* Michael Watters <wattersmt at gmail.com> [2011-03-25 17:38:27-0400]:
>
> > Leave tcpdump running on a resolver and wait for the misconfigured
> > offender to appear. Use one of the following:
> > ----
> > tcpdump -i bond0 -n -p port 53 -s 0 -w /tmp/dump.pcap
> > tcpdump -i bond0 -n -p port 53 -s 0 -w - -U | tee /tmp/dump.pcap | tcpdump -r - -n
> > ----
> >
> > Good hunting :)
>
> This may be problematic on DNS nodes that are handling thousands of
> queries per second.
>

I doubt it, what matters is the amount of data going through and if your
hard disk can keep up with the pace, I doubt you are pushing 30MB/s :)

As it's high-throughput I recommend you go with the first command (the
second one will choke your computer/terminal).

> Is there a way to make unbound log what lookups are causing these
> messages?
>

Patch the source I imagine, you might be able to do something with the
python bindings though.

Cheers

--
Alexander Clouter
.sigmonster says: Every time I think I know where it's at, they move it.
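An added example, not part of the original message: once the first command has written /tmp/dump.pcap, tallying queries per client and name helps single out the offender. It assumes a classic little-endian pcap of untagged Ethernet/IPv4 frames; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def qname(dns):
    """Decode the first question name of a DNS message."""
    labels, i = [], 12                      # skip the 12-byte DNS header
    while dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(labels) + "."

def tally_queries(pcap):
    """Count (client IP, qname) pairs for UDP queries sent to port 53."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    counts, off = Counter(), 24             # 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                        # not IPv4 carrying UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if len(udp) < 20 or udp[2:4] != b"\x00\x35" or udp[10] & 0x80:
            continue                        # not to port 53, or a response (QR set)
        try:
            src = ".".join(map(str, frame[26:30]))
            counts[(src, qname(udp[8:]))] += 1
        except IndexError:
            continue                        # name truncated by a short snaplen
    return counts

def sample_pcap():
    """Constructed capture: two queries from 192.0.2.10, one from 192.0.2.20."""
    def pkt(src, name):
        q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
        dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!2H", 1, 1)
        udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes([192, 0, 2, 53]))
        frame = b"\0" * 12 + b"\x08\x00" + ip + udp
        return struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + pkt("192.0.2.10", "example.test") * 2 + pkt("192.0.2.20", "example.org")
```

On a real capture, `tally_queries(open("/tmp/dump.pcap", "rb").read()).most_common(20)` lists the busiest client and name pairs first.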