How can I determine which application is sending DNS queries to my Bind server?

Question

I'm trying to figure out how one would go about determining which application on my Linux box is sending a particular DNS query to my Bind server. I've been toying with the following command:

$ tshark -i wlan0 -nn -e ip.src -e dns.qry.name -E separator=";" -T fields port 53
192.168.1.20;ajax.googleapis.com
192.168.1.101;ajax.googleapis.com
192.168.1.20;pop.bizmail.yahoo.com

How can I get this to show me the actual application (port and possibly PID)?

Accepted Answer

With normal packet captures there is no way of identifying the application or PID from the packets, because all you can see is what port the packet was sent from.

If you capture on a host that is doing the communication you could try to use the Hone Project to get that kind of information. On Windows, Network Monitor can do the same.

Otherwise you could try to use netstat on the box that does the name resolution and match it to the port numbers the DNS query uses, but since it is a UDP communication the port is open and closed almost instantly - so chances to do the netstat just in that millisecond where it is open is going to be like trying to win the lottery.

Answer 2

I'm on Fedora. Can you explain how to do this a bit?

First install systemtap

https://sourceware.org/systemtap/wiki/SystemtapOnFedora

Then, if you kernel supports CONFIG_UTRACE, you can run the following script

#!/usr/bin/env stap
probe process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname").call {
log(user_string($name)) }

Please replace the path of libc with the one on your system!!

Regards
Kurt