for it. The main services are exim4, apache, samba and pop3.


Doesn't dnsmasq have some logging options you could turn up 11?

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
12:49:32 up 11 days, 14:37, 2 users, load average: 0.04, 0.03, 0.05
09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0

14-11-2007, 03:34 PM   #12
anahata
Re: Excessive Reverse DNS lookups

alexd wrote:
>
> Do you know what domains they're for? 'tcpdump -i ethN udp port 53' will
> tell you. Stuff like RDNS for RFC1918 addresses should be easy enough to
> fix.


Both tcpdump and dnsmasq tell me what domains are being looked up, but
many don't look pertinent to normal traffic. Many of them are reverse
lookups that fail, which I'd expect from checking the sender domain on
spam, but they happen with obviously greater frequency than incoming
spam attempts.

> Doesn't dnsmasq have some logging options you could turn up 11?


Logging is either on or off, and shows incoming requests, and traffic to
and from upstream servers. What it doesn't tell me is which process is
sending it requests from 127.0.0.1, in fact I'm not sure if localhost
requests are logged at all.

--
Anahata
anahata@treewind.co.uk -+- http://www.treewind.co.uk
Home: 01638 720444 Mob: 07976 263827
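
Added example (not part of either post): a Python script that tallies the PTR queries in saved `tcpdump` output, showing how many target RFC1918 addresses and how many came back NXDomain. It assumes the capture was taken with `-n`, so that tcpdump's own reverse lookups do not add to the traffic being measured; the sample lines and the function names `ptr_to_ip` and `summarize` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i ethN udp port 53` output (not from the thread).
SAMPLE = """\
12:49:32.100 IP 192.168.1.2.40001 > 192.168.1.1.53: 4011+ PTR? 15.1.168.192.in-addr.arpa. (43)
12:49:32.140 IP 192.168.1.1.53 > 192.168.1.2.40001: 4011 NXDomain 0/1/0 (98)
12:49:33.200 IP 192.168.1.2.40002 > 192.168.1.1.53: 4012+ PTR? 7.113.0.203.in-addr.arpa. (42)
12:49:33.260 IP 192.168.1.1.53 > 192.168.1.2.40002: 4012 NXDomain 0/1/0 (97)
12:49:34.300 IP 192.168.1.2.40003 > 192.168.1.1.53: 4013+ A? example.com. (29)
12:49:35.400 IP 192.168.1.2.40004 > 192.168.1.1.53: 4014+ PTR? 15.1.168.192.in-addr.arpa. (43)
12:49:35.440 IP 192.168.1.1.53 > 192.168.1.2.40004: 4014 NXDomain 0/1/0 (98)
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
QUERY = re.compile(r": (\d+)\S* ([A-Z]+)\? (\S+)")   # e.g. ": 4011+ PTR? name."
NXDOMAIN = re.compile(r": (\d+) NXDomain")           # e.g. ": 4011 NXDomain 0/1/0"


def ptr_to_ip(name):
    """Return the IPv4 address behind an in-addr.arpa name, or None."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def summarize(capture):
    """Count PTR lookups per address; flag private targets and NXDOMAIN answers."""
    pending, stats, per_ip = {}, Counter(), Counter()
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            txid, qtype, name = q.groups()
            ip = ptr_to_ip(name) if qtype == "PTR" else None
            pending[txid] = ip  # keyed on DNS transaction id only (assumes one client)
            stats["queries"] += 1
            if ip is not None:
                stats["ptr"] += 1
                per_ip[str(ip)] += 1
                stats["ptr_rfc1918"] += any(ip in net for net in RFC1918)
            continue
        nx = NXDOMAIN.search(line)
        if nx and pending.pop(nx.group(1), None) is not None:
            stats["ptr_nxdomain"] += 1
    return stats, per_ip
```

Sorting `per_ip` by count shows which addresses are being looked up repeatedly, which is the first thing to compare against the mail log.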