This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I determine which application is sending DNS queries to my Bind server?


I'm trying to figure out how one would go about determining which application on my Linux box is sending a particular DNS query to my Bind server. I've been toying with the following command:

$ tshark -i wlan0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53
192.168.1.20;ajax.googleapis.com
192.168.1.101;ajax.googleapis.com
192.168.1.20;pop.bizmail.yahoo.com

How can I get this to show me the actual application (port and possibly PID)?

asked 18 Oct '13, 08:41


slm

on my Linux box

what is your distribution and release? Depending on the kernel you are using, you could try to use Systemtap to trace gethostbyname().

(18 Oct '13, 10:41) Kurt Knochner ♦

I'm on Fedora. Can you explain how to do this a bit?

(18 Oct '13, 19:52) slm

2 Answers:

2

With normal packet captures there is no way of identifying the application or PID from the packets, because all you can see is what port the packet was sent from.

If you capture on a host that is doing the communication you could try to use the Hone Project to get that kind of information. On Windows, Network Monitor can do the same.

Otherwise you could try to use netstat on the box that does the name resolution and match it to the port numbers the DNS query uses, but since it is a UDP communication the port is open and closed almost instantly - so the chances of running netstat in just that millisecond where it is open are going to be like trying to win the lottery.

answered 18 Oct '13, 08:53


Jasper ♦♦
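The netstat-style matching described in this answer, as an added example that is not part of the original thread: a small Python script that maps a captured query's UDP source port to the owning socket inode in /proc/net/udp and then to a PID via the /proc/<pid>/fd symlinks, which is the same lookup netstat -p and ss -p perform. It assumes the question's tshark command is extended with -e udp.srcport so the source port lands in the output; the tshark lines and the /proc/net/udp snapshot embedded below are constructed. When the socket has already closed by the time the snapshot is read, the lookup returns None, which is exactly the race the answer warns about.

```python
"""Map DNS query source ports to PIDs via /proc (added example, not from the thread).

The /proc/net/udp column layout and the socket:[inode] fd links are documented
Linux behaviour; all sample data below is constructed for illustration.
"""
import glob
import os
import sys

# Constructed tshark output.  Assumes the question's command was run as:
#   tshark -i wlan0 -n -e ip.src -e udp.srcport -e dns.qry.name \
#          -E separator=";" -T fields port 53
SAMPLE_TSHARK = """192.168.1.20;41523;ajax.googleapis.com
192.168.1.101;53412;ajax.googleapis.com
192.168.1.20;41523;pop.bizmail.yahoo.com
"""

# Constructed /proc/net/udp snapshot.  Addresses are little-endian hex,
# ports are big-endian hex, and column 10 (index 9) is the socket inode.
SAMPLE_PROC_NET_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 1401A8C0:A233 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 123456 2 0000000000000000 0
  43: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 9876 2 0000000000000000 0
"""


def hex_to_ipv4(hexaddr):
    """Decode the little-endian 8-hex-digit IPv4 form used in /proc/net/udp."""
    n = int(hexaddr, 16)
    return ".".join(str((n >> (8 * i)) & 0xFF) for i in range(4))


def parse_proc_net_udp(text):
    """Return {local_port: (local_ip, inode)} for every socket in the table."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hexip, hexport = fields[1].split(":")
        sockets[int(hexport, 16)] = (hex_to_ipv4(hexip), int(fields[9]))
    return sockets


def inode_to_pid(inode, proc_root="/proc"):
    """Find the process holding socket inode `inode` by scanning fd symlinks.

    Needs privileges to read other users' fd directories; returns None when
    the socket has already been closed (the UDP race described in the thread).
    """
    target = "socket:[%d]" % inode
    for fd_path in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd_path) == target:
                return int(fd_path.split(os.sep)[-3])   # .../<pid>/fd/<n>
        except OSError:
            continue                                    # fd vanished or denied
    return None


def correlate(tshark_text, proc_net_udp_text, proc_root="/proc"):
    """Join tshark rows to the socket table; yields (src, sport, name, inode, pid)."""
    sockets = parse_proc_net_udp(proc_net_udp_text)
    results = []
    for line in tshark_text.strip().splitlines():
        parts = line.split(";")
        if len(parts) != 3:
            continue                                    # malformed row
        src, sport, name = parts[0], int(parts[1]), parts[2]
        entry = sockets.get(sport)
        inode = pid = None
        # Only accept the socket if it is bound to the query's source IP or to any address.
        if entry is not None and entry[0] in (src, "0.0.0.0"):
            inode = entry[1]
            pid = inode_to_pid(inode, proc_root)
        results.append((src, sport, name, inode, pid))
    return results


if __name__ == "__main__":
    # Live use: pipe the extended tshark command into this script.
    with open("/proc/net/udp") as f:
        snapshot = f.read()
    for row in correlate(sys.stdin.read(), snapshot):
        print("%s:%d -> %s  inode=%s pid=%s" % row)
```

Because the script takes one /proc/net/udp snapshot, a query whose socket closed before the snapshot yields inode=None, and a socket that closed between the snapshot and the fd scan yields pid=None; a resolver that keeps a socket open (the first sample port appears twice) is the case where this lookup actually succeeds.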

1

I'm on Fedora. Can you explain how to do this a bit?

First install systemtap

https://sourceware.org/systemtap/wiki/SystemtapOnFedora

Then, if your kernel supports CONFIG_UTRACE, you can run the following script

#!/usr/bin/env stap

# Fires on every call into libc's gethostbyname() from any process and logs
# the hostname argument, i.e. the name the application asked to resolve.
probe process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname").call { log(user_string($name)) }

Please replace the path of libc with the one on your system!!

Regards
Kurt

answered 21 Oct '13, 03:45


Kurt Knochner ♦