[Novalug] Finding PID That Is Querying DNS

gregory pryzby greg at pryzby.org
Wed Oct 3 07:57:35 EDT 2007


The last numbers (.2003 and .53) are the ports

2003 cfinger
53   domain (name-domain service)
/etc/services

On Wed, Oct 03, 2007 at 12:43:46AM -0500, Bernie Hoefer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>      Hello.  I'm wondering how I might find which process is performing
> hostname lookups from my OpenSuSE 10.1 workstation.
>      I noticed that my workstation is, about every 15 seconds, querying
> hostnames.  I shutdown all the programs (browser, OpenOffice, etc.) I
> was using.  I then only had some Konsole windows open, yet DNS queries
> are still coming from my workstation.  Here is a TCP dump:
> 
> ===
> > workstation:~ # tcpdump -n dst host 192.168.1.1 port 53
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 23:07:31.749288 IP 192.168.1.2.2003 > 192.168.1.1.53:  14714+ AAAA? tags.expo9.exponential.com. (44)
> > 23:07:31.768688 IP 192.168.1.2.2003 > 192.168.1.1.53:  14714+ AAAA? tags.expo9.exponential.com. (44)
> > 23:07:31.785868 IP 192.168.1.2.2003 > 192.168.1.1.53:  46759+ A? tags.expo9.exponential.com. (44)
> > 23:07:31.804787 IP 192.168.1.2.2003 > 192.168.1.1.53:  46759+ A? tags.expo9.exponential.com. (44)
> > 23:07:31.824754 IP 192.168.1.2.2003 > 192.168.1.1.53:  56575+ AAAA? view.atdmt.com. (32)
> > 23:07:31.841642 IP 192.168.1.2.2003 > 192.168.1.1.53:  56575+ AAAA? view.atdmt.com. (32)
> > 23:07:31.860692 IP 192.168.1.2.2003 > 192.168.1.1.53:  4054+ A? view.atdmt.com. (32)
> > 23:07:31.878834 IP 192.168.1.2.2003 > 192.168.1.1.53:  4054+ A? view.atdmt.com. (32)
> > 23:07:31.899762 IP 192.168.1.2.2003 > 192.168.1.1.53:  13455+ AAAA? a.tribalfusion.com. (36)
> > 23:07:31.922340 IP 192.168.1.2.2003 > 192.168.1.1.53:  13455+ AAAA? a.tribalfusion.com. (36)
> > 23:07:31.942765 IP 192.168.1.2.2003 > 192.168.1.1.53:  38090+ A? a.tribalfusion.com. (36)
> > 23:07:31.967625 IP 192.168.1.2.2003 > 192.168.1.1.53:  38090+ A? a.tribalfusion.com. (36)
> > 23:07:31.987984 IP 192.168.1.2.2003 > 192.168.1.1.53:  24+ AAAA? farm1.static.flickr.com. (41)
> > 23:07:32.011748 IP 192.168.1.2.2003 > 192.168.1.1.53:  24+ AAAA? farm1.static.flickr.com. (41)
> > 23:07:32.031846 IP 192.168.1.2.2003 > 192.168.1.1.53:  35889+ A? farm1.static.flickr.com. (41)
> > 23:07:32.052770 IP 192.168.1.2.2003 > 192.168.1.1.53:  35889+ A? farm1.static.flickr.com. (41)
> > 23:07:32.073345 IP 192.168.1.2.2003 > 192.168.1.1.53:  43132+ AAAA? a.rad.live.com. (32)
> > 23:07:32.092727 IP 192.168.1.2.2003 > 192.168.1.1.53:  43132+ AAAA? a.rad.live.com. (32)
> > 23:07:32.112605 IP 192.168.1.2.2003 > 192.168.1.1.53:  8399+ A? a.rad.live.com. (32)
> > 23:07:32.134714 IP 192.168.1.2.2003 > 192.168.1.1.53:  8399+ A? a.rad.live.com. (32)
> > 23:07:32.154698 IP 192.168.1.2.2003 > 192.168.1.1.53:  35674+ AAAA? login.passport.net. (36)
> > 23:07:32.176756 IP 192.168.1.2.2003 > 192.168.1.1.53:  35674+ AAAA? login.passport.net. (36)
> > 23:07:32.196773 IP 192.168.1.2.2003 > 192.168.1.1.53:  32425+ A? login.passport.net. (36)
> > 23:07:32.216748 IP 192.168.1.2.2003 > 192.168.1.1.53:  32425+ A? login.passport.net. (36)
> > 23:07:32.237558 IP 192.168.1.2.2003 > 192.168.1.1.53:  32523+ AAAA? ad.interclick.com. (35)
> > 23:07:32.256743 IP 192.168.1.2.2003 > 192.168.1.1.53:  32523+ AAAA? ad.interclick.com. (35)
> > 23:07:32.276732 IP 192.168.1.2.2003 > 192.168.1.1.53:  17288+ A? ad.interclick.com. (35)
> > 23:07:32.299140 IP 192.168.1.2.2003 > 192.168.1.1.53:  17288+ A? ad.interclick.com. (35)
> > 23:07:32.318846 IP 192.168.1.2.2003 > 192.168.1.1.53:  43277+ AAAA? h.msn.com. (27)
> > 23:07:32.349845 IP 192.168.1.2.2003 > 192.168.1.1.53:  43277+ AAAA? h.msn.com. (27)
> > 23:07:32.378196 IP 192.168.1.2.2003 > 192.168.1.1.53:  16315+ A? h.msn.com. (27)
> > 23:07:32.396733 IP 192.168.1.2.2003 > 192.168.1.1.53:  16315+ A? h.msn.com. (27)
> > 23:07:32.416739 IP 192.168.1.2.2003 > 192.168.1.1.53:  55758+ AAAA? h.live.com. (28)
> > 23:07:32.436716 IP 192.168.1.2.2003 > 192.168.1.1.53:  55758+ AAAA? h.live.com. (28)
> > 23:07:32.456765 IP 192.168.1.2.2003 > 192.168.1.1.53:  35730+ A? h.live.com. (28)
> > 23:07:32.476708 IP 192.168.1.2.2003 > 192.168.1.1.53:  35730+ A? h.live.com. (28)
> > 23:07:32.496768 IP 192.168.1.2.2003 > 192.168.1.1.53:  20489+ AAAA? rad.live.com. (30)
> > 23:07:32.516714 IP 192.168.1.2.2003 > 192.168.1.1.53:  20489+ AAAA? rad.live.com. (30)
> > 23:07:32.536039 IP 192.168.1.2.2003 > 192.168.1.1.53:  30467+ A? rad.live.com. (30)
> > 23:07:32.558950 IP 192.168.1.2.2003 > 192.168.1.1.53:  30467+ A? rad.live.com. (30)
> > 23:07:32.579745 IP 192.168.1.2.2003 > 192.168.1.1.53:  62087+ AAAA? ad.yieldmanager.com. (37)
> > 23:07:32.603030 IP 192.168.1.2.2003 > 192.168.1.1.53:  62087+ AAAA? ad.yieldmanager.com. (37)
> > 23:07:32.622473 IP 192.168.1.2.2003 > 192.168.1.1.53:  23660+ A? ad.yieldmanager.com. (37)
> > 23:07:32.644724 IP 192.168.1.2.2003 > 192.168.1.1.53:  23660+ A? ad.yieldmanager.com. (37)
> > 23:07:32.664610 IP 192.168.1.2.2003 > 192.168.1.1.53:  11533+ AAAA? www.sphere.com. (32)
> > 23:07:32.687092 IP 192.168.1.2.2003 > 192.168.1.1.53:  11533+ AAAA? www.sphere.com. (32)
> > 23:07:32.706451 IP 192.168.1.2.2003 > 192.168.1.1.53:  24941+ A? www.sphere.com. (32)
> > 23:07:32.731240 IP 192.168.1.2.2003 > 192.168.1.1.53:  24941+ A? www.sphere.com. (32)
> > 23:07:32.750181 IP 192.168.1.2.2003 > 192.168.1.1.53:  53596+ AAAA? b.rad.live.com. (32)
> > 23:07:32.771247 IP 192.168.1.2.2003 > 192.168.1.1.53:  53596+ AAAA? b.rad.live.com. (32)
> > 23:07:32.789780 IP 192.168.1.2.2003 > 192.168.1.1.53:  63005+ A? b.rad.live.com. (32)
> > 23:07:32.811612 IP 192.168.1.2.2003 > 192.168.1.1.53:  63005+ A? b.rad.live.com. (32)
> > 23:07:32.831475 IP 192.168.1.2.2003 > 192.168.1.1.53:  28455+ AAAA? api.maps.yahoo.com. (36)
> > 23:07:32.852738 IP 192.168.1.2.2003 > 192.168.1.1.53:  28455+ AAAA? api.maps.yahoo.com. (36)
> > 23:07:32.872216 IP 192.168.1.2.2003 > 192.168.1.1.53:  14490+ A? api.maps.yahoo.com. (36)
> > 23:07:32.892742 IP 192.168.1.2.2003 > 192.168.1.1.53:  14490+ A? api.maps.yahoo.com. (36)
> > 
> > 84 packets captured
> > 168 packets received by filter
> > 0 packets dropped by kernel
> ===
> 
>      For connections that are established and active, I'd normally use
> netstat to see the process ID (PID).  However, that didn't work.  It
> shows the connection, but doesn't list the PID.
> 
> ===
> > workstation:~ # netstat -npcuve
> > Active Internet connections (w/o servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
> > udp        0      0 192.168.1.2:2038        192.168.1.1:53          ESTABLISHED 0          1993246    -
> ===
> 
> So, I tried using lsof.  I set it up to repeatedly check every second
> (-r 1) for UDP packets going to the nameserver.  It showed nothing.
> Just to check that I was running lsof correctly, I used
> "netcat -u 192.168.1.1 53"; that did cause something to show up:
> 
> ===
> > workstation:~ # lsof -r 1 -n -P -i UDP at 192.168.1.1:53
> > =======
> > =======
> > COMMAND  PID     USER   FD   TYPE  DEVICE SIZE NODE NAME
> > netcat  6126 testuser    3u  IPv4 1984487       UDP 192.168.1.2:2038->192.168.1.1:53
> > =======
> > COMMAND  PID     USER   FD   TYPE  DEVICE SIZE NODE NAME
> > netcat  6126 testuser    3u  IPv4 1984487       UDP 192.168.1.2:2038->192.168.1.1:53
> > =======
> > =======
> ===
> 
>      How can I find out which process is making these DNS queries?
> 
> - --
> Bernie Hoefer
> PGP e-mail is welcome!  Get my 1024 bit signature key from:
> <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
> "The more I know, the more I realize how much I do not understand."
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> 
> iD8DBQFHAywFckGmqURqb5MRAqaXAJwMFPdMildnzZuJ3skCmIRC9A3bagCbBUVL
> YkdnhAcnSoIIT7fjA9QRv/Y=
> =UM7Z
> -----END PGP SIGNATURE-----
> _______________________________________________
> Novalug mailing list
> Novalug at calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
> 

-- 
greg pryzby                              greg at pryzby dot org
fingerprint: 8A1A DB90 869F 5DD1 D6E9 EEB6 C156 6B04 849F A86F
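[Editor's note: added example, not code posted by either author in this thread.]

lsof -r 1 samples the socket table once per second, but a UDP socket used for a single lookup can be opened, written, read and closed within the ~20 ms gaps visible in the capture above, so a once-per-second sampler will usually miss it. netstat -p prints "-" in the PID column for the same reason: it builds its inode-to-PID map from /proc/<pid>/fd, and if no process holds the socket's inode at that instant (or the caller cannot read that process's fd table) there is nothing to print. The script below reads the same kernel data those tools use, /proc/net/udp and /proc/net/udp6 for the sockets and the socket:[inode] symlinks under /proc/<pid>/fd for the owner, and polls it every 10 ms. It assumes Linux on a little-endian host (x86, arm64) and root privileges when the socket belongs to another user's process; the hostnames, ports and PIDs it prints come from whatever is on the machine it runs on.

```python
#!/usr/bin/env python3
"""Attribute UDP port-53 sockets to PIDs by reading /proc directly.

Added example for this thread, not code posted by either author. It reads the
same kernel tables that 'netstat -p' and 'lsof -i' consult: /proc/net/udp{,6}
for the sockets and the socket:[inode] symlinks under /proc/<pid>/fd for the
owner. Assumes Linux on a little-endian host (x86, arm64) and root when the
socket belongs to another user's process.
"""
import os
import socket
import struct
import sys
import time

DNS_PORT = 53


def decode_addr(hexaddr):
    """Turn an 'AABBCCDD:PPPP' field from /proc/net/udp into (ip, port).

    The kernel prints each 32-bit word of the address in host byte order,
    hence the '<I' (little-endian) packing; adjust on a big-endian host.
    """
    raw, port = hexaddr.split(":")
    words = [struct.pack("<I", int(raw[i:i + 8], 16)) for i in range(0, len(raw), 8)]
    family = socket.AF_INET if len(raw) == 8 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(port, 16)


def parse_proc_net_udp(text):
    """Parse the text of /proc/net/udp or /proc/net/udp6 into socket records."""
    records = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        records.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "uid": int(f[7]),
            "inode": int(f[9]),                 # the socket:[inode] seen under /proc/<pid>/fd
        })
    return records


def dns_sockets(records):
    """Keep sockets talking to a port-53 peer, or bound to 53 locally (a resolver)."""
    return [r for r in records if DNS_PORT in (r["remote"][1], r["local"][1])]


def inode_to_pids(inode, proc="/proc"):
    """Return every PID with socket:[inode] open; [] if nobody holds it any more."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # exited, or another user's process and not root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(pid))
                    break
            except OSError:                      # fd closed between listdir and readlink
                continue
    return owners


def comm(pid, proc="/proc"):
    """Short command name from /proc/<pid>/comm, '?' if the process is gone."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def snapshot(proc="/proc"):
    """One pass over udp and udp6; returns [(local, remote, inode, [(pid, comm), ...])]."""
    found = []
    for table in ("udp", "udp6"):
        try:
            with open(os.path.join(proc, "net", table)) as fh:
                text = fh.read()
        except OSError:                          # e.g. IPv6 disabled
            continue
        for r in dns_sockets(parse_proc_net_udp(text)):
            owners = [(p, comm(p, proc)) for p in inode_to_pids(r["inode"], proc)]
            found.append((r["local"], r["remote"], r["inode"], owners))
    return found


if __name__ == "__main__":
    # Sample every 10 ms (override with argv[1]) instead of lsof's 1 s; Ctrl-C to stop.
    interval = float(sys.argv[1]) if len(sys.argv) > 1 else 0.01
    seen = set()
    while True:
        for local, remote, inode, owners in snapshot():
            key = (inode, tuple(owners))
            if key in seen:
                continue
            seen.add(key)
            who = ", ".join("%d/%s" % o for o in owners) or "- (no owner found)"
            print("%s:%d -> %s:%d  inode %d  PID %s" % (local + remote + (inode, who)))
        time.sleep(interval)
```

Run it as root while the queries are going out; each new (socket inode, owner) pair is printed once. An entry that still shows "- (no owner found)" even at 10 ms means the socket is closed faster than the script can walk /proc, and the next step is to attach strace -f -e trace=network to candidate processes rather than to keep sampling.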