PaulDotCom mailing list archives

Re: Troubleshooting a DNS server
From: Rob Michel <robmichel2854 () gmail com>
Date: Fri, 10 Sep 2010 14:36:34 -0400

I can't think of anything that would detect which process is sending the
traffic...

However, your real issue is that you don't want it asking the old DNS server
anymore. If it's just resolving the same FQDN, just throw that entry into the
hosts file on the server. Otherwise, finding the process might be more like
playing detective: what is the delta between the times of the queries, what
processes are running, etc.





On Fri, Sep 10, 2010 at 1:26 PM, James Costello <genesiswave () gmail com> wrote:

I'm doing a tcpdump on the DNS server, which is how I am getting the server
query information.
Now I am trying to find out what is causing a server that has been updated
to point at different servers to continue to query the old servers.

On Fri, Sep 10, 2010 at 12:08 PM, Tim Krabec <tkrabec () gmail com> wrote:

Set up verbose logging or do a packet capture and get the IPs from there.

On Fri, Sep 10, 2010 at 12:36 PM, James Costello <genesiswave () gmail com> wrote:

I am in the process of shutting down an old DNS server for my employer
and have been told that I can't shut it down until it stops getting queried
from other servers.  I am down to a handful of Linux servers that are
still making a couple of queries per hour apiece.  The servers'
/etc/resolv.conf files have been updated to point to the new servers, but there is
an application or process that is continuing to contact the old servers for
resolution.
I have tried narrowing it down by the query and was able to eliminate a
couple of servers with NTPD running that needed the daemon restarted to
clear the cache, but a few more of the servers are making very general
requests, i.e. internaldomain.com.
I am looking at using lsof to query for the service but am not having
much luck at the moment.  Below is the command I am using on the servers
that are making the query:
lsof -n -i UDP@192.168.1.2:53 -r1

I am not overly familiar with lsof, so please provide feedback.
If anyone has a suggestion for an alternate command or utility to use on
a Linux box, I'd be appreciative.
I used TCPView from SysInternals on the Windows boxes to perform this
task but have not found anything to do this other than lsof (though that
could be a limitation of the searches I have made on Google).

Thanks,
James

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
Tim Krabec
Kracomp
772-597-2349
www.kracomp.com
www.smbminute.com (podcast)
tkrabec.com


-- 

public key ...
http://www.networktime.net/pgp-public.html
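One way to do the detective work discussed in this thread, as an added example that is not code from any of the posters: poll /proc/net/udp for sockets aimed at the old resolver (192.168.1.2, taken from James's lsof command) and map each socket's inode to a PID through /proc/<pid>/fd, which catches the millisecond-lived resolver sockets a one-shot lsof misses. The /proc/net/udp rows at the bottom are constructed for offline testing, and the src_port fallback assumes you have the query's source port from the tcpdump on the server.

```python
import os
import socket
import struct
import time

def hex_host_addr(ip):
    """Encode an IPv4 address as /proc/net/udp prints it (hex, host byte order)."""
    return "%08X" % struct.unpack("=I", socket.inet_aton(ip))[0]

def parse_proc_udp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, inode) per socket row."""
    ip = lambda h: socket.inet_ntoa(struct.pack("=I", int(h, 16)))
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        yield ip(lip), int(lport, 16), ip(rip), int(rport, 16), int(f[9])

def suspect_inodes(text, server="192.168.1.2", src_port=None):
    """Sockets connect()ed to server:53 (glibc's resolver does this), or, for
    sendto()-only sockets whose remote shows as 0.0.0.0:0, bound to src_port."""
    return [ino for _, lport, rip, rport, ino in parse_proc_udp(text)
            if (rip == server and rport == 53) or (src_port and lport == src_port)]

def pid_for_inode(inode):
    """Walk /proc/<pid>/fd for a link to socket:[inode]; run as root to see all fds."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links = [os.readlink("/proc/%s/fd/%s" % (pid, fd))
                     for fd in os.listdir("/proc/%s/fd" % pid)]
        except OSError:                           # process exited, or EPERM
            continue
        if "socket:[%d]" % inode in links:
            return int(pid)
    return None

def watch(interval=0.02):
    while True:                                   # poll fast: sockets are short-lived
        with open("/proc/net/udp") as fh:
            for ino in suspect_inodes(fh.read()):
                pid = pid_for_inode(ino)
                if pid is not None:
                    return pid, os.readlink("/proc/%d/exe" % pid)
        time.sleep(interval)

# Constructed /proc/net/udp sample (not a real capture): an ntpd-style socket on :123 and a resolver socket connected to the old server on :53.
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: %s:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111\n"
    "   1: %s:C3A1 %s:0035 01 00000000:00000000 00:00000000 00000000  1000        0 22222\n"
) % (hex_host_addr("0.0.0.0"), hex_host_addr("192.168.1.50"), hex_host_addr("192.168.1.2"))
```

Run `watch()` as root on one of the querying hosts and leave it looping until the hourly query fires; it returns the PID and executable path of the socket's owner.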