[personal profile] theweaselking
By which I mean this one: When old non-used server is turned off one specific kind of lookup lags.

I got a sniffer into the network card and found the problem: Every time I click a link on the website, two packets register on the old server from the SQL server: One requesting an RDNS lookup on the IP of the webserver, one response from the old DNS server saying "Uh, fucked if I know, dude. Why are you asking me?"

Now the obvious question: why the FUCK is the SQL SERVER doing RDNS lookups on that, and why the fuck is it doing RDNS lookups to a machine that IS NOT its DNS server?

I blame awstats. I'm SURE awstats is somehow responsible.

(no subject)

Date: 2011-04-07 05:27 pm (UTC)
From: [identity profile] zastrazzi.livejournal.com
rdns lookups are pretty common really. Is the new DNS server the SOA for rdns on that zone?

Basically you want to do a tcpdump on the sql server at this point to see where its initial DNS request is going. It's possible whatever it's querying for DNS is responding with a 'nope, that's not me. The SOA is that guy over there'. If that's not actually appearing in that server's config, I recommend doing an rndc flush to clear the dns server's cache.

(no subject)

Date: 2011-04-07 05:33 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
RDNS lookups run manually from the SQL server go to the correct DNS server and get correct results. The DNS servers in the network all know that Old DNS Server is persona non grata.

As well, it ONLY throws this RDNS lookup when it gets a SQL request from the web server on the DMZ. Other SQL requests, both local to it and from other machines in its subnet, don't get RDNS requests to the old DNS server.

The other thing I found when I ran the dump for longer is a bunch of DNS lookups from the SQL server looking for "localhost.[domain].lan" and "localhost.[domain].lan.[domain].lan".

(Edited to make it clearer that this is literally a request for localhost, not just me obfuscating the server name)

I'm out of that office again and at another client, but I'm definitely planning to sniff up the SQL server's traffic and try to see what the fuck it's smoking.
Edited Date: 2011-04-07 05:35 pm (UTC)
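The two things being hunted in this thread are (a) DNS queries leaving the SQL server for a resolver it is not configured to use, and (b) the stray "localhost.[domain].lan" lookups that show up when a search suffix gets appended to a bare name. Below is an added example (not code from the original post or its commenters) that summarises a `tcpdump -nn port 53` capture along those two lines. The capture text, the IP addresses and the `example.lan` domain are constructed placeholders, with 10.0.1.5 standing in for the decommissioned DNS server and 10.0.1.2 for the one the host should be using.

```python
"""Summarise DNS queries in tcpdump output: which resolvers a host actually
talks to, and whether it leaks search-suffix lookups for 'localhost'."""
import re
from collections import Counter

# Constructed sample of `tcpdump -nn port 53` output. 10.0.1.20 is the SQL
# server, 10.0.1.2 its configured resolver, 10.0.1.5 the old DNS server.
SAMPLE_CAPTURE = """\
17:27:01.100001 IP 10.0.1.20.52341 > 10.0.1.5.53: 41001+ PTR? 4.3.2.192.in-addr.arpa. (42)
17:27:01.100900 IP 10.0.1.5.53 > 10.0.1.20.52341: 41001 NXDomain 0/1/0 (99)
17:27:01.101500 IP 10.0.1.20.52342 > 10.0.1.2.53: 41002+ PTR? 25.1.0.10.in-addr.arpa. (42)
17:27:01.102000 IP 10.0.1.2.53 > 10.0.1.20.52342: 41002 1/0/0 PTR web01.example.lan. (70)
17:27:02.200000 IP 10.0.1.20.52343 > 10.0.1.5.53: 41003+ A? localhost.example.lan. (39)
17:27:02.200500 IP 10.0.1.20.52344 > 10.0.1.5.53: 41004+ A? localhost.example.lan.example.lan. (51)
"""

# Resolvers the host is *supposed* to use (assumption for this example).
CONFIGURED_RESOLVERS = {"10.0.1.2"}

# Matches only query lines ("QTYPE? name"). Response lines carry flags such
# as "NXDomain" or "1/0/0" instead and therefore do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+?\s*(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \("
)


def parse_queries(lines):
    """Yield (src, resolver, qtype, qname) for each DNS query line."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["qtype"], m["qname"].rstrip(".")


def summarise(lines, configured_resolvers):
    """Count queries per resolver and collect two kinds of findings:
    queries sent to a resolver outside the configured set, and queries
    whose name is 'localhost' with a search suffix glued on."""
    per_resolver = Counter()
    wrong_resolver = []
    localhost_leaks = []
    for src, dst, qtype, qname in parse_queries(lines):
        per_resolver[dst] += 1
        if dst not in configured_resolvers:
            wrong_resolver.append((src, dst, qtype, qname))
        lowered = qname.lower()
        if lowered == "localhost" or lowered.startswith("localhost."):
            localhost_leaks.append((src, dst, qname))
    return {
        "per_resolver": dict(per_resolver),
        "wrong_resolver": wrong_resolver,
        "localhost_leaks": localhost_leaks,
    }


def example_report():
    """Run the summary over the constructed capture above."""
    return summarise(SAMPLE_CAPTURE.splitlines(), CONFIGURED_RESOLVERS)


if __name__ == "__main__":
    report = example_report()
    print("queries per resolver:", report["per_resolver"])
    for src, dst, qtype, qname in report["wrong_resolver"]:
        print(f"unexpected resolver: {src} -> {dst} {qtype} {qname}")
    for src, dst, qname in report["localhost_leaks"]:
        print(f"search-suffix leak: {src} -> {dst} {qname}")
```

On a real host you would feed it the output of `tcpdump -nn -i <iface> port 53` (or a saved pcap read back with `tcpdump -nn -r file.pcap`) and set `CONFIGURED_RESOLVERS` from the host's actual resolver configuration. A PTR query going to a resolver outside that set, as in the first sample line, is the symptom described in the post; an A query for `localhost.<domain>` shows a bare `localhost` being resolved through the search list rather than the hosts file, which is worth checking against the host's resolver and hosts-file ordering.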

(no subject)

Date: 2011-04-08 12:11 am (UTC)
From: [personal profile] maelorin
looks to me like someone, somewhen, got something to work when it shouldn't have.

aka a hack.

perhaps look for a hardcoded ip address? (or something similar, such as the server name/address) - methinks the dns lookups for that host/localhost may be a good place to start?
