While reviewing the DNS logfiles on one of my name servers, I noticed that one of my Solaris hosts was querying getupdates.sun.com once per hour:
Sep 30 02:28:05 dns named: [ID 866145 local0.info] client 220.127.116.11#47644: view internal: query: getupdates.sun.com IN A + Sep 30 03:27:35 dns named: [ID 866145 local0.info] client 18.104.22.168#47738: view internal: query: getupdates.sun.com IN A + Sep 30 04:27:05 dns named: [ID 866145 local0.info] client 22.214.171.124#47841: view internal: query: getupdates.sun.com IN A + [ ..... ]
Since I had recently applied the latest connection manager patches to the server, I started to wonder if Sun had installed a cron job (or started a daemon) to periodically poll the server that hosted getupdates.sun.com. To see what process was querying getupdates.sun.com, I first reviewed the cron jobs on the system, and then I perused the list of daemons that were running. Everything checked out fine, so I fired up DTrace to see which process was actually responsible for the DNS requests. It turns out these DNS queries were coming from the nscd daemon. After reading through the nscd.conf manual page, I came across a description of the “keep-hot-count” attribute:
“This attribute allows the administrator to set the number of entries nscd(1M) is to keep current in the specified cache. value is an integer number which should approximate the number of entries frequently used during the day.”
A quick peak at /etc/nscd.conf revealed that the value of keep-hot-count is set to 20 by default:
$ egrep “keep-hot.*host” /etc/nscd.conf
keep-hot-count hosts 20
It turns out nscd was refreshing the name service information entry for this host once per hour. To disable this behavior, I set the value of keep-hot-count to 0, and the DNS queries for getupdates.sun.com ceased. Numerous admins kill nscd on systems that don’t handle lots of login sessions, and I reckon I will need to investigate this option.