Can anyone comment on what "broctl cron" is actually doing?
My DNS admin reported to me that, at 5-minute intervals, my six bro hosts (1x manager+proxy, 5 workers) are spewing DNS queries in the thousands,
all forward and reverse lookups of themselves and each other (sample appended). It *seems* to be correlated in time with the running of "broctl cron".
Thanks for any info,
broctl cron primarily checks up on the workers via ssh.
Are you using a bro version earlier than 2.4? 2.4 will make one connection per worker box, before that it made one connection for each worker process.
What you are seeing looks like bro < 2.4 plus ssh having UseDns or VerifyReverseMapping enabled.
It's also interesting that bro01 is not one of the names in the output, and bro05 appears 5% as often as 2,3,4 are.
In general you should be running a local caching resolver (unbound,dnsmasq,etc). Things run better across the board when you are caching dns responses locally and not going out to the network for every lookup.
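One way to confirm the correlation from the resolver's own query log rather than by eye: bucket lookups of the cluster's own names and reverse-zone records into 5-minute windows and flag windows that recur one period apart. This is an added example, not code from the original thread or from broctl; the log format, host names and addresses are constructed.

```python
"""Detection logic for this thread's pattern: periodic bursts of forward (A) and
reverse (PTR) lookups for the cluster's own hosts. Log and names are constructed."""
from collections import Counter
import ipaddress

# Constructed cluster inventory: manager bro01, workers bro02..bro05.
CLUSTER = {f"bro0{i}.example.net": f"10.0.0.{i}" for i in range(1, 6)}
# Reverse-zone names sshd queries when UseDNS is on, mapped back to the host.
PTR_TO_HOST = {ipaddress.ip_address(ip).reverse_pointer: h for h, ip in CLUSTER.items()}
# Constructed resolver query log: "<epoch> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
1000 10.0.0.1 A   bro02.example.net.
1000 10.0.0.2 PTR 1.0.0.10.in-addr.arpa.
1000 10.0.0.2 A   bro01.example.net.
1001 10.0.0.1 A   bro03.example.net.
1001 10.0.0.3 PTR 1.0.0.10.in-addr.arpa.
1150 10.0.0.3 A   www.example.org.
1300 10.0.0.1 A   bro02.example.net.
1300 10.0.0.2 PTR 1.0.0.10.in-addr.arpa.
1301 10.0.0.1 A   bro03.example.net.
1600 10.0.0.1 A   bro02.example.net.
1600 10.0.0.2 PTR 1.0.0.10.in-addr.arpa.
"""

def parse_log(text):
    """Yield (timestamp, client, qtype, qname), qname lowercased without the root dot."""
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        yield int(ts), client, qtype.upper(), qname.rstrip(".").lower()

def self_lookups_per_window(text, period=300):
    """Count lookups that name a cluster member, bucketed by `period` seconds.
    Returns {window_start: Counter({host: n})}; unrelated traffic is skipped."""
    windows = {}
    for ts, _client, qtype, qname in parse_log(text):
        if qtype == "A" and qname in CLUSTER:
            host = qname
        elif qtype == "PTR" and qname in PTR_TO_HOST:
            host = PTR_TO_HOST[qname]
        else:
            continue
        windows.setdefault(ts - ts % period, Counter())[host] += 1
    return windows

def periodic_bursts(windows, period=300, min_lookups=2):
    """Window starts with at least `min_lookups` self-lookups that sit exactly one
    period from a neighbouring burst: the signature of a cron-driven storm."""
    hot = sorted(w for w, c in windows.items() if sum(c.values()) >= min_lookups)
    return [w for i, w in enumerate(hot)
            if (i and w - hot[i - 1] == period)
            or (i + 1 < len(hot) and hot[i + 1] - w == period)]
```

Per-window Counters also show which names dominate, which is how an imbalance like the bro01/bro05 one noted above becomes visible.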
Thanks!
At the recommendation of my sysadmins, I installed a caching nameserver directly on my manager host - problem solved (for that host).
I haven't decided yet whether the workers should use the nameserver on the manager, or each one should run his own, but I think that'll fix things.
-g