LinuxQuestions.org

Linux - Networking: Monitoring DNS Queries (https://www.linuxquestions.org/questions/linux-networking-3/monitoring-dns-queries-4175560166/)

upnort 11-29-2015 02:41 PM

Monitoring DNS Queries
 
I am reconfiguring my home LAN to use a single local DNS server for all DNS queries rather than having each system perform its own queries.

How do I validate all systems are using only the local DNS server?

My local DNS server (192.168.1.2) is using dnsmasq. The dnsmasq log shows everything to be working as I expected.

My client test system's (192.168.1.6) resolv.conf:

nameserver 127.0.0.1
nameserver 192.168.1.2

My test system is not experiencing any hangs or delays. After a short web browser session the server dnsmasq log shows many query requests from the IP address of my test system. A good sign but inconclusive.

To my understanding, the Linux resolver is limited to resolv.conf addresses. I presume then all DNS queries are limited to those two IP addresses. So perhaps that design itself is all the validation I need. Nonetheless, would be nice to monitor something at the test system to validate each query is going only to 192.168.1.2.

How do I verify the test system (192.168.1.6) is only using 192.168.1.2 for dns queries?

Thanks. :)

berndbausch 11-29-2015 05:45 PM

It's hard to exclude improbable border cases, such as a process doing its own name resolution without using the resolver. If your concern is DNS queries, though, you could trace network packets with port 53.

Another option might be writing your own gethostbyname as a front end to the standard library function that monitors this.

lambo69 11-30-2015 01:57 AM

Try Wireshark or tcpdump.
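Added example, not posted by anyone in this thread: a small Python script that does the tcpdump-based check the replies above suggest. It reads the text output of tcpdump (e.g. `tcpdump -nn -l -i any 'port 53'` on the client), keeps only the DNS query lines, counts queries per destination server and lists every query that went somewhere other than the allowed resolvers. The capture lines embedded below are constructed sample data in tcpdump's output format, and the script name `dns_audit.py` is hypothetical.

```python
#!/usr/bin/env python3
"""Audit which servers a host actually sends DNS queries to, from tcpdump text output."""
import re
import sys
from collections import Counter

# Constructed sample of tcpdump output (not a real capture). The client is
# 192.168.1.6; 192.168.1.2 is the local dnsmasq server from the thread.
SAMPLE_CAPTURE = """\
14:02:11.101 IP 192.168.1.6.51234 > 192.168.1.2.53: 41823+ A? example.com. (29)
14:02:11.104 IP 192.168.1.2.53 > 192.168.1.6.51234: 41823 1/0/0 A 93.184.216.34 (45)
14:02:12.220 IP 192.168.1.6.51235 > 192.168.1.2.53: 41824+ AAAA? example.com. (29)
14:02:15.030 IP 192.168.1.6.43001 > 8.8.8.8.53: 9001+ A? updates.example.net. (37)
14:02:15.031 IP 192.168.1.6.43002 > 1.1.1.1.53: 9002+ A? telemetry.example.org. (39)
14:02:16.500 IP 192.168.1.6.51236 > 192.168.1.2.53: 41825+ PTR? 2.1.168.192.in-addr.arpa. (42)
"""

# Resolvers the client is supposed to use (from its resolv.conf in the thread).
ALLOWED_RESOLVERS = {"192.168.1.2", "127.0.0.1"}

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"; the greedy \S+ for dst
# backtracks so that the final ".<digits>" is captured as the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Query lines look like "41823+ A? example.com."; responses ("41823 1/0/0 A ...")
# carry no "TYPE?" token and are therefore not matched.
QUERY_RE = re.compile(r"^\d+[+%*$|]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def parse_queries(capture_text):
    """Yield (timestamp, destination_ip, qtype, qname) for each DNS query line."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        q = QUERY_RE.match(m.group("rest"))
        if not q:
            continue  # a response, or non-query traffic on port 53
        yield m.group("ts"), m.group("dst"), q.group("qtype"), q.group("qname")


def audit_resolvers(capture_text, allowed=ALLOWED_RESOLVERS):
    """Return (queries per destination server, queries sent to servers not in `allowed`)."""
    counts = Counter()
    violations = []
    for ts, dst, qtype, qname in parse_queries(capture_text):
        counts[dst] += 1
        if dst not in allowed:
            violations.append((ts, dst, qtype, qname))
    return counts, violations


def report(capture_text, allowed=ALLOWED_RESOLVERS):
    """Human-readable summary; returns True when every query went to an allowed server."""
    counts, violations = audit_resolvers(capture_text, allowed)
    print("DNS queries per server:")
    for server, n in counts.most_common():
        flag = "" if server in allowed else "   <-- not in resolv.conf"
        print(f"  {server:<16} {n:>5}{flag}")
    for ts, dst, qtype, qname in violations:
        print(f"UNEXPECTED {ts} {qtype} {qname} -> {dst}")
    return not violations


if __name__ == "__main__":
    # Pipe live output in: tcpdump -nn -l -i any 'port 53' | python3 dns_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    sys.exit(0 if report(text) else 1)
```

Capture on `-i any` (or also on `lo`) if the client lists 127.0.0.1 in resolv.conf, otherwise queries to a local caching resolver are never seen. The script only looks at plain DNS on port 53, so, as zhjim notes below, a program resolving names over another port or protocol would not show up here.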

zhjim 11-30-2015 06:56 AM

You can only verify it at the gateway level. Or maybe at the switch level when you mirror the traffic of a certain port.
As already pointed out, the usage of your local DNS server is no guaranteed sign that it's the only DNS server used by the client. You would need to monitor the traffic on the UDP and TCP ports 53. Also this is no 100% guarantee that no other DNS server is being used. But it tackles the default ports and protocol of DNS. 100% assurance can only be given if you monitor all network traffic and search for DNS protocol packets. Which could be hard in case of SSL traffic.

On the client side you should trust the configuration settings. Also, this would not hold back an application that does not honour this setting. Maybe install some firewall rules that allow the DNS protocol to only communicate with your local DNS server.
Quote:

# Rules need a chain (OUTPUT for traffic the client sends) and the REJECT
# rule needs a protocol, because --dport is only valid with -p udp/-p tcp.
iptables -A OUTPUT -p udp --dport 53 -d 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j REJECT
iptables -A OUTPUT -p tcp --dport 53 -j REJECT

upnort 11-30-2015 11:45 AM

Hmm. Sounds as though something so seemingly simple is actually a bit tricky. :)

My focus is not security. That is, I only want to confirm my configuration and plan are working as intended. I have not forced all routing through the server as a gateway, just DNS queries. My router (running DD-WRT) is still the LAN gateway.

Not that security should be ignored -- the Microsoft folks hard-code IP addresses into their systems to avoid hosts file queries. Basically any closed source software probably should be likewise untrusted. But that is beyond the scope of this little project. :)

I suppose there is no convenient way to confirm other than run wireshark on the client machine and then monitor in real time. Possibly another test would be to unplug the server and then monitor the client. Ideally everything would stall without a DNS server.

zhjim 12-01-2015 02:08 AM

Trust the configuration. And don't forget that all addresses resolved before unplugging could still be cached on the client.

upnort 12-05-2015 10:20 PM

I discovered another location where DNS servers are stored: Network Manager. When not using auto then be sure to edit those files as well.
