LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 02-18-2013, 04:24 PM   #1
jonhen
LQ Newbie
 
Registered: Feb 2013
Posts: 4

Rep: Reputation: Disabled
PC calling DNS nameserver every 10 seconds


I have 4 computers all using Ubuntu 12.04 all set up similarly but one of them is continuously calling the DNS nameserver every 10 or 20 seconds (not sure from the logs) but the network monitor is showing activity in/out every 10. Syslog says 20 and that it is a kernel notification.

I've tried blocking it with ufw but that hasn't given me any clue. Wireshark shows the source as IntelCor_<hex> and comparing it with the other 3 computers hasn't helped. Looking at running processes with top hasn't helped either.

Anybody have any other ideas before I rebuild this one?
 
Old 02-18-2013, 05:10 PM   #2
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 1,765

Rep: Reputation: 192Reputation: 192
Quote:
continuously calling the DNS nameserver every 10 or 20 seconds
That sounds normal. Run tcpdump and see who it's talking to. Use you own term and eth device. Something like
Code:
xterm -T TCPdump +sb -g 80x45 -e sudo tcpdump -q -t -i eth0
 
Old 02-19-2013, 05:00 AM   #3
jonhen
LQ Newbie
 
Registered: Feb 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestion. Tried that but it didn't tell me anything new. I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog. Just knowing what is initiating the calls would be halfway to solving it.

I noticed while checking with top in the command column http was listed which it isn't in the other computers.
 
Old 02-19-2013, 07:18 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901
Quote:
Originally Posted by jonhen
continuously calling the DNS nameserver every 10 or 20 seconds
What is the actual host name the machine looks up continuously? (Since the machine as you say continuously calls the name server you could also tally requests by running 'dnstop' on the name server if you have access to it.)


Quote:
Originally Posted by jonhen View Post
I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog.
That does not make any sense at all. Please post output.


Quote:
Originally Posted by jonhen View Post
Just knowing what is initiating the calls would be halfway to solving it.
Netfilter allows you to filter traffic by UID using the "owner" module. Example here. If the machine runs the audit service check this.

Quote:
Originally Posted by jonhen View Post
I noticed while checking with top in the command column http was listed which it isn't in the other computers.
Is it "http" or "httpd"? Anyway, just list what it does:
Code:
pgrep httpd|xargs -iX lsof -Pwlnp 'X' -a -i
# or
netstat -antupe | egrep "($(pgrep httpd -d "|"))"

Last edited by unSpawn; 02-19-2013 at 07:19 AM. Reason: //More *is* more
 
Old 02-19-2013, 09:30 AM   #5
jonhen
LQ Newbie
 
Registered: Feb 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
From wireshark:

"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"

From syslog with all outgoing blocked by the firewall:

Feb 19 08:40:13 HP-dv2500 kernel: [ 1652.209510] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=10372 DF PROTO=UDP SPT=40135 DPT=53 LEN=34
Feb 19 08:40:33 HP-dv2500 kernel: [ 1672.210942] [UFW BLOCK] IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=15372 DF PROTO=UDP SPT=53249 DPT=53 LEN=34

Not sure when I saw it as ICMP so best ignore that for now. You're quite right that doesn't make any sense.

Looking at running processes with top it was http I saw periodically, anyway neither pgrep nor netstat produce any output, http may have nothing to do with this, I don't know.

I'll check out netfilter and post any useful findings.

Thanks
 
Old 02-19-2013, 03:30 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901Reputation: 2901
Quote:
Originally Posted by jonhen View Post
From wireshark:
Code:
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
Common practice for SOHO LAN machines (behind CPE configured for residential use) is not to resolve any host names themselves but to forward questions to the providers name servers who then do recursion. Your LAN host is asking one name server (specifically the FoeBuD one, mentioned in the CCC DNS HOWTO) to resolve a host name. This means it must have been explicitly configured to send its questions there. Quad A's are IPv6 records meaning the LAN client doesn't have IPv6 disabled.

If you (still?) have your packet capture then simply filter for UDP in Wireshark (or read it with 'tcpdump -r') and it should show you which host names it tries to resolve. That should give you some indication of what's going on.
 
Old 02-20-2013, 11:58 AM   #7
jonhen
LQ Newbie
 
Registered: Feb 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thumbs up Soved

First off, thanks for all the help and suggestions. From all the analysing I came to the conclusion there was nothing basically wrong with my install but that something was trying to get out. This got me looking at my home directory.

What I eventually did in the end was rather less technical but effective nonetheless, I backed up my .mozilla (firefox) profile and my .thunderbird (email) profile and deleted them. The spurious network traffic stopped on deleting the thunderbird profile. So it rather looks like something has crept in to my email profile, I will investigate thunderbird further just in case it's not just the profile.

I thought perhaps I was getting a little paranoid but it does look like something was going on.

Thanks guys.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
No Nameserver found - Nameserver (DNS) failure EPS Linux - Networking 10 01-14-2012 08:11 AM
dns nameserver tkbonito Linux - Networking 3 07-23-2009 05:45 PM
I screwed something on nameserver/dns centosfan Linux - Server 2 01-29-2008 09:27 AM
Not connecting to my DNS nameserver krisprasad Linux - Networking 3 10-30-2004 08:18 AM
Gentoo DNS(nameserver)! Xerop Linux - Networking 3 05-20-2004 06:47 AM


All times are GMT -5. The time now is 10:59 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration