See what process is generating DNS traffic?

[Bruco]

Hello, all.

I have a FreeBSD box sitting at one of my company's locations. It doesn't do much:

It runs a script ever 10 minutes that pings some IPs (not hostnames).

It runs arpwatch (which doesn't see much action, there are rarely new devices plugged into the network).

It runs syslogd and captures syslog output from a Cisco ASA.

The box has a static IP, so I've defined a DNS server (at another site) in /etc/resolv.conf.

The problem I'm having is that when I look at my syslogs from the Cisco ASA, I see that the FreeBSD box is generating thousands and thousands of UDP connections to port 53 on the DNS server. And I do mean thousands.

Now, these are obviously DNS requests of some kind. It's port 53 on a DNS server after all. And if I comment out the DNS server IP in /etc/resolv.conf, the traffic stops.

If I run tcpdump while it's going on I can see the packets. Every other one says something about NXDomain - which if I'm not mistaken has something to do with an invalid domain. So, thousands of invalid domain errors, perhaps?

I won't pretend to be able to fully decipher the output from tcpdump, but if I could at least nail down what it is that's CAUSING the traffic I might start to understand where it's coming from and why!

So, two questions. First, does anyone know what might be causing this traffic? And second, is there a way I can actually determine what process is generating the traffic?

Thanks.

[DutchDaemon]

Is the traffic from your FreeBSD box to the DNS server going through the Cisco? Could it be that the Cisco logs that traffic to the FreeBSD box, which in turn tries to perform a reverse DNS lookup on the syslog connection, causing more traffic to DNS, causing the Cisco to log it, causing .... etc.? This sounds similar to running a tcpdump on port 22 of a server you're ssh'ed into. Does the Cisco IP have an entry in /etc/hosts? That would suppress the DNS lookups. If that's what this is, of course.

[Bruco]

That is an excellent idea. I was thinking about whether or not syslog could be the problem, but the way you've explained it puts my disorganized thoughts in order.

I'll try stopping syslog or adding an entry for the Cisco to /etc/hosts and see if the DNS connections dry up. I'll post results here. Thanks!

[Bruco]

Very good thinking, sir. That appears to be exactly what was going on. Adding an entry for the Cisco device in /etc/hosts causes the endless DNS requests to stop. Thanks very much!

By the way, if anyone else has a similar issue, after adding the entry in /etc/hosts I also had to edit my /etc/syslog.conf to reflect the new hostname of the Cisco devices as opposed to the IP, so that syslogd would continue to accept syslog traffic from it.