# Way too many DNS lookups



## darthnul (Sep 23, 2019)

I'm looking for suggestions about how to identify a process that is doing a reverse lookup of the same IPv4 address between 200 and 1000+ times per second.  The DNS server is able to resolve the address, but the queries keep coming.  The server is running FreeBSD 11.2p13 serving (internal) DNS and DHCP and a few smaller services.   DNS query logging is enabled and all the queries show the client to be 127.0.0.1.  When I comment out 127.0.0.1 in resolv.conf, the queries end up going to my other DNS server which logs the source as the IP address of the problem server.

I'm not sure how long this has been going on.  Top says the CPU load is not elevated due to this, but those query logs are a LOT bigger than they should be and this box has limited disk space.  There are no end-users on the machine.  DNS is ISC BIND  9.11.11 (Extended Support Version).  DHCP is isc-dhcpd-4.4.1.  No IPv6 is enabled anywhere on the box.


----------



## Martin Paredes (Sep 23, 2019)

Try `sockstat -4 -p 53`; it will show the PID.

Then run `ps axw | grep PID`


----------



## darthnul (Sep 23, 2019)

I found it: syslogd is apparently looking up the IP address of the remote sender of every single syslog message.


----------



## obsigna (Sep 24, 2019)

darthnul said:


> I found it: syslogd is apparently looking up the IP address of the remote sender of every single syslog message.


For this reason, I have this in my /etc/rc.conf:

```
syslogd_flags="-ss"
```

See the description of the -s option in syslogd(8). In case you need remote logging, the -n option might be useful as well.


----------
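To spot this kind of repeated lookup in the BIND query log itself, the sketch below counts queries per client, name and type within each second and reports the peaks. It is an added example, not code from anyone in the thread; it assumes the BIND 9.11 query-log line layout with print-time enabled, and the sample lines, addresses and the `repeated_queries` helper are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout: BIND 9.11 query log written with print-time enabled.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) \S+ (?P<qtype>\S+)"
)

def repeated_queries(lines, threshold):
    """Map (client, qname, qtype) -> peak queries in any one second,
    keeping only keys whose peak reaches `threshold`."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not query records
            per_second[(m["ts"], m["client"], m["qname"], m["qtype"])] += 1
    peaks = {}
    for (_ts, client, qname, qtype), n in per_second.items():
        key = (client, qname, qtype)
        peaks[key] = max(peaks.get(key, 0), n)
    return {k: v for k, v in peaks.items() if v >= threshold}

def _line(ts, client, qname, qtype):
    # Builds one constructed log line; pointer value and port are made up.
    return (f"23-Sep-2019 {ts} queries: info: client @0x803a1c000 "
            f"{client}#40111 ({qname}): query: {qname} IN {qtype} + (127.0.0.1)")

PTR_NAME = "7.2.0.192.in-addr.arpa"  # constructed (192.0.2.7, documentation range)
SAMPLE_LOG = (
    [_line(f"10:15:01.{i:03d}", "127.0.0.1", PTR_NAME, "PTR") for i in range(5)]
    + [_line(f"10:15:02.{i:03d}", "127.0.0.1", PTR_NAME, "PTR") for i in range(3)]
    + [_line("10:15:01.500", "192.0.2.20", "www.example.com", "A")]
    + ["23-Sep-2019 10:15:03.000 general: info: zone reloaded"]
)

if __name__ == "__main__":
    # A threshold of 4 suits the tiny sample; the thread describes 200+ per second.
    for (client, qname, qtype), peak in repeated_queries(SAMPLE_LOG, 4).items():
        print(f"{client} asked {qname} {qtype} up to {peak} times in one second")
```

A client of 127.0.0.1 in the result means the queries originate on the DNS server itself, which is the point where a per-process check such as `sockstat` takes over.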

