Repeated DNS Lookups

Hi,

Our server has decided to repeatedly perform the same DNS lookups around 3 to 4 times a minute.

Is there any way we can find out what process is causing it?
Each repetition starts with a lookup like this: PTR? 51.226.222.82in-addr.arpa

Short tcpdump attached:
22:08:32.862201 IP server.ourcompanydomain.com.49008 > google-public-dns-a.google.com.domain:  10565+ PTR? 99.241.222.82in-addr.arpa. (44)
22:08:32.872245 IP server.ourcompanydomain.com.49287 > google-public-dns-a.google.com.domain:  35488+ PTR? 51.226.222.82in-addr.arpa. (44)
22:08:32.881063 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.49287:  35488 1/0/0 (86)
22:08:32.881329 IP server.ourcompanydomain.com.33402 > google-public-dns-a.google.com.domain:  49869+ A? ns6.ourcompanydomain.com. (46)
22:08:32.890107 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.33402:  49869 1/0/0 (62)
22:08:32.891078 IP server.ourcompanydomain.com.38160 > google-public-dns-a.google.com.domain:  23302+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:32.899668 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.38160:  23302 0/1/0 (97)
22:08:32.899786 IP server.ourcompanydomain.com.32947 > google-public-dns-a.google.com.domain:  41502+[|domain]
22:08:32.909239 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.32947:  41502[|domain]
22:08:32.909304 IP server.ourcompanydomain.com.60212 > google-public-dns-a.google.com.domain:  55993+ A? ns6.ourcompanydomain.com. (46)
22:08:32.917259 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.49008:  10565 1/0/0 (79)
22:08:32.918256 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.60212:  55993 1/0/0 (62)
22:08:32.918870 IP server.ourcompanydomain.com.34852 > google-public-dns-a.google.com.domain:  811+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:32.927849 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.34852:  811 0/1/0 (97)
22:08:32.927967 IP server.ourcompanydomain.com.57220 > google-public-dns-a.google.com.domain:  17058+[|domain]
22:08:32.936423 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.57220:  17058[|domain]
22:08:32.936570 IP server.ourcompanydomain.com.46430 > google-public-dns-a.google.com.domain:  46123+ A? ns6.ourcompanydomain.com. (46)
22:08:32.945390 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.46430:  46123 1/0/0 (62)
22:08:32.952136 IP server.ourcompanydomain.com.40986 > google-public-dns-a.google.com.domain:  14476+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:32.960893 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.40986:  14476 0/1/0 (97)
22:08:32.961076 IP server.ourcompanydomain.com.43250 > google-public-dns-a.google.com.domain:  6720+[|domain]
22:08:32.970098 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.43250:  6720[|domain]
22:08:32.970325 IP server.ourcompanydomain.com.37095 > google-public-dns-a.google.com.domain:  2668+ A? ns6.ourcompanydomain.com. (46)
22:08:32.979006 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.37095:  2668 1/0/0 (62)
22:08:32.981071 IP server.ourcompanydomain.com.50771 > google-public-dns-a.google.com.domain:  23594+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:32.989831 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.50771:  23594 0/1/0 (97)
22:08:32.989960 IP server.ourcompanydomain.com.46656 > google-public-dns-a.google.com.domain:  21531+[|domain]
22:08:32.998839 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.46656:  21531[|domain]
22:08:32.999013 IP server.ourcompanydomain.com.33260 > google-public-dns-a.google.com.domain:  57231+ A? ns6.ourcompanydomain.com. (46)
22:08:33.007647 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.33260:  57231 1/0/0 (62)
22:08:33.102320 IP server.ourcompanydomain.com.55377 > google-public-dns-a.google.com.domain:  30604+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:33.111143 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.55377:  30604 0/1/0 (97)
22:08:33.111648 IP server.ourcompanydomain.com.55238 > google-public-dns-a.google.com.domain:  27717+[|domain]
22:08:33.120517 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.55238:  27717[|domain]
22:08:33.121083 IP server.ourcompanydomain.com.55073 > google-public-dns-a.google.com.domain:  64828+ A? ns6.ourcompanydomain.com. (46)
22:08:33.129867 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.55073:  64828 1/0/0 (62)
22:08:33.132621 IP server.ourcompanydomain.com.53959 > google-public-dns-a.google.com.domain:  29273+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:33.141318 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.53959:  29273 0/1/0 (97)
22:08:33.141634 IP server.ourcompanydomain.com.43931 > google-public-dns-a.google.com.domain:  16976+[|domain]
22:08:33.150506 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.43931:  16976[|domain]
22:08:33.150616 IP server.ourcompanydomain.com.36416 > google-public-dns-a.google.com.domain:  30729+ A? ns6.ourcompanydomain.com. (46)
22:08:33.159233 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.36416:  30729 1/0/0 (62)
22:08:33.823746 IP server.ourcompanydomain.com.35591 > google-public-dns-a.google.com.domain:  4441+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:33.832507 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.35591:  4441 0/1/0 (97)
22:08:33.832649 IP server.ourcompanydomain.com.41318 > google-public-dns-a.google.com.domain:  20903+[|domain]
22:08:33.841345 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.41318:  20903[|domain]
22:08:33.841434 IP server.ourcompanydomain.com.53341 > google-public-dns-a.google.com.domain:  51016+ A? ns6.ourcompanydomain.com. (46)
22:08:33.850045 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.53341:  51016 1/0/0 (62)
22:08:33.850892 IP server.ourcompanydomain.com.35706 > google-public-dns-a.google.com.domain:  45167+ AAAA? ns6.ourcompanydomain.com. (46)
22:08:33.859739 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.35706:  45167 0/1/0 (97)
22:08:33.859841 IP server.ourcompanydomain.com.39210 > google-public-dns-a.google.com.domain:  9778+[|domain]
22:08:33.868517 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.39210:  9778[|domain]
22:08:33.868599 IP server.ourcompanydomain.com.37423 > google-public-dns-a.google.com.domain:  34865+ A? ns6.ourcompanydomain.com. (46)
22:08:33.877338 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.37423:  34865 1/0/0 (62)
22:08:34.443697 arp who-has 82.222.226.1 tell 82.222.226.213
22:08:34.443970 IP server.ourcompanydomain.com.48414 > google-public-dns-a.google.com.domain:  34646+ PTR? 1.226.222.82in-addr.arpa. (43)
22:08:34.464245 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.48414:  34646 NXDomain 0/1/0 (111)
22:08:34.464372 IP server.ourcompanydomain.com.43581 > google-public-dns-a.google.com.domain:  51865+ PTR? 213.226.222.82in-addr.arpa. (45)
22:08:34.497330 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.43581:  51865 NXDomain 0/1/0 (113)
22:08:34.907745 arp who-has 46.20.121.77 tell 46.20.121.2
22:08:34.908054 IP server.ourcompanydomain.com.49962 > google-public-dns-a.google.com.domain:  28437+ PTR? 77.121.20.46.in-addr.arpa. (43)
22:08:34.953346 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.49962:  28437 NXDomain 0/1/0 (117)
22:08:34.953576 IP server.ourcompanydomain.com.37039 > google-public-dns-a.google.com.domain:  11830+ PTR? 2.121.20.46.in-addr.arpa. (42)
22:08:34.995004 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.37039:  11830 NXDomain 0/1/0 (116)
22:08:35.678917 arp who-has 82.222.226.249 tell 82.222.226.3
22:08:35.679233 IP server.ourcompanydomain.com.57029 > google-public-dns-a.google.com.domain:  1121+ PTR? 249.226.222.82in-addr.arpa. (45)
22:08:35.716878 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.57029:  1121 NXDomain 0/1/0 (113)


Thanks
Dan
1 Solution
farzanj commented:
You need to figure out the process that is doing it. Perhaps a script or job is running, or maybe a scheduled cron job.

Use the ps command to see all the processes:

ps -ef

Examine all the processes and see if you can find a suspected one.

xterm commented:
Is server.ourcompanydomain.com running web, FTP, mail, etc.?

If so, every incoming connection will result in an inverse lookup of the IP that the connection came from.

So if your IP is 1.2.3.4 and say you go to http://server.ourcompanydomain.com/, then you should see an immediate PTR lookup of 4.3.2.1.in-addr.arpa, which is just a normal client inverse lookup.

And you should be able to match these DNS lookups up with whatever service is running on your server by looking at the respective logs (mail, web, ftp, whatever - all of these services will initiate reverse lookups on the connecting IP addresses).
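Added example, not part of the thread: a small Python parser for tcpdump lines in the format pasted in the question. It undoes the octet reversal of each in-addr.arpa query (the 4.3.2.1 -> 1.2.3.4 point xterm makes), counts how often each client IP is looked up and how many replies were NXDomain, so the repeated ones can be matched against the sshd, web or mail logs. The sample lines are copied from the capture above plus two constructed repeats; the optional dot before in-addr.arpa in the regex is an assumption so the "82in-addr.arpa" spelling in the paste also parses.

```python
import re
from collections import defaultdict

# Query line as in the capture above. The "\.?" before in-addr.arpa is an
# assumption so that the "82in-addr.arpa" spelling in the paste also parses.
PTR_QUERY = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP \S+ > \S+:\s+(?P<id>\d+)\+ PTR\? "
    r"(?P<rev>(?:\d{1,3}\.){3}\d{1,3})\.?in-addr\.arpa"
)
# Reply line: "<ts> IP <resolver> > <client>: <id> [NXDomain] ans/auth/add (len)"
PTR_REPLY = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP \S+ > \S+:\s+(?P<id>\d+) (?P<nx>NXDomain )?\d+/\d+/\d+"
)

def reverse_name_to_ip(rev):
    """Undo the octet reversal of in-addr.arpa: '4.3.2.1' -> '1.2.3.4'."""
    return ".".join(reversed(rev.split(".")))

def summarize_ptr_lookups(lines):
    """Per client IP: number of PTR queries sent and NXDomain replies (matched by id)."""
    pending = {}  # transaction id -> client IP of an unanswered PTR query
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0})
    for line in lines:
        q = PTR_QUERY.match(line)
        if q:
            ip = reverse_name_to_ip(q.group("rev"))
            pending[q.group("id")] = ip
            stats[ip]["queries"] += 1
            continue
        r = PTR_REPLY.match(line)
        if r and r.group("id") in pending and r.group("nx"):
            stats[pending[r.group("id")]]["nxdomain"] += 1
    return dict(stats)

def repeated_lookups(stats, threshold=2):
    """IPs looked up at least `threshold` times: the ones to match against service logs."""
    return sorted(ip for ip, s in stats.items() if s["queries"] >= threshold)

# Constructed sample: the first five lines are copied from the capture in the
# question, the last two are made up to show a repeat of the same lookup.
SAMPLE = """\
22:08:32.872245 IP server.ourcompanydomain.com.49287 > google-public-dns-a.google.com.domain:  35488+ PTR? 51.226.222.82in-addr.arpa. (44)
22:08:32.881063 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.49287:  35488 1/0/0 (86)
22:08:32.881329 IP server.ourcompanydomain.com.33402 > google-public-dns-a.google.com.domain:  49869+ A? ns6.ourcompanydomain.com. (46)
22:08:34.443970 IP server.ourcompanydomain.com.48414 > google-public-dns-a.google.com.domain:  34646+ PTR? 1.226.222.82in-addr.arpa. (43)
22:08:34.464245 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.48414:  34646 NXDomain 0/1/0 (111)
22:09:02.100000 IP server.ourcompanydomain.com.51001 > google-public-dns-a.google.com.domain:  40001+ PTR? 51.226.222.82.in-addr.arpa. (44)
22:09:02.110000 IP google-public-dns-a.google.com.domain > server.ourcompanydomain.com.51001:  40001 1/0/0 (86)
"""
```

Feed it the real capture with `summarize_ptr_lookups(open("dump.txt").read().splitlines())` and look up the IPs that `repeated_lookups` returns in the connection logs of the services listening on the server.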
DanJourno (author) commented:
xterm, I didn't realise that in the PTR lookup the IP is reversed. 4.3.2.1 is our other server. Our other server establishes an SSH connection every 30 seconds to collect some data.

Is there any way of supplying the reverse lookup info to prevent the lookup being performed? I would just like to reduce bandwidth.

xterm commented:
The traffic is minuscule UDP packets - they will not affect bandwidth on your network.

Services that can permit or deny connecting clients either by hostname or by IP address such as sshd HAVE to perform these lookups - it's endemic to the way they operate.

On the other hand, on very busy services (such as a high traffic web server) the lookups on every connecting host actually could be quite costly.  In these circumstances, you can actually disable them most of the time.  For instance in Apache, you set "HostnameLookups Off" and it won't try to resolve the IP addresses of connecting clients.  The downside to that of course is that your logs only contain numerical visitor information, so your statistics gathering isn't quite as informational.

The main point is not to mess with these unless you have a source of a high volume of lookups that you don't need to see.