OK, the guy who normally takes care of this sort of thing is out of vacation so I've been asked to look at it. Unfortunately I'm a linux newb and need direction. We were recently alerted to the fact that our DNS server did a reverse lookup on an IP address owned by UKrTelegroup (85.255.112.58). As some of you know already this is a well known company hosting fake DNS servers for DNS poisoning and such. So what I need to do is search the logs for this address and try to find out what initiated this lookup. I know how to use grep and believe the log file I need to look at is in /var/log. I am under the impression that the file I'm looking for is messages, is that correct? I've dug around through /var/log and couldn't find anything using grep -i 82.255.112.58 /var/log/*. Can anyone point me in the right direction?

IF it isn't in /var/log, take a look in /etc/named.conf under the logging section, to find where bind saves its logs.
Mind that if you're running named chrooted, the path to the logfile is relative to the chroot directory.
To find the chroot directory The chroot path is the atgument of the -t option