Massive DNS requests from Graylog-Server process


(Klaus Tachtler) #1

Hi,

I’m new to Graylog and have a problem with many DNS requests caused by the Graylog server (java) process on my internal DNS resolver.

It’s several hundred per minute, always the same recurring DNS request:

Sep 4 14:19:40 dnsserver unbound:[5711:0] info: 10.7.0.110 20.0.7.10.in-addr.arpa. PTR IN
Sep 4 14:19:40 dnsserver unbound:[5711:0] info: 10.7.0.110 20.0.7.10.in-addr.arpa. PTR IN NXDOMAIN 0.000000 1 99

How can I find out why these DNS requests are being made?
What have I done wrong?

Many thanks in advance
Klaus.


(Klaus Tachtler) #2

Hi,

I found the solution by myself, sorry for that:

The problem was that rsyslog was sending all messages (including the logged DNS requests) to the Graylog server, and the Graylog server then tried to check the IP against DNS, and so on.

I solved it by excluding the named (ISC BIND) and unbound log entries. Since they are no longer sent to the Graylog server, everything is as expected:

Here is my /etc/rsyslog.conf:

# Write named messages to a local file
:programname, isequal, "named"                          /var/log/named.log
# Write unbound messages to a local file
:programname, isequal, "unbound"                        /var/log/unbound.log
# Stop processing named and unbound messages here so they never reach
# the forwarding rule below (and so never trigger rDNS lookups in Graylog)
:programname, isequal, "named" stop
:programname, isequal, "unbound" stop
# Forward everything else to Graylog over TCP (@@) in RFC 5424-style format
*.*                                                     @@10.7.0.110:514;RSYSLOG_SyslogProtocol23Format

Sorry,
Klaus.


(Jan Doberstein) #3

The other solution would have been to disable the DNS lookup for the source at the syslog input.


(Klaus Tachtler) #4

Hi Jan,

Thank you for your answer.

How can I do that?

Web-Interface | Graylog-Inputs | Input | More actions | Edit -->

Force rDNS? (optional)

DISABLE --> ☑
Force rDNS resolution of hostname? Use if hostname cannot be parsed. (Be careful if you are sending DNS logs into this input because it can cause a feedback loop.)

Thank you!
Klaus.
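As an added example (not code from the thread or from Graylog), the feedback loop described in the posts above can also be spotted on the resolver side: the script below parses unbound query-log lines in the format quoted in the first post and flags any client that asks for the same PTR record at or above a threshold of times per minute. The threshold, the sample lines and the 10.7.0.55 client are constructed assumptions.

```python
import re
from collections import Counter

# One unbound query-log line (log-queries: yes), as shown in the thread:
# "Sep 4 14:19:40 dnsserver unbound:[5711:0] info: 10.7.0.110 20.0.7.10.in-addr.arpa. PTR IN"
# Reply lines (log-replies: yes) carry extra fields after "IN" and are deliberately not matched.
UNBOUND_QUERY = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ unbound:\[\d+:\d+\] "
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) IN$"
)

def ptr_to_ip(qname):
    """Turn '20.0.7.10.in-addr.arpa.' back into '10.7.0.20'; None for non-IPv4-PTR names."""
    labels = qname.rstrip(".").split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:4]))
    return None

def find_rdns_loops(lines, threshold=100):
    """Count PTR queries per (client, looked-up IP, minute) and return the bursts
    at or above threshold. A log-collecting host (here the Graylog server) repeatedly
    resolving the same IP is the signature of the rDNS feedback loop."""
    counts = Counter()
    for line in lines:
        m = UNBOUND_QUERY.match(line)
        if not m or m["qtype"] != "PTR":
            continue
        ip = ptr_to_ip(m["qname"])
        if ip is None:
            continue
        minute = f"{m['month']} {m['day']} {m['hh']}:{m['mm']}"
        counts[(m["client"], ip, minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def sample_lines():
    """Constructed input (not a real capture): one minute of the loop from the
    thread, each query followed by its NXDOMAIN reply, plus ordinary A lookups."""
    loop = ("Sep 4 14:19:{:02d} dnsserver unbound:[5711:0] info: "
            "10.7.0.110 20.0.7.10.in-addr.arpa. PTR IN")
    reply = loop + " NXDOMAIN 0.000000 1 99"
    normal = "Sep 4 14:19:{:02d} dnsserver unbound:[5711:0] info: 10.7.0.55 example.com. A IN"
    lines = []
    for sec in range(60):
        lines += [loop.format(sec), reply.format(sec)] * 3  # 180 PTR queries in one minute
        lines.append(normal.format(sec))
    return lines
```

Running `find_rdns_loops(sample_lines())` returns one entry: the Graylog server 10.7.0.110 asking for the PTR of 10.7.0.20 180 times in the minute Sep 4 14:19, while the ordinary A lookups and the reply lines are ignored.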

