From owner-freebsd-security@FreeBSD.ORG Sat Apr 16 09:15:46 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9AEF3106564A for ; Sat, 16 Apr 2011 09:15:46 +0000 (UTC) (envelope-from michael.scheidell@secnap.com) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [204.89.241.253]) by mx1.freebsd.org (Postfix) with ESMTP id 62B2C8FC08 for ; Sat, 16 Apr 2011 09:15:46 +0000 (UTC) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [10.70.1.253]) by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 48E692B7C6B; Sat, 16 Apr 2011 04:54:11 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secnap.com; h= content-type:content-type:subject:subject:mime-version :user-agent:from:from:date:date:message-id; s=dkim; t= 1302944050; x=1304758450; bh=chovtzcPMxLJoSM9/TZeJn94mN5+tpJXS81 bIkOLMEw=; b=jhnLAnIdoGjz672K7iYHDsR5BGsYAK8YoU8sD+4EtFv/Rxg9zx9 75Vj9c2QNDemcOrp8tG6skkjb/Ze0UkV/J6XhF9/a60jkXBYGsfvmR29sztcY/M1 5BDW7Ym7D5ItuM7duoLg06Uv1W2zh83dZM6ENcvQcivCykmNJIya6ezE= X-Amavis-Modified: Mail body modified (using disclaimer) - mx1.secnap.com.ionspam.net X-Virus-Scanned: SpammerTrap(r) VPS-1500 2.14 at mx1.secnap.com.ionspam.net Received: from USBCTDC001.secnap.com (usbctdc001.secnap.com [10.70.1.1]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.secnap.com.ionspam.net (Postfix) with ESMTPS id 08CA42B7C64; Sat, 16 Apr 2011 04:54:10 -0400 (EDT) Received: from Macintosh.local (10.80.0.4) by USBCTDC001.secnap.com (10.70.1.1) with Microsoft SMTP Server (TLS) id 14.0.722.0; Sat, 16 Apr 2011 04:54:08 -0400 Message-ID: <4DA95938.7050608@secnap.com> Date: Sat, 16 Apr 2011 04:54:16 -0400 From: Michael Scheidell User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: , Emerging Threats Signatures Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Apr 2011 09:15:46 -0000 We keep getting security alerts that lagoon.freebsd.lublin.pl (the authoritative dns server for freebsd.lublin,pl) is on the 'TOR' end point node list. We get this alert when our DNS server looks up the ip for cache.freebsd.lublin.pl This concerns me if freebsd is using a mirror that has possible ties to hacker or other nefarious network related activity. Can anyone tell me if: A) this might be a FP? that lagoon.freebsd.lublin.pl is NOT associated with this type of activity? B) if so, should the small chance that they are involved in this prohibit them from being on any RR link for ports source code lookups? C) am I too paranoid? its 5am localtime, go back to bed? -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 >*| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010 Network Products Guide * King of Spam Filters, SC Magazine ______________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ ______________________________________________________________________ From owner-freebsd-security@FreeBSD.ORG Sat Apr 16 09:28:25 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3FDBE1065670 for ; Sat, 16 Apr 2011 09:28:25 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [IPv6:2a02:2928:a::3]) by mx1.freebsd.org (Postfix) with ESMTP id BF8B08FC15 for ; Sat, 16 Apr 2011 09:28:24 +0000 (UTC) Received: from [IPv6:2a02:2928:a:ffff:70a6:6b28:ff4e:bb7b] (unknown [IPv6:2a02:2928:a:ffff:70a6:6b28:ff4e:bb7b]) by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id BBA0E239455; Sat, 16 Apr 2011 11:28:23 +0200 (CEST) Message-ID: <4DA96137.5050100@frasunek.com> Date: Sat, 16 Apr 2011 11:28:23 +0200 From: Przemyslaw Frasunek Organization: frasunek.