Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
I have 4 computers, all using Ubuntu 12.04 and all set up similarly, but one of them is continuously calling the DNS nameserver every 10 or 20 seconds (not sure from the logs): the network monitor is showing activity in/out every 10, syslog says 20 and that it is a kernel notification.
I've tried blocking it with ufw but that hasn't given me any clue. Wireshark shows the source as IntelCor_<hex> and comparing it with the other 3 computers hasn't helped. Looking at running processes with top hasn't helped either.
Anybody have any other ideas before I rebuild this one?
Thanks for the suggestion. Tried that but it didn't tell me anything new. I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog. Just knowing what is initiating the calls would be halfway to solving it.
I noticed while checking with top that http was listed in the command column, which it isn't on the other computers.
Quote:
Originally Posted by jonhen
continuously calling the DNS nameserver every 10 or 20 seconds
What is the actual host name the machine looks up continuously? (Since the machine as you say continuously calls the name server you could also tally requests by running 'dnstop' on the name server if you have access to it.)
Quote:
Originally Posted by jonhen
I know it's going out to port 53 on the nameserver which I have listed in resolv.conf (the 3 other computers are set up this way and don't do this). If I block the calls with ufw it lists the protocol as ICMP in the syslog.
That does not make any sense at all. Please post output.
Quote:
Originally Posted by jonhen
Just knowing what is initiating the calls would be halfway to solving it.
Netfilter allows you to filter traffic by UID using the "owner" module. Example here. If the machine runs the audit service check this.
Quote:
Originally Posted by jonhen
I noticed while checking with top in the command column http was listed which it isn't in the other computers.
Is it "http" or "httpd"? Anyway, just list what it does:
Code:
# list the internet sockets held by every httpd process
pgrep httpd | xargs -I X lsof -Pwlnp 'X' -a -i
# or: match those PIDs against the socket table
netstat -antupe | egrep "($(pgrep httpd -d "|"))"
Last edited by unSpawn; 02-19-2013 at 07:19 AM.
Reason: //More *is* more
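To make the UID hint above concrete, here is an added example that is not from the thread: the netfilter LOG target's --log-uid option makes the kernel record the UID of the local process that generated each outgoing packet, so one logging rule on port 53 answers the "what is initiating the calls" question without blocking anything. The script tallies the resulting syslog lines per UID and destination and measures the gap between hits, which shows whether one account is polling at a fixed period. The iptables rule in the comment, the host name and the log lines are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

try:
    import pwd
except ImportError:  # non-Unix platform: fall back to numeric UIDs
    pwd = None

# Rule that produces these lines (run as root; constructed for this example):
#   iptables -I OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNSOUT: " --log-uid
# --log-uid appends UID=/GID= of the originating process to every entry.

# Constructed syslog excerpt; the field layout follows the netfilter LOG target.
SAMPLE_LOG = """\
Feb 19 07:20:01 host kernel: [  100.000] DNSOUT: IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=43211 DPT=53 LEN=48 UID=1000 GID=1000
Feb 19 07:20:11 host kernel: [  110.000] DNSOUT: IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=43212 DPT=53 LEN=48 UID=1000 GID=1000
Feb 19 07:20:21 host kernel: [  120.000] DNSOUT: IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=43213 DPT=53 LEN=48 UID=1000 GID=1000
Feb 19 07:20:25 host kernel: [  124.000] DNSOUT: IN= OUT=eth0 SRC=192.168.1.6 DST=85.214.20.141 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=43214 DPT=53 LEN=48 UID=0 GID=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
UPTIME_RE = re.compile(r"\[\s*([0-9.]+)\]")


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG entry plus the kernel timestamp, or None."""
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = UPTIME_RE.search(line)
    fields["_ts"] = float(m.group(1)) if m else None
    return fields


def username(uid):
    """Map a UID string to an account name, or 'uid:N' when it is unknown."""
    if pwd is not None:
        try:
            return pwd.getpwuid(int(uid)).pw_name
        except (KeyError, ValueError):
            pass
    return "uid:%s" % uid


def tally(log_text):
    """Count packets per (uid, dst, dport) and collect timestamps per uid."""
    counts = Counter()
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("UID") is None:
            continue  # inbound or forwarded packets carry no UID
        counts[(f["UID"], f.get("DST"), f.get("DPT"))] += 1
        if f["_ts"] is not None:
            stamps[f["UID"]].append(f["_ts"])
    return counts, stamps


def intervals(timestamps):
    """Gaps between consecutive timestamps, to spot a fixed polling period."""
    ts = sorted(timestamps)
    return [round(b - a, 3) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    counts, stamps = tally(SAMPLE_LOG)
    for (uid, dst, dport), n in counts.most_common():
        print("%-10s -> %s:%s  %d packets, gaps %s"
              % (username(uid), dst, dport, n, intervals(stamps[uid])))
```

With the real rule in place the same script reads /var/log/syslog (or kern.log) instead of SAMPLE_LOG; a UID that hits port 53 on a steady 10 or 20 second cadence names the account, and `ls -l /proc/<pid>/fd` or the lsof command above then narrows it to the process.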
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
From syslog with all outgoing blocked by the firewall:
Not sure when I saw it as ICMP so best ignore that for now. You're quite right that doesn't make any sense.
Looking at running processes with top, it was http I saw periodically; anyway, neither pgrep nor netstat produces any output, so http may have nothing to do with this, I don't know.
I'll check out netfilter and post any useful findings.
Quote:
Originally Posted by jonhen
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA hostname"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A hostname"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
Common practice for SOHO LAN machines (behind CPE configured for residential use) is not to resolve any host names themselves but to forward questions to the provider's name servers, who then do recursion. Your LAN host is asking one name server (specifically the FoeBuD one, mentioned in the CCC DNS HOWTO) to resolve a host name. This means it must have been explicitly configured to send its questions there. Quad A's are IPv6 records, meaning the LAN client doesn't have IPv6 disabled.
If you (still?) have your packet capture then simply filter for UDP in Wireshark (or read it with 'tcpdump -r') and it should show you which host names it tries to resolve. That should give you some indication of what's going on.
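Following on from the suggestion to filter the capture for UDP, here is an added example (not from the thread) that does the tallying in code: it reads the CSV that Wireshark exports for a DNS filter, in the same seven-column layout as the lines posted above, keeps only the outgoing "Standard query" rows, and reports which names are being looked up and whether the lookups repeat on a fixed period. The CSV rows, the host names and the 10-second cadence are constructed for the example; the same logic applies to a capture read back with `tcpdump -r file.pcap udp port 53` once the query lines are parsed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Wireshark CSV export (File > Export Packet Dissections > As CSV),
# columns as in the thread: No., Time, Source, Destination, Protocol, Length, Info.
# Host names are placeholders; one of them is polled every 10 seconds.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"2","2.231526","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA example.invalid"
"3","2.276354","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"4","2.276566","192.168.1.6","85.214.20.141","DNS","68","Standard query A example.invalid"
"5","2.321918","85.214.20.141","192.168.1.6","DNS","143","Standard query response, No such name"
"6","12.230912","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA example.invalid"
"7","12.276001","192.168.1.6","85.214.20.141","DNS","68","Standard query A example.invalid"
"8","15.100000","192.168.1.6","85.214.20.141","DNS","70","Standard query A updates.example.test"
"9","22.231000","192.168.1.6","85.214.20.141","DNS","68","Standard query AAAA example.invalid"
"10","22.276400","192.168.1.6","85.214.20.141","DNS","68","Standard query A example.invalid"
"""

# Newer Wireshark versions insert the transaction id ("0x1a2b") before the type.
QUERY_RE = re.compile(r"^Standard query (?:0x[0-9a-fA-F]+ )?([A-Z0-9]+) (\S+)")


def parse_queries(csv_text):
    """Yield (time, source, qtype, qname) for every outgoing query row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Protocol"] != "DNS":
            continue
        m = QUERY_RE.match(row["Info"])
        if not m:
            continue  # responses and anything Wireshark did not dissect as a query
        yield float(row["Time"]), row["Source"], m.group(1), m.group(2)


def tally_names(csv_text):
    """Group query timestamps by (qname, qtype)."""
    times = defaultdict(list)
    for t, _src, qtype, qname in parse_queries(csv_text):
        times[(qname, qtype)].append(t)
    return times


def period(timestamps, tolerance=0.5):
    """Return the polling period when consecutive gaps agree within `tolerance`
    seconds, or None for one-off or irregular lookups."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if max(gaps) - min(gaps) > tolerance:
        return None
    return round(sum(gaps) / len(gaps), 1)


def periodic_names(csv_text):
    """Names looked up at a steady cadence, with the period in seconds."""
    return {key: period(ts) for key, ts in tally_names(csv_text).items()
            if period(ts) is not None}


if __name__ == "__main__":
    for (qname, qtype), ts in tally_names(SAMPLE_CSV).items():
        print("%-5s %-25s %d queries, period %s" % (qtype, qname, len(ts), period(ts)))
```

The A and AAAA pair for the same name, repeated at one period, is the signature of a single resolver call from one program (glibc asks for both when IPv6 is enabled, which matches the AAAA queries in the capture); the name itself is what to search for in the suspect profile or configuration.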
First off, thanks for all the help and suggestions. From all the analysing I came to the conclusion there was nothing basically wrong with my install but that something was trying to get out. This got me looking at my home directory.
What I eventually did was rather less technical but effective nonetheless: I backed up my .mozilla (Firefox) profile and my .thunderbird (email) profile and deleted them. The spurious network traffic stopped on deleting the Thunderbird profile. So it rather looks like something has crept into my email profile; I will investigate Thunderbird further just in case it's not just the profile.
I thought perhaps I was getting a little paranoid but it does look like something was going on.