DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st July 2009
Bruco Bruco is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Kalamazoo, MI, USA
Posts: 61
Thanked 1 Time in 1 Post
Default See what process is generating DNS traffic?

Hello, all.

I have a FreeBSD box sitting at one of my company's locations. It doesn't do much:

It runs a script ever 10 minutes that pings some IPs (not hostnames).

It runs arpwatch (which doesn't see much action, there are rarely new devices plugged into the network).

It runs syslogd and captures syslog output from a Cisco ASA.

The box has a static IP, so I've defined a DNS server (at another site) in /etc/resolv.conf.

The problem I'm having is that when I look at my syslogs from the Cisco ASA, I see that the FreeBSD box is generating thousands and thousands of UDP connections to port 53 on the DNS server. And I do mean thousands.

Now, these are obviously DNS requests of some kind. It's port 53 on a DNS server after all. And if I comment out the DNS server IP in /etc/resolv.conf, the traffic stops.

If I run tcpdump while it's going on I can see the packets. Every other one says something about NXDomain - which if I'm not mistaken has something to do with an invalid domain. So, thousands of invalid domain errors, perhaps?

I won't pretend to be able to fully decipher the output from tcpdump, but if I could at least nail down what it is that's CAUSING the traffic I might start to understand where it's coming from and why!

So, two questions. First, does anyone know what might be causing this traffic? And second, is there a way I can actually determine what process is generating the traffic?

Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 1st July 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

Is the traffic from your FreeBSD box to the DNS server going through the Cisco? Could it be that the Cisco logs that traffic to the FreeBSD box, which in turn tries to perform a reverse DNS lookup on the syslog connection, causing more traffic to DNS, causing the Cisco to log it, causing .... etc.? This sounds similar to running a tcpdump on port 22 of a server you're ssh'ed into. Does the Cisco IP have an entry in /etc/hosts? That would suppress the DNS lookups. If that's what this is, of course.
Reply With Quote
  #3   (View Single Post)  
Old 2nd July 2009
Bruco Bruco is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Kalamazoo, MI, USA
Posts: 61
Thanked 1 Time in 1 Post
Default

That is an excellent idea. I was thinking about whether or not syslog could be the problem, but the way you've explained it puts my disorganized thoughts in order.

I'll try stopping syslog or adding an entry for the Cisco to /etc/hosts and see if the DNS connections dry up. I'll post results here. Thanks!
Reply With Quote
  #4   (View Single Post)  
Old 2nd July 2009
Bruco Bruco is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Kalamazoo, MI, USA
Posts: 61
Thanked 1 Time in 1 Post
Default

Very good thinking, sir. That appears to be exactly what was going on. Adding an entry for the Cisco device in /etc/hosts causes the endless DNS requests to stop. Thanks very much!

By the way, if anyone else has a similar issue, after adding the entry in /etc/hosts I also had to edit my /etc/syslog.conf to reflect the new hostname of the Cisco devices as opposed to the IP, so that syslogd would continue to accept syslog traffic from it.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Generating passwords with jot(1) J65nko Guides 9 3 Weeks Ago 01:03 PM
shell script-start another process bsdnewbie999 Programming 2 23rd April 2009 07:48 PM
PF Blocking VPN Traffic plexter OpenBSD Security 6 23rd January 2009 05:25 PM
Daemon Process not starting on boot map7 FreeBSD General 4 11th September 2008 04:24 PM
Generating random passwords on FreeBSD erno Guides 3 8th May 2008 08:44 AM


All times are GMT. The time now is 02:11 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick