3

I installed dnstop to monitor my nameserver running bind9 and was surprised to see it being queried for other domains that I don't host. I am just wondering if this is normal behaviour, or have I configured something incorrectly? Edit: I just had a thought... is this my local machine querying itself? I am running a webserver on this box too.

```
Queries: 1 new, 483 total                              Mon Jan 19 22:00:37 2015

Query Name                          Count      %   cum%
------------------------------- --------- ------ ------
omeee.ga                              218   45.1   45.1
canonical.com                          47    9.7   54.9
spamcop.net                            35    7.2   62.1
google.com                             16    3.3   65.4
phocks.org                             14    2.9   68.3
com.tr                                 13    2.7   71.0
spamhaus.org                           11    2.3   73.3
mediacenter.hu                          9    1.9   75.2
jazztel.es                              9    1.9   77.0
hol.gr                                  8    1.7   78.7
rr.com                                  6    1.2   79.9
com.ar                                  5    1.0   81.0
mollom.com                              5    1.0   82.0
amyhendicott.ga                         5    1.0   83.0
yahoo.com                               4    0.8   83.9
googlemail.com                          4    0.8   84.7
sbb.rs                                  3    0.6   85.3
fricktal.info                           3    0.6   85.9
wanadoo.fr                              3    0.6   86.5
co.nz                                   3    0.6   87.2
boydcycles.com                          2    0.4   87.6
alicedsl.de                             2    0.4   88.0
sealion.com                             2    0.4   88.4
tpsa.pl                                 2    0.4   88.8
comunitel.net                           2    0.4   89.2
capecodhurricanes.org                   2    0.4   89.6
buddhistcouncilofqueensland.org         2    0.4   90.1
hostnet.nl                              2    0.4   90.5
onlinehome-server.com                   2    0.4   90.9
193.in-addr.arpa                        2    0.4   91.3
gregpoulgrain.ga                        2    0.4   91.7
```
phocks
  • 173
  • 6
  • It sounds like you have recursion enabled. If this DNS server is meant to act only as the name server for your domain then you probably want to disable recursion. – joeqwerty Jan 19 '15 at 16:11
  • How did you start `dnstop` (since you need to specify a device file)? What is in your `resolv.conf`? Are you running a recursive or authoritative nameserver on this box? – Patrick Mevzek Apr 16 '17 at 18:49
  • Sorry @PatrickMevzek this was a while ago and now my server is shut down. Thanks for reminding me I need to accept the given answer as the correct one though. Cheers have a good day! – phocks Apr 16 '17 at 22:20

1 Answer

11

If you are running a publicly accessible DNS server then other clients may start using you.
Maybe to use you as a public resolver, or maybe to abuse your service for a DNS amplification attack.

If you are not running a public server and have 127.0.0.1 set up as your resolver on that server:
It's most likely queries your applications make to resolve external services,
like sending mail, resolving IPs to host names for log files, etc.

If neither is the case, then you should start sniffing DNS and figure out who sends those queries.

faker
  • 17,496
  • 2
  • 60
  • 70
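
One way to work out who sends those queries, as an added example that is not part of the original answer: it groups BIND 9 query-log lines by client and labels each client local or external, counting only names outside the zones the server hosts. It assumes query logging is enabled; the function names, the `example.org` hosted zone and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# BIND 9 query-log line: "... client [@0x...] ADDR#PORT (name): [view X: ]query: name IN TYPE flags"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): (?:view \S+ )?query: "
)

def in_hosted_zone(qname, hosted_zones):
    """True if qname equals, or is a subdomain of, a zone this server hosts."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in hosted_zones)

def who_is_asking(lines, hosted_zones, local_addrs=()):
    """Count queries for non-hosted names per client; label each client local or external."""
    foreign = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or in_hosted_zone(m["qname"], hosted_zones):
            continue  # not a query line, or a normal authoritative query
        foreign[m["addr"]][m["qname"].lower()] += 1
    report = {}
    for addr, names in foreign.items():
        is_local = ipaddress.ip_address(addr).is_loopback or addr in local_addrs
        report[addr] = {"origin": "local" if is_local else "external",
                        "total": sum(names.values()), "top": names.most_common(3)}
    return report

# Constructed sample log lines (documentation addresses; example.org is an assumed hosted zone).
SAMPLE_LOG = """\
19-Jan-2015 22:00:31.104 queries: info: client 127.0.0.1#40112 (spamcop.net): query: spamcop.net IN A + (127.0.0.1)
19-Jan-2015 22:00:31.250 queries: info: client 198.51.100.23#53124 (omeee.ga): query: omeee.ga IN A +E (203.0.113.5)
19-Jan-2015 22:00:32.007 queries: info: client 127.0.0.1#40113 (spamcop.net): query: spamcop.net IN A + (127.0.0.1)
19-Jan-2015 22:00:32.311 queries: info: client 198.51.100.23#53124 (omeee.ga): query: omeee.ga IN A +E (203.0.113.5)
19-Jan-2015 22:00:33.598 queries: info: client 192.0.2.77#33010 (www.example.org): query: www.example.org IN A - (203.0.113.5)
19-Jan-2015 22:00:34.120 queries: info: client 127.0.0.1#40114 (canonical.com): query: canonical.com IN A + (127.0.0.1)
19-Jan-2015 22:00:34.902 queries: info: client 198.51.100.23#53124 (omeee.ga): query: omeee.ga IN A +E (203.0.113.5)
""".splitlines()

if __name__ == "__main__":
    for addr, info in sorted(who_is_asking(SAMPLE_LOG, {"example.org"}).items()):
        print(addr, info["origin"], info["total"], info["top"])
```

Clients reported as `external` are asking this server about names it does not host; pass the server's own non-loopback addresses in `local_addrs` if `resolv.conf` points at one of them rather than at 127.0.0.1.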