Here is the situation: I have a server using a static IP, configured to send its DNS requests not to my ISP's DNS name server but to another one on the web.
I installed iftop to monitor connections on the server. When I started it I saw too many connections to my router gateway IP on port 53. Normally, if I were accessing a website, this would be a natural procedure, but the funniest thing is that the server is idle. And when I say a lot, I mean really a lot of connections to 192.168.1.1:53.
In the time I wrote this message at least 100 requests were made, and I took 3 minutes to write it.
How can I stop this procedure, or change the configuration on my server to connect to 192.168.1.1:53 if necessary and not every 1 second?
This procedure starts and runs for 4 minutes without stopping, then stops for a minute or 2, and then restarts again for 4 more minutes.
Here is the thing: netstat is unable to catch those requests because they don't stay alive for long, and besides that, DNS requests are in UDP.
However, I was able to capture the packets using tcpdump and this is what I got:
So, as far as I could see, the requests are in transit on my ISP router, probably from another router in the same LAN, but somehow my email server is receiving the data too.
router.home.domain = my ISP router
mail.home = my server
No, Scasey, this is just an email server.
My domain redirects traffic to my server IP.
But the strangest thing is that these are DNS requests or something else that I am not aware of.
That log is just a bit of what I posted, because Instagram is also there in the dump, and a lot of other websites that I never connect to and that my server has nothing to do with.
I am unable to block port 53 on the firewall or the server will not work.
Here is the latest dump:
This only happens with traffic received from port 53 on the ISP router to random ports on the mail server; however, the mail server does not respond to it, but somehow these DNS communications do not appear as established connections because they don't stay alive for long.
Also, in netstat everything is normal. https://pastebin.com/rMSkjJPM
Yes, it is necessary, because when the server makes a DNS request it uses port 53.
Example:
You write google.com; the DNS request opens port 53 to check which IP has the domain google.com and sends it to the server.
My server uses amavis and spamassassin, which, when an IP connects to the email port, check whether that IP is OK or not at the Spamhaus and Barracuda servers.
There are a few protections on the server.
Last time I blocked port 53 on the firewall I had issues restarting the network interface.
The big problem here is that I have no idea which program on the server is making some of these DNS requests.
Examples from that dump:
Quote:
20:10:50.605679 IP mail.home.20260 > router.home.domain: 16810+ TXT? constantcontact.com. (37)
In this example the server asks for constantcontact.com!????
Is there any tool in Linux similar to netstat with which I can find the service making these connections?
Because some are legit, but others I believe are not.
And I don't have avahi-daemon installed, because if I had it I believe it would be worse.
I don't see anything unusual here.
You've configured spamassassin to check incoming mail at RBLs...that uses DNS.
It looks like you're doing SPF checks...that uses DNS. Those TXT responses are about SPF checking, mostly.
Are you seeing any performance issues because of these queries? I really don't see anything to be concerned about.
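A way to check the explanation in the reply above against a capture, as an added example that is not part of the original thread: it parses tcpdump query lines in the format quoted earlier and buckets them by the mail-server function that usually issues them. The DNSBL zone names and every sample line except the first are assumptions constructed for the example.

```python
import re
from collections import Counter

# tcpdump's one-line form of an outgoing DNS query, as in the line quoted in the thread.
QUERY_RE = re.compile(
    r"^\S+ IP \S+\.\d+ > \S+\.(?:domain|53): \d+[+%]*(?: \[[^\]]*\])? "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)")

# Assumption: lookup zones of the two blocklist operators the thread names.
DNSBL_ZONES = ("zen.spamhaus.org", "b.barracudacentral.org")

def classify(qtype, qname):
    """Bucket a query by the mail-server function that typically issues it."""
    name = qname.rstrip(".").lower()
    if any(name.endswith("." + zone) for zone in DNSBL_ZONES):
        return "dnsbl"            # reversed client IP prepended to a blocklist zone
    if qtype == "PTR" and name.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if qtype == "TXT":
        return "txt-policy"       # SPF policies are published as TXT records
    if qtype == "MX":
        return "mail-routing"
    return "other"

def summarize(lines):
    """Return (count per category, count per (category, qtype, name))."""
    by_category, by_name = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m is None:
            continue              # responses and non-DNS traffic
        name = m["qname"].rstrip(".").lower()
        category = classify(m["qtype"], name)
        by_category[category] += 1
        by_name[(category, m["qtype"], name)] += 1
    return by_category, by_name

# First line is the one quoted in the thread; the rest are constructed for the example.
SAMPLE = """\
20:10:50.605679 IP mail.home.20260 > router.home.domain: 16810+ TXT? constantcontact.com. (37)
20:10:50.611002 IP mail.home.41877 > router.home.domain: 5121+ A? 2.0.0.127.zen.spamhaus.org. (44)
20:10:50.640113 IP router.home.domain > mail.home.20260: 16810 1/0/0 TXT "v=spf1 -all" (60)
20:10:51.002250 IP mail.home.33012 > router.home.domain: 9034+ [1au] TXT? constantcontact.com. (48)
20:10:51.120400 IP mail.home.50911 > router.home.domain: 2210+ PTR? 10.2.0.192.in-addr.arpa. (41)
""".splitlines()

if __name__ == "__main__":
    categories, names = summarize(SAMPLE)
    for (category, qtype, name), n in names.most_common():
        print(f"{n:4d}  {category:12s} {qtype:4s} {name}")
```

Names that land in "other" in bulk are the ones worth tracing back to a process; the rest match what a mail filter does on its own.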
No, there are no performance issues, but these DNS calls drive me crazy, because when I am monitoring the server's established connections I don't see a reason for those requests.
One thing is an IP connecting to the server and then the server asking for information about that IP's reputation.
Another thing is when not a single IP is connected and the DNS requests start all over again.
Well, I will not mark this thread as solved until I first try a few things.
Maybe tomorrow I will shut down all server services and see if this continues.
I am really curious to know where this comes from, and I hardly believe that it is related to server services, because some of them use Facebook and Instagram and even Adobe, none of which are related to IPs connecting to the server or its services.
I'll be back soon, and in the meantime, if any of you know any good tool like netstat but to capture UDP datagrams and show the service behind them, then let me know so I can test it here.
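One way to answer the question of which process sits behind short-lived UDP lookups, as an added example that is not part of the original thread: it decodes /proc/net/udp, keeps sockets connected to port 53, and resolves each socket inode to a PID through /proc/<pid>/fd. The sample table, the 192.168.1.10 server address and the little-endian host are assumptions constructed for the example.

```python
import os
import socket
import struct

# Constructed /proc/net/udp excerpt: one socket connected to 192.168.1.1:53, one unconnected.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0A01A8C0:4F24 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000   112        0 48213 2 0000000000000000 0
  102: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 17002 2 0000000000000000 0
"""

def hex_to_ip(word):  # address is printed as a host-order hex word; little-endian host assumed
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))

def parse_udp_table(text):
    """Decode /proc/net/udp rows into local/remote endpoints and the socket inode."""
    rows = []
    for f in (line.split() for line in text.splitlines()[1:]):   # [1:] skips the header
        if len(f) >= 10:
            (lip, lport), (rip, rport) = f[1].split(":"), f[2].split(":")
            rows.append({"local": (hex_to_ip(lip), int(lport, 16)),
                         "remote": (hex_to_ip(rip), int(rport, 16)), "inode": int(f[9])})
    return rows

def dns_clients(text, port=53):
    return [r for r in parse_udp_table(text) if r["remote"][1] == port]

def socket_owners(inodes, proc="/proc"):
    """Map inode -> (pid, command name) by walking /proc/<pid>/fd (run as root)."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
                if target in wanted:
                    with open(f"{proc}/{pid}/comm") as fh:
                        owners[wanted[target]] = (int(pid), fh.read().strip())
        except OSError:
            continue   # process exited or access denied
    return owners

if __name__ == "__main__":
    seen = set()   # query sockets live for milliseconds: poll in a tight loop, stop with Ctrl-C
    while True:
        with open("/proc/net/udp") as fh:
            live = socket_owners({r["inode"] for r in dns_clients(fh.read())})
        for owner in set(live.values()) - seen:
            seen.add(owner)
            print("pid %d (%s) has a UDP socket connected to port 53" % owner)
```

Only sockets that were connect()ed to the resolver carry the remote port in this table; IPv6 sockets are listed in /proc/net/udp6 and are not covered here.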
It looks like it is really related to spamassassin; however, the checks that it is making are not related to emails I would probably receive, mostly because my email is private and only a few subjects have it.
So my guess is that this is spamassassin updating its rules or whatever.