Hi,

We're using Netware DHCP/DNS on NW6.5SP3. A guy who manages a remote DNS
server we have first in our forwarding list is reporting that we're making a
great number of requests of his server which are basically lookups of ip
addresses.
I ran a debug log on dns for a while and isolated from it many instances of
the following entry:


May 31 11:48:07.000 security: query: debug 3: client 10.51.12.142#4311:
query '10.51.12.138.uk.OURCO/IN' approved
May 31 11:48:09.000 security: query: debug 3: client 10.51.12.142#4316:
query '10.51.12.127.uk.OURCO/IN' approved
May 31 11:48:10.000 security: query: debug 3: client 10.51.33.67#3201: query
'10.51.33.171.UK.OURCO/IN' approved
May 31 11:48:11.000 security: query: debug 3: client 10.51.23.124#3574:
query '10.51.23.152.uk.OURCO/IN' approved
May 31 11:48:15.000 security: query: debug 3: client 10.51.33.67#3206: query
'10.51.33.74.UK.OURCO/IN' approved
May 31 11:48:18.000 security: query: debug 3: client 10.51.31.91#3791: query
'10.51.31.142.UK.OURCO/IN' approved
May 31 11:48:21.000 security: query: debug 3: client 10.51.33.66#2264: query
'10.51.33.136.UK.OURCO/IN' approved


I randomnly selected one of these ip addresses and tried to identify what
was going on:


May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309: UDP
request
May 31 11:48:07.000 client: client: debug 5: client 10.51.12.142#4309: using
view '_default'
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4309:
request is not signed
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4309:
recursion available: approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309: query
May 31 11:48:07.000 security: query: debug 3: client 10.51.12.142#4309:
query '138.12.51.10.in-addr.arpa/IN' approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309: send
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309:
sendto
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309:
senddone
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309: next
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4309:
endrequest
May 31 11:48:07.000 client: client: debug 3: client @40b547e0: udprecv
May 31 11:48:07.000 client: client: debug 3: client @40b547e0: udprecv
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310: UDP
request
May 31 11:48:07.000 client: client: debug 5: client 10.51.12.142#4310: using
view '_default'
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4310:
request is not signed
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4310:
recursion available: approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310: query
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4310:
query (cache) approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310:
replace
May 31 11:48:07.000 resolver: dns/resolver: debug 1: createfetch:
10.51.12.138 A
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0: create
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0: join
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fetch 40ad5080 (fctx
427348c0): created
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310: send
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310:
sendto
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310:
senddone
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310: next
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4310:
endrequest
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0:
doshutdown
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0:
stopeverything
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0:
cancelqueries
May 31 11:48:07.000 resolver: dns/resolver: debug 3: fctx 427348c0: destroy
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311: UDP
request
May 31 11:48:07.000 client: client: debug 5: client 10.51.12.142#4311: using
view '_default'
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4311:
request is not signed
May 31 11:48:07.000 security: client: debug 3: client 10.51.12.142#4311:
recursion available: approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311: query
May 31 11:48:07.000 security: query: debug 3: client 10.51.12.142#4311:
query '10.51.12.138.uk.ourco/IN' approved
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311: send
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311:
sendto
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311:
senddone
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311: next
May 31 11:48:07.000 client: client: debug 3: client 10.51.12.142#4311:
endrequest
May 31 11:48:07.000 client: client: debug 3: client @4060c540: udprecv


Both these ip addresses are workstations on the same subnet. Is it really
trying to resolve ip addresses as if they're hostnames, or is this normal
reverse lookup behaviour?

Thanks,




Steve Law