LinuxQuestions.org
Old 01-13-2008, 01:29 PM   #1
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

DNS servers chatting it up with my box


Hello, I set up iptables to drop and log all traffic except solicited and loopback. Everything works fine, but why am I in constant communication with the two DNS servers my ISP assigned me to? My understanding is they resolve domain names to IPs for routing on request only. With no web browsing or services being used, I am still in constant contact with them. And dropping all this traffic both ways, in and out, has not broken anything; domains still resolve, I'm on this website right now. What's the deal with all the yacking?

Last edited by tobiusmaximus; 01-13-2008 at 01:38 PM.
 
Old 01-13-2008, 02:08 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

no idea without seeing the traffic. capture it in wireshark and let's see...
 
Old 01-13-2008, 02:38 PM   #3
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

Original Poster
headers sample

Here's a snippet. 192.168.1.100 of course is my box in question on the LAN, 192.168.1.1 is my router; some of this chat between my box and DNS seems to have something to do with my router.
I hope this comes out all right; I started up gpm to copy and paste into here (lynx).

15:30:59.147369 IP ns1.broadbandsupport.net.domain > 192.168.1.100.32776: 42761 NXDomain 0/1/0 (10
15:30:59.148882 IP 192.168.1.100.32776 > ns1.broadbandsupport.net.domain: 47712+ PTR? 1.1.168.192.
15:31:04.149895 IP 192.168.1.100.32777 > ns2.broadbandsupport.net.domain: 47712+ PTR? 1.1.168.192.
15:31:06.953567 IP ns1.broadbandsupport.net.domain > 192.168.1.100.32776: 47712 ServFail 0/0/0 (42)
15:31:09.150288 IP 192.168.1.100.32776 > ns1.broadbandsupport.net.domain: 47712+ PTR? 1.1.168.192.
15:31:09.150775 IP 192.168.1.100.32777 > ns2.broadbandsupport.net.domain: 47712+ PTR? 1.1.168.192.
15:31:14.152063 IP 192.168.1.100.32777 > ns1.broadbandsupport.net.domain: 8659+ PTR? 100.1.168.192
15:31:19.151558 IP 192.168.1.100.32778 > ns2.broadbandsupport.net.domain: 8659+ PTR? 100.1.168.192
15:31:19.608315 IP ns2.broadbandsupport.net.domain > 192.168.1.100.32778: 8659 ServFail 0/0/0 (44)
15:31:19.608998 IP 192.168.1.100.32778 > ns1.broadbandsupport.net.domain: 8659+ PTR? 100.1.168.192
15:31:22.740212 IP ns1.broadbandsupport.net.domain > 192.168.1.100.32778: 8659 ServFail 0/0/0 (44)
15:31:22.740819 IP 192.168.1.100.32778 > ns2.broadbandsupport.net.domain: 8659+ PTR? 100.1.168.192
15:31:22.742081 IP ns1.broadbandsupport.net.domain > 192.168.1.100.32777: 8659 ServFail 0/0/0 (44)


Edit: I can't clean it up any through lynx. Sorry for the crappy format. This chatter is constant, twenty-four hours a day, for as long as I remember, no matter what I am running, and nobody has ever given me a straight answer. Why does my box talk to DNS servers -constantly-?

Last edited by acid_kewpie; 01-13-2008 at 04:04 PM.
 
Old 01-13-2008, 04:07 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

ok, so it's a ptr lookup coming from 192.168.1.100. is that you? something looking up its own hostname... probably just want to set your hostname in /etc/resolv.conf and it should disappear instantly.

127.0.0.1 localhost localhost.localdomain
192.168.1.100 mycomputer
 
Old 01-13-2008, 08:41 PM   #5
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

Original Poster
ok

First, my router is the device connected directly to the internet; in other words, the device which would obtain its domain name (you know, somecustomer.xx.xxx.xx.xx.someisp). The router has its external IP and whatever assigned domain name stand-alone from whatever box I have hooked up to it LAN-side. I can unplug or turn off the puter and the router is still a presence on the net. So I can see my router talking to the name servers, but my box -inside- the LAN talking non-stop still does not make sense. Its hostname is set internally, its IP is obtained from the router. Resolv.conf contains the IPs of the DNS servers. Again, I understand if a browser or other app needs to resolve a domain name (ex: irssi irc.freenode.net would result in nameserver use), but the constant purposeless chatter like I posted I don't get.

Last edited by tobiusmaximus; 01-13-2008 at 08:48 PM.
 
Old 01-14-2008, 02:49 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

well that's what i answered... i told you what to do...
 
Old 01-14-2008, 03:11 PM   #7
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

Original Poster
RE:

Hey, you did answer my question.. I thought you were stating the obvious about the IPs.
I set my hostname in resolv.conf and the stream of requests stopped.

Now it does the same with the router, just not as often. Unneighbourly to incessantly flood my ISP's nameservers because of poor configuration, but this is from a default install and the same thing goes on with every *nix I've worked with. Slack asked me to set hostname and domain on install and I did.

I've got one more question:
15:34:18.839315 IP 202.106.165.44.3637 > 192.168.1.100.ms-sql-s: S 2630016369:2630016369(0) win 655$
15:34:18.841629 IP 192.168.1.100.32775 > ns1.broadbandsupport.net.domain: 43359+ PTR? 44.165.106.2$
15:34:18.912109 IP ns1.broadbandsupport.net.domain > 192.168.1.100.32775: 43359 NXDomain 0/1/0 (99)

That machine was looking for some mysql service; the corresponding log (debug) shows it being dropped, but my computer makes a DNS request regarding the IP. Where is this info? The firewall logging the dropped packet to debug is a half-ass iptables rule I wrote, but there's stuff going on here that isn't logged anywhere.
 
Old 01-14-2008, 03:42 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

well really the only thing directly talking to your ISP's nameservers *should* be the router itself, and that router is used as the DNS server to your internal nodes. I've never really thought about this sort of DNS request and what should happen to it, but the router's DNS *should* ideally discard it if it's not able to directly answer it itself. it should know that no one else is allowed to answer...
 
Old 01-14-2008, 07:41 PM   #9
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

Original Poster
Title

Let me clarify exactly what goes on now: (slackware 12 behind linksys NRO41 connected via DHCP through cable modem)
(If the router should handle dns, resolv.conf contains my isp's nameserver IP's. DHCPD auto-configured my connection.)
My machine intermittently sends this request to the nameservers: (This entire conversation is between my box and the ISP's DNS)
n 51262+ PTR? 250.255.255.239.in-addr.arpa. (46)
And is answered with this:
51262 NXDomain 0/1/0 (103)
My machine then repeats the request with the router lan-side IP:
PTR? 1.1.168.192.in-addr.arpa. (42)
DNS answer header:
36155 NXDomain 0/1/0 (119)
My machine, same request, this time its own LAN IP (yes, it's doing it again):
43988+ PTR? 100.1.168.192.in-addr.arpa. (44)
DNS answer header:
43988 NXDomain 0/1/0 (121)
My computer, same request, this time with the DNS server IP!?! The same one it's talking to.
28820+ PTR? 181.241.83.65.in-addr.arpa. (44)
DNS answers:
28820 2/2/2[|domain]
This cycle goes on endlessly. The only direct communication between box and router is my box's ARP request and the router's response. If the router is supposed to be my LAN's dns server, it's sleeping on the job.
Which reminds me: If my network is auto-configured by the router's dhcp server, which in turn is auto configured through my ISP's DHCP server, could this be some trick to have a clueless customer's LAN mapped out and keep tabs on what goes on inside? Remember, this same song-and-dance goes on with any *nix system I have used while with my ISP.

Last edited by tobiusmaximus; 01-14-2008 at 07:45 PM.
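As an added example (not code from this thread), here is a small Python script that parses tcpdump DNS lines like the ones posted above and flags PTR queries for addresses an ISP resolver can never answer: RFC 1918 private ranges, multicast such as 239.255.255.250, link-local and loopback. The capture below is constructed to mirror the pattern in the thread, and the resolver name ns1.example.net is a placeholder.

```python
import re
import ipaddress

# Constructed sample capture in tcpdump's DNS line format, modelled on the
# queries shown in this thread (resolver name is a placeholder).
SAMPLE_CAPTURE = """\
15:30:59.148882 IP 192.168.1.100.32776 > ns1.example.net.domain: 47712+ PTR? 1.1.168.192.in-addr.arpa. (42)
15:31:14.152063 IP 192.168.1.100.32777 > ns1.example.net.domain: 8659+ PTR? 100.1.168.192.in-addr.arpa. (44)
15:34:18.841629 IP 192.168.1.100.32775 > ns1.example.net.domain: 43359+ PTR? 44.165.106.202.in-addr.arpa. (45)
15:40:01.000000 IP 192.168.1.100.32779 > ns1.example.net.domain: 51262+ PTR? 250.255.255.239.in-addr.arpa. (46)
15:40:02.000000 IP 192.168.1.100.32780 > ns1.example.net.domain: 12345+ A? www.example.com. (33)
"""

# Matches the query side of a tcpdump PTR line: timestamp, source, resolver, name.
PTR_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): \d+\+ PTR\? (?P<name>\S+)")


def ptr_name_to_ip(name):
    """Turn '100.1.168.192.in-addr.arpa.' back into IPv4Address('192.168.1.100')."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def classify(ip):
    """Why a reverse lookup for this address should be answered locally, or None if public."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private (RFC 1918)"
    return None


def find_leaked_ptr_queries(capture):
    """Return (timestamp, queried_ip, reason) for each PTR query that leaks a LAN-only address."""
    leaks = []
    for line in capture.splitlines():
        m = PTR_RE.match(line)
        if not m:
            continue  # answers, A queries and non-DNS lines are ignored
        ip = ptr_name_to_ip(m.group("name"))
        if ip is None:
            continue
        reason = classify(ip)
        if reason:
            leaks.append((m.group("ts"), str(ip), reason))
    return leaks


if __name__ == "__main__":
    for ts, ip, reason in find_leaked_ptr_queries(SAMPLE_CAPTURE):
        print(f"{ts} reverse lookup for {ip} left the LAN ({reason}); add it to /etc/hosts")
```

Feed it `tcpdump -nn port 53` output captured on the LAN interface; anything it reports is a lookup that /etc/hosts (with `hosts: files dns` in /etc/nsswitch.conf) or the router's own resolver should have answered.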
 
Old 01-15-2008, 06:27 PM   #10
tobiusmaximus
LQ Newbie
 
Registered: Dec 2007
Location: on the seeeeeee.
Distribution: AArrrg2.0
Posts: 20

Original Poster
re:

Alright, I set my router as the nameserver in resolv.conf and it is working after some real weird stuff. I tested by running tcpdump, switching shells and lynxing to google. Lynx did some odd stuff, claiming google unresolvable, then said 'guessing' and added another .com to the end, which directed me to search.com. After that hiccup, the router started resolving properly, and tcpdump confirms all DNS traffic LAN-side is now between my box and router. All, not just LAN-specific traffic.
Which raises the question: should I even use DHCP LAN-side?
DHCP is all I've ever read or heard about anyone using with a dynamic IP, and it didn't click that DHCP doesn't necessarily apply LAN-side.
With the router set to DHCP WAN-side, I'm going to do a test run setting up static networking LAN-side.
Which also raises another issue: if I continue poking at using a Linux box for a router, am I going to have to also set up a real nameserver on it? Or is there a proper way for a router to non-transparently relay DNS traffic without BIND and stuff? Seems like a security headache for something like that to run on a router. How does the Linksys do it?

Last edited by tobiusmaximus; 01-15-2008 at 06:39 PM.
 