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: Michael Scheidell References: <4DA95938.7050608@secnap.com> In-Reply-To: <4DA95938.7050608@secnap.com> X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Emerging Threats Signatures Subject: Re: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Apr 2011 09:28:25 -0000 > This concerns me if freebsd is using a mirror that has possible ties to hacker > or other nefarious network related activity. Well, this is my network and my box, so I will try to clarify all issues. > A) this might be a FP? that lagoon.freebsd.lublin.pl is NOT associated with > this type of activity? freebsd.lublin.pl does not host any FreeBSD mirrors. It's a shell server with ~300-400 accounts, running for 14 years. I personally know (almost) every person having account here. We have TOR installed (without exit node functionality), but it's not used for any kind of illegal activities. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE * * Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV * From owner-freebsd-security@FreeBSD.ORG Sat Apr 16 09:31:24 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C60AD1065670 for ; Sat, 16 Apr 2011 09:31:24 +0000 (UTC) (envelope-from michael.scheidell@secnap.com) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [204.89.241.253]) by mx1.freebsd.org (Postfix) with ESMTP id 8ADD78FC08 for ; Sat, 16 Apr 2011 09:31:24 +0000 (UTC) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [10.70.1.253]) by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 011212B7C6A; Sat, 16 Apr 2011 05:31:23 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secnap.com; h= content-type:content-type:in-reply-to:references:subject:subject :mime-version:user-agent:from:from:date:date:message-id; s=dkim; t=1302946282; x=1304760682; bh=jop9u9EXEUhx3UYzBNUQ5yEyCqRSTBZt hz+oKqq/KwI=; b=GPjflDLqz+8ZJBkxRg5Cky7mVu5cX3KuBbr/elWfongmVmvu KpCMqL5c9SfydrL8c2I2gBeKXoyFR2mQY8oa42SDpDEte7upQ82EQjXzu/1N5yTx zLgfyKH8ry1ofXiVrKwbQWSGGgUw4jGOiLEWIb2L+6B/e2A846A2hCpGmeY= X-Amavis-Modified: Mail body modified (using disclaimer) - mx1.secnap.com.ionspam.net X-Virus-Scanned: SpammerTrap(r) VPS-1500 2.14 at mx1.secnap.com.ionspam.net Received: from USBCTDC001.secnap.com (usbctdc001.secnap.com [10.70.1.1]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.secnap.com.ionspam.net (Postfix) with ESMTPS id DEDFE2B7C64; Sat, 16 Apr 2011 05:31:22 -0400 (EDT) Received: from Macintosh.local (166.248.64.9) by USBCTDC001.secnap.com (10.70.1.1) with Microsoft SMTP Server (TLS) id 14.0.722.0; Sat, 16 Apr 2011 05:31:22 -0400 Message-ID: <4DA961F1.1040100@secnap.com> Date: Sat, 16 Apr 2011 05:31:29 -0400 From: Michael Scheidell User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: Przemyslaw Frasunek References: <4DA95938.7050608@secnap.com> <4DA96137.5050100@frasunek.com> In-Reply-To: <4DA96137.5050100@frasunek.com> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org, Emerging Threats Signatures Subject: Re: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Apr 2011 09:31:24 -0000 On 4/16/11 5:28 AM, Przemyslaw Frasunek wrote: > > freebsd.lublin.pl does not host any FreeBSD mirrors. It's a shell server with > ~300-400 accounts, running for 14 years. I personally know (almost) every person > having account here. We have TOR installed (without exit node functionality), > but it's not used for any kind of illegal activities. > so, option C: being too paranoid and I should get more rest :-) I will try to track down what server is lookup up cache.freebsd.lublin.pl and see why its doing that. thanks. -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 >*| *SECNAP Network Security Corporation * Best Intrusion Prevention Product, Networks Product Guide * Certified SNORT Integrator * Hot Company Award, World Executive Alliance * Best in Email Security, 2010 Network Products Guide * King of Spam Filters, SC Magazine ______________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ ______________________________________________________________________ From owner-freebsd-security@FreeBSD.ORG Sat Apr 16 09:40:43 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21B1F106566B for ; Sat, 16 Apr 2011 09:40:43 +0000 (UTC) (envelope-from michael.scheidell@secnap.com) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [204.89.241.253]) by mx1.freebsd.org (Postfix) with ESMTP id D3C918FC08 for ; Sat, 16 Apr 2011 09:40:42 +0000 (UTC) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [10.70.1.253]) by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 4E7B22B7C64 for ; Sat, 16 Apr 2011 05:40:42 -0400 (EDT) Resent-From: "Content-filter at mx1.secnap.com.ionspam.net" Resent-To: Resent-Date: Sat, 16 Apr 2011 05:40:42 -0400 (EDT) Resent-Message-ID: Received: from unknown by mx1.secnap.com.ionspam.net (SpammerTrap(r) VPS-1500, unix socket) id xt3u8im647Re for ; Sat, 16 Apr 2011 05:40:42 -0400 (EDT) Received: from mx1.secnap.com.ionspam.net ([10.70.1.253]) by mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [10.70.1.253]) (SpammerTrap(r) VPS-1500, port 10024) with LMTP id xt3u8im647Re for ; Sat, 16 Apr 2011 05:34:56 -0400 (EDT) Received: from USBCTDC001.secnap.com (usbctdc001.secnap.com [10.70.1.1]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.secnap.com.ionspam.net (Postfix) with ESMTPS id D54D22B7C64 for ; Sat, 16 Apr 2011 05:34:56 -0400 (EDT) Received: from Macintosh.local (166.248.64.9) by USBCTDC001.secnap.com (10.70.1.1) with Microsoft SMTP Server (TLS) id 14.0.722.0; Sat, 16 Apr 2011 05:34:55 -0400 Message-ID: <4DA962C8.3020808@secnap.com> Date: Sat, 16 Apr 2011 05:35:04 -0400 From: Michael Scheidell User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: Content-Type: text/plain; charset="KOI8-R"; format=flowed Content-Transfer-Encoding: 8bit Subject: Fwd: =?koi8-r?b?7sUg1cTBxdTT0SDEz9PUwdfJ1Ng6IFJlOiAxOTMuMTM4LjEx?= =?koi8-r?b?OC4zID8gbGFnb29uLmZyZWVic2QubHVibGluLnBsICAvY2FjaGUsIGZyZWVi?= =?koi8-r?b?c2QsIGx1YmxpbiwgcGwgb24gVE9SIGVuZCBwb2ludCBsaXN0Pw==?= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Apr 2011 09:40:43 -0000 can you unsub this person? -------- Original Message -------- Subject: Не удается доставить: Re: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? Date: Sat, 16 Apr 2011 15:33:36 +0600 From: To: *Не удалось выполнить доставку следующим получателям или лицам из следующих списков рассылки:* xlino@bvpress.ru Адрес электронной почты получателя не найден в почтовой системе получателя. Microsoft Exchange не будет повторять попытку доставки сообщения. Проверьте адрес электронной почты и повторите отправку сообщения или передайте указанное ниже диагностическое сообщение администратору. ------------------------------------------------------------------------ Отправлено с помощью Microsoft Exchange Server 2007 *Диагностические сведения для администраторов:* Формирующий сервер: bvgroup.ru xlino@bvpress.ru #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ## Исходные заголовки сообщения: Received: from TIS (192.168.1.8) by v-mail.bvgroup.ru (192.168.1.2) with Microsoft SMTP Server id 8.2.255.0; Sat, 16 Apr 2011 15:33:36 +0600 Thread-Topic: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by 192.168.4.2 with Traffic Inspector SMTP Gate (2.0.0.641); Sat, 16 Apr 2011 15:33:30 +0600 X-RBL: porn.rhs.mailpolice.com; [69.147.83.53] X-RBL: porn.rhs.mailpolice.com; [204.89.241.253] X-TI-MessID: {775196AD-38CB-408C-8EF0-5BFF42F60039} Received: from hub.freebsd.org (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id D59B1163731; Sat, 16 Apr 2011 09:32:20 +0000 (UTC) Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 106221065733; Sat, 16 Apr 2011 09:32:20 +0000 (UTC) (envelope-from