LinuxQuestions.org


walter24 02-05-2014 03:30 PM

Application to DNS query mapping
 
Is there any way (application or command) that I can use to find out what application is sending out DNS queries from my computer?

Habitual 02-06-2014 08:48 AM

tcpdump <options> and port 53
or if you're new to the process, http://www.cyberciti.biz/faq/how-to-...p-dns-traffic/

unSpawn 02-06-2014 01:53 PM

...or
Code:

iptables -t filter -I OUTPUT 1 -m tcp -p tcp -m conntrack --ctstate NEW --dport 53 -j LOG --log-prefix "DNS_TCP_req "
iptables -t filter -I OUTPUT 2 -m udp -p udp -m conntrack --ctstate NEW --dport 53 -j LOG --log-prefix "DNS_UDP_req "

but do note that this and standard system tools will tell you what kind of traffic you're sending, but not which application. Should you have the audit service, then these two rules* should work:
Code:

# IPv4 (a0=2, AF_INET) datagram sockets (a1=2, SOCK_DGRAM)
auditctl -a exit,always -F a0=2 -F a1=2 -S socket -k DNS_UDP_req
# IPv4 (a0=2, AF_INET) stream sockets (a1=1, SOCK_STREAM)
auditctl -a exit,always -F a0=2 -F a1=1 -S socket -k DNS_TCP_req

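The audit rules above tag socket() calls at creation time, when only the address family and socket type are known, so they record every IPv4 UDP or TCP socket a process opens, not just the ones later used for port 53; the matching is done afterwards by reading the SYSCALL records, which do carry pid, comm and exe. The script below is an added example (not from the thread) of that second step: it summarises audit records tagged with the DNS_UDP_req / DNS_TCP_req keys into one line per process. The audit records are constructed for the example, and the function name dns_socket_summary is an assumption, not an auditd tool.

```shell
#!/bin/sh
# Added example: map audit SYSCALL records tagged by the auditctl rules back
# to the process (pid / comm / exe) that created the socket.
# The records below are constructed sample data, not a real capture.

SAMPLE_AUDIT='type=SYSCALL msg=audit(1391700000.123:101): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=2 a2=11 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="dig" exe="/usr/bin/dig" key="DNS_UDP_req"
type=SYSCALL msg=audit(1391700001.456:102): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="DNS_TCP_req"
type=SYSCALL msg=audit(1391700002.789:103): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=2 a2=11 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="dig" exe="/usr/bin/dig" key="DNS_UDP_req"
type=SYSCALL msg=audit(1391700003.000:104): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="other"'

# dns_socket_summary: read audit records on stdin, keep only SYSCALL records
# whose key starts with DNS_, and print "count key pid comm exe" once per
# distinct process, most active first. Records with other keys are ignored.
dns_socket_summary() {
    awk '
        /^type=SYSCALL / && / key="DNS_/ {
            key = ""; pid = ""; comm = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "key")  key  = kv[2]
                if (kv[1] == "pid")  pid  = kv[2]
                if (kv[1] == "comm") comm = kv[2]
                if (kv[1] == "exe")  exe  = kv[2]
            }
            # strip the quotes auditd puts around string fields
            gsub(/"/, "", key); gsub(/"/, "", comm); gsub(/"/, "", exe)
            count[key " " pid " " comm " " exe]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -rn
}

# Usage: on a live system pipe `ausearch -k DNS_UDP_req -k DNS_TCP_req --raw`
# into the function; here the constructed sample stands in for that output.
printf '%s\n' "$SAMPLE_AUDIT" | dns_socket_summary
```

The unrelated open() record (key="other") is dropped, and the two dig sockets collapse into one line with a count of 2, which is the kind of per-process tally that tcpdump or the iptables LOG target cannot give on its own.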

salasi 02-06-2014 07:28 PM

Something which doesn't quite do what you are asking for is 'dnstop'. (Obviously) it is one of the top-style utils that basically does the data-capture-and-slightly-analyse thing, as per tcpdump/wireshark, but specifically set up for DNS packets. Now this may be easier to get to grips with than using, e.g., wireshark and setting up filters that home in on the data that you want (not that this would actually be difficult), but it doesn't really give you any more information.

In particular, it doesn't give you much about what sent it, but does help with what happened subsequently. And it would help if you wanted to know something about how frequently packets were being sent. Sorry.

