Acknowledged, & agreed
I deleted the original post because I thought my question was badly expressed. I wanted to do more research before reposting properly.
When I started this reply, I was none the wiser. But a lightbulb just went on over my head, and I realised what was happening. An explanation follows for your amusement.
For anyone interested, the original question related to the logging of DNS lookups in the dead of night from a FC2 installation running BIND 9.2.3. I forget why now, but I had reason to switch on query logging for named, and I noticed that batches of reverse lookups were being logged against the local interface:
Code:
Aug 28 16:01:01 kermit named[20621]: Aug 28 16:01:01.176 queries: client 127.0.0.1#33262: query: 189.116.129.160
.in-addr.arpa IN PTR
Aug 28 16:01:02 kermit named[20621]: Aug 28 16:01:02.447 queries: client 127.0.0.1#33262: query: 6.128.81.211.in
-addr.arpa IN PTR
Aug 28 16:01:11 kermit named[20621]: Aug 28 16:01:11.807 queries: client 127.0.0.1#33264: query: 6.128.81.211.in
-addr.arpa IN PTR
Aug 28 16:01:21 kermit named[20621]: Aug 28 16:01:21.081 queries: client 127.0.0.1#33264: query: 124.168.229.165
.in-addr.arpa IN PTR
Aug 28 16:01:24 kermit named[20621]: Aug 28 16:01:24.052 queries: client 127.0.0.1#33264: query: 29.254.39.61.in
-addr.arpa IN PTR
This seemed a bit spooky, as I couldn't think what could be doing the lookups.
Well this afternoon at last I
could think, and I remembered that I have an hourly cron job called "fwlogwatch". Boy, I am dumb sometimes. Maybe I knew it subliminally, and that's what made my hand delete the post.
OK, you can all throw rotten tomatoes at me now.
Seriously, thanks to unSpawn for nudging me.