owner-freebsd-security@freebsd.org) Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C60AD1065670 for ; Sat, 16 Apr 2011 09:31:24 +0000 (UTC) (envelope-from michael.scheidell@secnap.com) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [204.89.241.253]) by mx1.freebsd.org (Postfix) with ESMTP id 8ADD78FC08 for ; Sat, 16 Apr 2011 09:31:24 +0000 (UTC) Received: from mx1.secnap.com.ionspam.net (mx1.secnap.com.ionspam.net [10.70.1.253]) by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 011212B7C6A; Sat, 16 Apr 2011 05:31:23 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secnap.com; h=content-type:content-type:in-reply-to:references:subject:subject:mime-version:user-agent:from:from:date:date:message-id; s=dkim;t=1302946282; x=1304760682; bh=jop9u9EXEUhx3UYzBNUQ5yEyCqRSTBZthz+oKqq/KwI=; b=GPjflDLqz+8ZJBkxRg5Cky7mVu5cX3KuBbr/elWfongmVmvuKpCMqL5c9SfydrL8c2I2gBeKXoyFR2mQY8oa42SDpDEte7upQ82EQjXzu/1N5yTxzLgfyKH8ry1ofXiVrKwbQWSGGgUw4jGOiLEWIb2L+6B/e2A846A2hCpGmeY= X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7600.16543 X-Amavis-Modified: Mail body modified (using disclaimer) -mx1.secnap.com.ionspam.net X-Virus-Scanned: SpammerTrap(r) VPS-1500 2.14 at mx1.secnap.com.ionspam.net Received: from USBCTDC001.secnap.com (usbctdc001.secnap.com [10.70.1.1]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.secnap.com.ionspam.net (Postfix) with ESMTPS id DEDFE2B7C64; Sat, 16 Apr 2011 05:31:22 -0400 (EDT) Received: from Macintosh.local (166.248.64.9) by USBCTDC001.secnap.com (10.70.1.1) with Microsoft SMTP Server (TLS) id 14.0.722.0; Sat, 16 Apr 2011 05:31:22 -0400 Message-ID:<4DA961F1.1040100@secnap.com> Date: Sat, 16 Apr 2011 05:31:29 -0400 From: Michael Scheidell User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: References:<4DA95938.7050608@secnap.com> <4DA96137.5050100@frasunek.com> In-Reply-To:<4DA96137.5050100@frasunek.com> Content-Type: text/plain; format=flowed; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 CC:, Emerging Threats Signatures Subject: Re: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe:, List-Archive: List-Post: List-Help: List-Subscribe:, Sender: Errors-To: owner-freebsd-security@freebsd.org Return-Path: michael.scheidell@secnap.com From owner-freebsd-security@FreeBSD.ORG Sat Apr 16 09:44:39 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B69E7106566B for ; Sat, 16 Apr 2011 09:44:39 +0000 (UTC) (envelope-from przemyslaw@frasunek.com) Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [IPv6:2a02:2928:a::3]) by mx1.freebsd.org (Postfix) with ESMTP id 6DD118FC0A for ; Sat, 16 Apr 2011 09:44:39 +0000 (UTC) Received: from [IPv6:2a02:2928:a:ffff:70a6:6b28:ff4e:bb7b] (unknown [IPv6:2a02:2928:a:ffff:70a6:6b28:ff4e:bb7b]) by lagoon.freebsd.lublin.pl (Postfix) with ESMTPSA id 6E32D239461; Sat, 16 Apr 2011 11:44:38 +0200 (CEST) Message-ID: <4DA96506.8040007@frasunek.com> Date: Sat, 16 Apr 2011 11:44:38 +0200 From: Przemyslaw Frasunek Organization: frasunek.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: Michael Scheidell References: <4DA95938.7050608@secnap.com> <4DA96137.5050100@frasunek.com> <4DA961F1.1040100@secnap.com> In-Reply-To: <4DA961F1.1040100@secnap.com> X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, Emerging Threats Signatures Subject: Re: 193.138.118.3 ? lagoon.freebsd.lublin.pl /cache, freebsd, lublin, pl on TOR end point list? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Apr 2011 09:44:39 -0000 > I will try to track down what server is lookup up cache.freebsd.lublin.pl and > see why its doing that. cache.freebsd.lublin.pl [193.138.118.6], now named ns2.nette.pl, is a secondary DNS for some high-traffic Polish domains, so probably that's the reason, why you're seeing such lookups.