I installed dnstop to monitor my nameserver running bind9 and was surprised to see it being queried for other domains that I don't host. I am just wondering if this is normal behaviour, or have I configured something incorrectly? Edit: I just had a thought... is this my local machine querying itself? I am running a webserver on this box too.
Queries: 1 new, 483 total Mon Jan 19 22:00:37 2015
Query Name Count % cum%
------------------------------- --------- ------ ------
omeee.ga 218 45.1 45.1
canonical.com 47 9.7 54.9
spamcop.net 35 7.2 62.1
google.com 16 3.3 65.4
phocks.org 14 2.9 68.3
com.tr 13 2.7 71.0
spamhaus.org 11 2.3 73.3
mediacenter.hu 9 1.9 75.2
jazztel.es 9 1.9 77.0
hol.gr 8 1.7 78.7
rr.com 6 1.2 79.9
com.ar 5 1.0 81.0
mollom.com 5 1.0 82.0
amyhendicott.ga 5 1.0 83.0
yahoo.com 4 0.8 83.9
googlemail.com 4 0.8 84.7
sbb.rs 3 0.6 85.3
fricktal.info 3 0.6 85.9
wanadoo.fr 3 0.6 86.5
co.nz 3 0.6 87.2
boydcycles.com 2 0.4 87.6
alicedsl.de 2 0.4 88.0
sealion.com 2 0.4 88.4
tpsa.pl 2 0.4 88.8
comunitel.net 2 0.4 89.2
capecodhurricanes.org 2 0.4 89.6
buddhistcouncilofqueensland.org 2 0.4 90.1
hostnet.nl 2 0.4 90.5
onlinehome-server.com 2 0.4 90.9
193.in-addr.arpa 2 0.4 91.3
gregpoulgrain.ga 2 0.4 91.7
If you are running a publicly accessible DNS server, then other clients may start using you.
Maybe to use you as a public resolver, or maybe to abuse your service for a DNS amplification attack.
If you are not running a public server and have 127.0.0.1 set up as your resolver on that server: it's most likely queries your applications make to resolve external services.
Like sending mail, resolving IPs to host names for log files, etc.
If neither is the case, then you should start sniffing DNS and figure out who sends those queries.
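One way to work out who sends those queries, as an added example that is not part of the original answer: with BIND query logging switched on (`rndc querylog`), this Python script takes the queries for zones the server does not host and splits them into loopback and remote clients. The log lines are constructed samples; the hosted zone `example.org` and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# BIND 9 query log entry; newer releases insert "@0x..." after "client".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines (documentation address ranges), both log variants.
SAMPLE_LOG = """\
19-Jan-2015 22:00:31.101 queries: info: client 198.51.100.7#40211 (omeee.ga): query: omeee.ga IN A +E (203.0.113.5)
19-Jan-2015 22:00:32.000 queries: info: client 198.51.100.7#40212 (omeee.ga): query: omeee.ga IN A +E (203.0.113.5)
19-Jan-2015 22:00:33.415 queries: info: client 127.0.0.1#53011 (spamcop.net): query: spamcop.net IN TXT + (127.0.0.1)
19-Jan-2015 22:00:34.002 queries: info: client @0x7f3a1c0 192.0.2.44#1530 (www.example.org): query: www.example.org IN A + (203.0.113.5)
19-Jan-2015 22:00:35.870 queries: info: client ::1#41000 (canonical.com): query: canonical.com IN AAAA + (::1)
"""


def in_hosted_zone(qname, hosted_zones):
    """True if qname is one of our zones or a name below one."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in hosted_zones)


def summarize(lines, hosted_zones):
    """Count queries for foreign names per (client, qname), split by source."""
    report = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or in_hosted_zone(m["qname"], hosted_zones):
            continue  # not a query line, or a name we are authoritative for
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, skip the line
        kind = "local" if ip.is_loopback else "remote"
        report[kind][(str(ip), m["qname"].lower())] += 1
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), {"example.org"})
    for kind in ("local", "remote"):
        for (ip, qname), n in result[kind].most_common():
            print(f"{kind:6} {ip:15} {qname:20} {n}")
```

Entries under `local` match the answer's second case (applications on the box resolving through 127.0.0.1); entries under `remote` mean outside clients are getting recursion from the server.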