1st July 2009
Bruco
Fdisk Soldier
 
Join Date: May 2008
Location: Kalamazoo, MI, USA
Posts: 61
See what process is generating DNS traffic?

Hello, all.

I have a FreeBSD box sitting at one of my company's locations. It doesn't do much:

It runs a script every 10 minutes that pings some IPs (not hostnames).

It runs arpwatch (which doesn't see much action, there are rarely new devices plugged into the network).

It runs syslogd and captures syslog output from a Cisco ASA.

The box has a static IP, so I've defined a DNS server (at another site) in /etc/resolv.conf.

The problem I'm having is that when I look at my syslogs from the Cisco ASA, I see that the FreeBSD box is generating thousands and thousands of UDP connections to port 53 on the DNS server. And I do mean thousands.

Now, these are obviously DNS requests of some kind. It's port 53 on a DNS server after all. And if I comment out the DNS server IP in /etc/resolv.conf, the traffic stops.

If I run tcpdump while it's going on I can see the packets. Every other one says something about NXDomain - which if I'm not mistaken has something to do with an invalid domain. So, thousands of invalid domain errors, perhaps?

I won't pretend to be able to fully decipher the output from tcpdump, but if I could at least nail down what it is that's CAUSING the traffic I might start to understand where it's coming from and why!

So, two questions. First, does anyone know what might be causing this traffic? And second, is there a way I can actually determine what process is generating the traffic?

Thanks.
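As an added example (not part of the original post, and not code from the poster), here is a small parser for the text output of `tcpdump -n udp port 53` that pairs each answer with its query and tallies which names are being looked up and which of them come back NXDomain. Knowing the names (for instance, a flood of PTR queries for in-addr.arpa would point at something doing reverse lookups) narrows down which program is asking. The capture lines embedded below are constructed for this example, using RFC 5737 documentation addresses, and are not the poster's traffic.

```python
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -n udp port 53` output. These lines are made
# up for this example (RFC 5737 documentation addresses); they are not a real
# capture from the post. Queries carry "id+ TYPE? name.", answers carry
# "id [rcode] answers/authority/additional".
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.0.2.10.54321 > 198.51.100.53.53: 4101+ PTR? 20.2.0.192.in-addr.arpa. (44)
10:00:01.000900 IP 198.51.100.53.53 > 192.0.2.10.54321: 4101 NXDomain 0/1/0 (97)
10:00:01.001200 IP 192.0.2.10.54322 > 198.51.100.53.53: 4102+ PTR? 21.2.0.192.in-addr.arpa. (44)
10:00:01.002000 IP 198.51.100.53.53 > 192.0.2.10.54322: 4102 NXDomain 0/1/0 (97)
10:00:05.300000 IP 192.0.2.10.54323 > 198.51.100.53.53: 4103+ A? mail.example.net. (34)
10:00:05.301000 IP 198.51.100.53.53 > 192.0.2.10.54323: 4103 1/0/0 A 198.51.100.25 (50)
10:00:06.000000 IP 192.0.2.10.54324 > 198.51.100.53.53: 4104+ PTR? 20.2.0.192.in-addr.arpa. (44)
10:00:06.001000 IP 198.51.100.53.53 > 192.0.2.10.54324: 4104 NXDomain 0/1/0 (97)
"""

# A query line: "... src.port > dst.port: id+ TYPE? name. (len)"
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+) \("
)
# An answer line: "... src.port > dst.port: id[flags] [rcode] a/n/a ..."
# The optional flag characters after the id are tcpdump's *, -, | and $.
RESPONSE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[*\-|$]* (?:(?P<rcode>[A-Za-z]+) )?(?P<counts>\d+/\d+/\d+)"
)


def summarize_dns(capture: str) -> dict:
    """Pair each answer with its query by (client IP, client port, DNS id)
    and tally what was asked and which names were answered NXDomain."""
    pending = {}              # (client, port, id) -> (qtype, name)
    queries = Counter()       # (qtype, name) -> number of queries
    nxdomain = Counter()      # name -> number of NXDomain answers
    client_ports = Counter()  # (client, port) -> queries sent from it
    responses = unmatched = 0

    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending[(m["src"], m["sport"], m["id"])] = (m["qtype"], m["name"])
            queries[(m["qtype"], m["name"])] += 1
            client_ports[(m["src"], m["sport"])] += 1
            continue
        m = RESPONSE_RE.search(line)
        if not m:
            continue  # not a DNS line we understand (e.g. truncated output)
        responses += 1
        query = pending.pop((m["dst"], m["dport"], m["id"]), None)
        if query is None:
            unmatched += 1  # answer whose query was not in the capture
            continue
        if m["rcode"] == "NXDomain":
            nxdomain[query[1]] += 1

    return {
        "queries": sum(queries.values()),
        "responses": responses,
        "unmatched_responses": unmatched,
        "queries_by_name": queries,
        "nxdomain_by_name": nxdomain,
        "client_ports": client_ports,
    }


def report(capture: str) -> str:
    """Human-readable summary: top names, NXDomain names, client ports."""
    s = summarize_dns(capture)
    out = [f"{s['queries']} queries, {s['responses']} answers, "
           f"{sum(s['nxdomain_by_name'].values())} NXDomain, "
           f"{s['unmatched_responses']} unmatched answers",
           "Most-queried names:"]
    for (qtype, name), n in s["queries_by_name"].most_common(5):
        out.append(f"  {n:6d}  {qtype:5s} {name}")
    out.append("Names answered NXDomain:")
    for name, n in s["nxdomain_by_name"].most_common(5):
        out.append(f"  {n:6d}  {name}")
    out.append("Client source ports (look these up with sockstat while it runs):")
    for (client, port), n in s["client_ports"].most_common(5):
        out.append(f"  {n:6d}  {client}:{port}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: tcpdump -n -l udp port 53 > dns.txt; python3 dnsreport.py dns.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(report(text))
```

Run tcpdump with `-n` when producing the capture, otherwise tcpdump itself does reverse lookups on every address it prints and adds to the very traffic being examined. The client source ports in the last section of the report are the link to a process: on FreeBSD, `sockstat -4 -P udp` lists IPv4 UDP sockets together with the owning user, command and PID, so running it in a tight loop while the burst is happening (or `sockstat -4 -P udp -p 53` to restrict to sockets with port 53 as local or foreign port) can catch the short-lived resolver socket and name the program behind it. Those sockstat invocations are the usual flags as documented in sockstat(1); which process turns up is of course for the capture to show.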