It's likely that the queries are originating on RS2; what you're filtering is the responses from RS1. Possible causes: 1. RS1 is authoritative for some domain that RS2 is not. 2. The resolver on RS2 is configured to use RS1 as his nameserver. (Note that the resolver is generally totally oblivious of the fact that you're running bind on the same system.) 3. A user or process on RS2 is occasionally doing something like nslookup or dig, pointing at RS1 for the server. Tony Rall **************************************************************** From: "Jesse Whyte" <jwhyte@mail.state.tn.us> To: nanog@merit.edu, sun-managers@sunmanagers.ececs.uc.edu Subject: Odd UDP traffic between secondary servers The environment is fairly typical...one primary DNS server and three secondary servers. One of the secondary servers is on the same subnet as the primary DNS server and the other two are distributed across the Wide Area Network. Of these two remote secondary servers, I see traffic like the following every day in my access-list violations, where ROUTER-WITH-ACL is the router protecting the REMOTE-SECONDARY-2... Oct 11 01:17:07 ROUTER-WITH-ACL 113128: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36070), 1 packet Oct 11 01:18:37 ROUTER-WITH-ACL 113139: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36075), 1 packet Oct 11 01:18:42 ROUTER-WITH-ACL 113140: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36076), 1 packet Oct 11 01:18:47 ROUTER-WITH-ACL 113141: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36077), 1 packet ... Oct 11 03:05:42 ROUTER-WITH-ACL 113623: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36120), 1 packet Oct 11 03:05:47 ROUTER-WITH-ACL 113624: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36121), 1 packet Oct 11 03:05:57 ROUTER-WITH-ACL 113625: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36122), 1 packet As you can see, the destination port increments by one on each attempt and this entire process occurs over the period of several hours. This traffic is entirely unidirectional...I do not see any similar traffic on the access list protecting REMOTE-SECONDARY-1. What is the nature of this traffic and should I be concerned? It is obviousely not a zone transfer, and there is no forwarders directive in either config file, so I'm at a loss.