[Novalug] Finding PID That Is Querying DNS

Bernie Hoefer LUG-Member at TheMoreIKnow.info
Wed Oct 3 01:43:46 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Hello.  I'm wondering how I might find which process is performing
hostname lookups from my OpenSuSE 10.1 workstation.
     I noticed that my workstation is, about every 15 seconds, querying
hostnames.  I shut down all the programs (browser, OpenOffice, etc.) I
was using.  I then only had some Konsole windows open, yet DNS queries
are still coming from my workstation.  Here is a TCP dump:

===
> workstation:~ # tcpdump -n dst host 192.168.1.1 port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 23:07:31.749288 IP 192.168.1.2.2003 > 192.168.1.1.53:  14714+ AAAA? tags.expo9.exponential.com. (44)
> 23:07:31.768688 IP 192.168.1.2.2003 > 192.168.1.1.53:  14714+ AAAA? tags.expo9.exponential.com. (44)
> 23:07:31.785868 IP 192.168.1.2.2003 > 192.168.1.1.53:  46759+ A? tags.expo9.exponential.com. (44)
> 23:07:31.804787 IP 192.168.1.2.2003 > 192.168.1.1.53:  46759+ A? tags.expo9.exponential.com. (44)
> 23:07:31.824754 IP 192.168.1.2.2003 > 192.168.1.1.53:  56575+ AAAA? view.atdmt.com. (32)
> 23:07:31.841642 IP 192.168.1.2.2003 > 192.168.1.1.53:  56575+ AAAA? view.atdmt.com. (32)
> 23:07:31.860692 IP 192.168.1.2.2003 > 192.168.1.1.53:  4054+ A? view.atdmt.com. (32)
> 23:07:31.878834 IP 192.168.1.2.2003 > 192.168.1.1.53:  4054+ A? view.atdmt.com. (32)
> 23:07:31.899762 IP 192.168.1.2.2003 > 192.168.1.1.53:  13455+ AAAA? a.tribalfusion.com. (36)
> 23:07:31.922340 IP 192.168.1.2.2003 > 192.168.1.1.53:  13455+ AAAA? a.tribalfusion.com. (36)
> 23:07:31.942765 IP 192.168.1.2.2003 > 192.168.1.1.53:  38090+ A? a.tribalfusion.com. (36)
> 23:07:31.967625 IP 192.168.1.2.2003 > 192.168.1.1.53:  38090+ A? a.tribalfusion.com. (36)
> 23:07:31.987984 IP 192.168.1.2.2003 > 192.168.1.1.53:  24+ AAAA? farm1.static.flickr.com. (41)
> 23:07:32.011748 IP 192.168.1.2.2003 > 192.168.1.1.53:  24+ AAAA? farm1.static.flickr.com. (41)
> 23:07:32.031846 IP 192.168.1.2.2003 > 192.168.1.1.53:  35889+ A? farm1.static.flickr.com. (41)
> 23:07:32.052770 IP 192.168.1.2.2003 > 192.168.1.1.53:  35889+ A? farm1.static.flickr.com. (41)
> 23:07:32.073345 IP 192.168.1.2.2003 > 192.168.1.1.53:  43132+ AAAA? a.rad.live.com. (32)
> 23:07:32.092727 IP 192.168.1.2.2003 > 192.168.1.1.53:  43132+ AAAA? a.rad.live.com. (32)
> 23:07:32.112605 IP 192.168.1.2.2003 > 192.168.1.1.53:  8399+ A? a.rad.live.com. (32)
> 23:07:32.134714 IP 192.168.1.2.2003 > 192.168.1.1.53:  8399+ A? a.rad.live.com. (32)
> 23:07:32.154698 IP 192.168.1.2.2003 > 192.168.1.1.53:  35674+ AAAA? login.passport.net. (36)
> 23:07:32.176756 IP 192.168.1.2.2003 > 192.168.1.1.53:  35674+ AAAA? login.passport.net. (36)
> 23:07:32.196773 IP 192.168.1.2.2003 > 192.168.1.1.53:  32425+ A? login.passport.net. (36)
> 23:07:32.216748 IP 192.168.1.2.2003 > 192.168.1.1.53:  32425+ A? login.passport.net. (36)
> 23:07:32.237558 IP 192.168.1.2.2003 > 192.168.1.1.53:  32523+ AAAA? ad.interclick.com. (35)
> 23:07:32.256743 IP 192.168.1.2.2003 > 192.168.1.1.53:  32523+ AAAA? ad.interclick.com. (35)
> 23:07:32.276732 IP 192.168.1.2.2003 > 192.168.1.1.53:  17288+ A? ad.interclick.com. (35)
> 23:07:32.299140 IP 192.168.1.2.2003 > 192.168.1.1.53:  17288+ A? ad.interclick.com. (35)
> 23:07:32.318846 IP 192.168.1.2.2003 > 192.168.1.1.53:  43277+ AAAA? h.msn.com. (27)
> 23:07:32.349845 IP 192.168.1.2.2003 > 192.168.1.1.53:  43277+ AAAA? h.msn.com. (27)
> 23:07:32.378196 IP 192.168.1.2.2003 > 192.168.1.1.53:  16315+ A? h.msn.com. (27)
> 23:07:32.396733 IP 192.168.1.2.2003 > 192.168.1.1.53:  16315+ A? h.msn.com. (27)
> 23:07:32.416739 IP 192.168.1.2.2003 > 192.168.1.1.53:  55758+ AAAA? h.live.com. (28)
> 23:07:32.436716 IP 192.168.1.2.2003 > 192.168.1.1.53:  55758+ AAAA? h.live.com. (28)
> 23:07:32.456765 IP 192.168.1.2.2003 > 192.168.1.1.53:  35730+ A? h.live.com. (28)
> 23:07:32.476708 IP 192.168.1.2.2003 > 192.168.1.1.53:  35730+ A? h.live.com. (28)
> 23:07:32.496768 IP 192.168.1.2.2003 > 192.168.1.1.53:  20489+ AAAA? rad.live.com. (30)
> 23:07:32.516714 IP 192.168.1.2.2003 > 192.168.1.1.53:  20489+ AAAA? rad.live.com. (30)
> 23:07:32.536039 IP 192.168.1.2.2003 > 192.168.1.1.53:  30467+ A? rad.live.com. (30)
> 23:07:32.558950 IP 192.168.1.2.2003 > 192.168.1.1.53:  30467+ A? rad.live.com. (30)
> 23:07:32.579745 IP 192.168.1.2.2003 > 192.168.1.1.53:  62087+ AAAA? ad.yieldmanager.com. (37)
> 23:07:32.603030 IP 192.168.1.2.2003 > 192.168.1.1.53:  62087+ AAAA? ad.yieldmanager.com. (37)
> 23:07:32.622473 IP 192.168.1.2.2003 > 192.168.1.1.53:  23660+ A? ad.yieldmanager.com. (37)
> 23:07:32.644724 IP 192.168.1.2.2003 > 192.168.1.1.53:  23660+ A? ad.yieldmanager.com. (37)
> 23:07:32.664610 IP 192.168.1.2.2003 > 192.168.1.1.53:  11533+ AAAA? www.sphere.com. (32)
> 23:07:32.687092 IP 192.168.1.2.2003 > 192.168.1.1.53:  11533+ AAAA? www.sphere.com. (32)
> 23:07:32.706451 IP 192.168.1.2.2003 > 192.168.1.1.53:  24941+ A? www.sphere.com. (32)
> 23:07:32.731240 IP 192.168.1.2.2003 > 192.168.1.1.53:  24941+ A? www.sphere.com. (32)
> 23:07:32.750181 IP 192.168.1.2.2003 > 192.168.1.1.53:  53596+ AAAA? b.rad.live.com. (32)
> 23:07:32.771247 IP 192.168.1.2.2003 > 192.168.1.1.53:  53596+ AAAA? b.rad.live.com. (32)
> 23:07:32.789780 IP 192.168.1.2.2003 > 192.168.1.1.53:  63005+ A? b.rad.live.com. (32)
> 23:07:32.811612 IP 192.168.1.2.2003 > 192.168.1.1.53:  63005+ A? b.rad.live.com. (32)
> 23:07:32.831475 IP 192.168.1.2.2003 > 192.168.1.1.53:  28455+ AAAA? api.maps.yahoo.com. (36)
> 23:07:32.852738 IP 192.168.1.2.2003 > 192.168.1.1.53:  28455+ AAAA? api.maps.yahoo.com. (36)
> 23:07:32.872216 IP 192.168.1.2.2003 > 192.168.1.1.53:  14490+ A? api.maps.yahoo.com. (36)
> 23:07:32.892742 IP 192.168.1.2.2003 > 192.168.1.1.53:  14490+ A? api.maps.yahoo.com. (36)
> 
> 84 packets captured
> 168 packets received by filter
> 0 packets dropped by kernel
===

     For connections that are established and active, I'd normally use
netstat to see the process ID (PID).  However, that didn't work.  It
shows the connection, but doesn't list the PID.

===
> workstation:~ # netstat -npcuve
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
> udp        0      0 192.168.1.2:2038        192.168.1.1:53          ESTABLISHED 0          1993246    -
===

So, I tried using lsof.  I set it up to repeatedly check every second
(-r 1) for UDP packets going to the nameserver.  It showed nothing.
Just to check that I was running lsof correctly, I used
"netcat -u 192.168.1.1 53"; that did cause something to show up:

===
> workstation:~ # lsof -r 1 -n -P -i UDP at 192.168.1.1:53
> =======
> =======
> COMMAND  PID     USER   FD   TYPE  DEVICE SIZE NODE NAME
> netcat  6126 testuser    3u  IPv4 1984487       UDP 192.168.1.2:2038->192.168.1.1:53
> =======
> COMMAND  PID     USER   FD   TYPE  DEVICE SIZE NODE NAME
> netcat  6126 testuser    3u  IPv4 1984487       UDP 192.168.1.2:2038->192.168.1.1:53
> =======
> =======
===

     How can I find out which process is making these DNS queries?

- --
Bernie Hoefer
PGP e-mail is welcome!  Get my 1024 bit signature key from:
<http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
"The more I know, the more I realize how much I do not understand."


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFHAywFckGmqURqb5MRAqaXAJwMFPdMildnzZuJ3skCmIRC9A3bagCbBUVL
YkdnhAcnSoIIT7fjA9QRv/Y=
=UM7Z
-----END PGP SIGNATURE-----
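The question above is how to attribute short-lived UDP DNS traffic to a PID when netstat prints "-" in the PID column and "lsof -r 1" polls too slowly to catch the socket. The script below is an added example, not code from the original post or from the Novalug list: it polls /proc/net/udp every 50 ms, keeps the sockets whose peer is the resolver on port 53, and maps each socket inode to a process by reading the socket:[inode] links under /proc/<pid>/fd, which is the same inode-to-fd lookup that "netstat -p" and "lsof" perform. It assumes a Linux /proc layout (IPv4 only) and root privileges to read other users' file descriptors. The embedded /proc/net/udp text is constructed for the self-test; its inode and source port reuse the values from the netstat output in the post.

```python
#!/usr/bin/env python3
"""Attribute UDP sockets that talk to a DNS resolver to their owning PID.

Added example (not from the original post). Assumes a Linux /proc layout;
reading other users' /proc/<pid>/fd requires root.
"""
import os
import socket
import struct
import sys
import time

DNS_PORT = 53

# Constructed sample of /proc/net/udp (IPv4). The first row mirrors the
# netstat line from the post: 192.168.1.2:2038 -> 192.168.1.1:53, inode 1993246.
# The second row is an unconnected socket on port 68 (DHCP client).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 0201A8C0:07F6 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000     0        0 1993246 2 0000000000000000 0
 1235: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
"""


def decode_hex_addr(hexaddr):
    """'0201A8C0:07F6' (kernel form) -> ('192.168.1.2', 2038).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian machines the bytes appear reversed; pack with '<I' to undo it.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_udp(text):
    """Parse /proc/net/udp text into a list of socket dicts.

    Columns: sl local_address rem_address st tx_queue:rx_queue tr:tm->when
             retrnsmt uid timeout inode ref pointer drops
    """
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_hex_addr(fields[1]),
            "remote": decode_hex_addr(fields[2]),
            "state": int(fields[3], 16),  # 1 = connected (ESTABLISHED), 7 = unconnected
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def dns_sockets(sockets, resolver_ip=None):
    """Keep sockets connected to port 53 (optionally only to resolver_ip).

    Unconnected sockets show a 0.0.0.0:0 peer and cannot be attributed this way.
    """
    return [s for s in sockets
            if s["remote"][1] == DNS_PORT
            and (resolver_ip is None or s["remote"][0] == resolver_ip)]


def socket_inode_owners(proc="/proc"):
    """Scan /proc/<pid>/fd and return {inode: (pid, comm)} for every socket fd."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours and we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[len("socket:["):-1])
                try:
                    with open(os.path.join(proc, pid, "stat")) as f:
                        stat = f.read()
                    comm = stat[stat.index("(") + 1:stat.rindex(")")]
                except (OSError, ValueError):
                    comm = "?"
                owners[inode] = (int(pid), comm)
    return owners


def watch(resolver_ip, seconds=30.0, interval=0.05):
    """Poll /proc/net/udp and report the owner of each new DNS socket once."""
    seen = set()
    deadline = time.time() + seconds
    while time.time() < deadline:
        with open("/proc/net/udp") as f:
            socks = parse_proc_net_udp(f.read())
        fresh = [s for s in dns_sockets(socks, resolver_ip) if s["inode"] not in seen]
        if fresh:
            owners = socket_inode_owners()  # scan only when there is something new
            for s in fresh:
                seen.add(s["inode"])
                pid, comm = owners.get(s["inode"], ("?", "closed before fd scan"))
                print("%s:%d -> %s:%d inode=%d uid=%d pid=%s (%s)" % (
                    s["local"] + s["remote"] + (s["inode"], s["uid"], pid, comm)))
        time.sleep(interval)


if __name__ == "__main__":
    # usage: dnspid.py <resolver-ip> [seconds]; run as root
    if len(sys.argv) < 2:
        sys.exit("usage: %s <resolver-ip> [seconds]" % sys.argv[0])
    watch(sys.argv[1], float(sys.argv[2]) if len(sys.argv) > 2 else 30.0)
```

Run it as root with the resolver address from the capture ("dnspid.py 192.168.1.1 60") while the queries are occurring. A line whose owner reads "closed before fd scan" means the resolver socket was opened and closed between two polls; lowering the interval narrows that window, but for sockets that live only a few milliseconds a kernel-side trace (for example auditing connect/sendto system calls) is the reliable answer.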

