
CentOS 5.x

One of my CentOS servers is generating an excessive amount of DNS queries (as noted by my DNS admin). Unfortunately, it's unclear from service logs which process on my server is responsible for this.

I originally thought I could just look at the queries themselves for clues, but they are reverse DNS queries for popular IPs -- so I can't easily identify the origin of the query based on the search criteria.

Is there a command or method I can use to determine which process/service is issuing the queries?

Mike B

2 Answers


Use iptables to help you narrow it down, by logging the user ID of outgoing DNS queries.

iptables -I OUTPUT -m tcp -p tcp --dport 53 -m state --state NEW -j LOG --log-prefix "DNS traffic: " --log-uid
iptables -I OUTPUT -m udp -p udp --dport 53 -m state --state NEW -j LOG --log-prefix "DNS traffic: " --log-uid

This is the best you can do with iptables, but knowing the uid originating the traffic may be helpful in narrowing down its source.

Michael Hampton

iptables -I OUTPUT -p UDP --dport 53 -m string --algo bm --string foobar.su -j LOG --log-uid --log-prefix FOOBAR_MATCH

journalctl -t kernel -f | perl -ne '/FOOBAR_MATCH/ && /SPT=(\d+)/ && system("lsof -i udp:$1")'

wcc526