# thousands of connections to DNS



## sugar (May 16, 2010)

Hi, I have configured my FreeBSD as a Syslog Server, so it keeps the log of the company firewall; well, after a suddenly massive growth of /var/log/firewall.log I watched thousands of an abnormal FreeBSD box behaving: It is opening many connections to DNS server per second all the day, all the days; here a sample of the kind of line that is creating more than 22GB per day of log file:

```
May 16 10:55:20 192.168.8.168 id=firewall sn=0017C52805FF time="2010-05-16 11:02:20" fw=[MY FIREWALL IP]
   pri=6 c=262144 m=98 msg="Connection Opened" n=0 src=[FreeBSD Box IP]:64871:X0 dst=4.2.2.2:53:X1 proto=udp/dns
```

(I replaced my ISP DNS for the Level 3 DNS 4.2.2.2 in this thread)


This is the netstat output of the FreeBSD box:

```
$ sudo netstat -a | grep 4.2.2.2
udp4       0      0 freebsd.65402          4.2.2.2.domain
```

I am pretty sure is not normal that a FreeBSD box create more than 22GB of logs by pure opening connections to DNS... 

I can't figure it our why, 

Any help or advice will be appreciated
Thanks in advance!


----------



## DutchDaemon (May 16, 2010)

This has been answered before. Instruct your syslog server not to perform reverse DNS lookups on every syslog packet that arrives. Most likely, the resulting connections get logged as well, leading to even more DNS lookups, which get logged, leading to .... see where this is going?

Edit: when I said 'answered before', I should have said: elsewhere  -> http://www.daemonforums.org/showthread.php?p=25160


----------



## sugar (May 16, 2010)

Thanks a lot, I will read that thread !


----------



## DutchDaemon (May 16, 2010)

Good. It may not be exactly the same problem, but it is almost certainly some type of loop feeding on itself and spinning out of control. Replacing DNS lookups with local entries in /etc/hosts will probably prove successful.


----------

