
Traffic to old DNS servers after changing /etc/resolv.conf

Honored Contributor




We have recently changed our /etc/resolv.conf (primary and secondary DNS servers) on several HP-UX 11.11 boxes.


Almost all traffic goes to the new DNS servers, but with tcpdump I can still see some DNS queries going to the old DNS servers that have been removed from /etc/resolv.conf. The resolver library does in effect "cache" the settings in /etc/resolv.conf, as it only reads the file once in the life of a process. So I'm sure there are some processes that must be restarted to have them see the new IPs you have placed in /etc/resolv.conf.


The problem is how to find out which processes are generating the traffic. I can only see 32 queries in 24 hours, so there shouldn't be many.


I have tried with tcpdump and lsof -i udp, then comparing the client source port of the DNS query in tcpdump with the lsof port/PID relation, but I haven't been able to catch it; it has to coincide.


Do any of you have a better idea how to find out who is using the old DNS servers?



Windows?, no thanks
Honored Contributor

Re: Traffic to old DNS servers after changing /etc/resolv.conf

The problem is that most ordinary DNS queries use UDP, and the UDP sockets generated by the resolver library only exist for a very short time. TCP is only used if the answer is too big for a single UDP packet.


So unless you run your lsof at exactly the time an application has sent a request and is waiting for an answer, you aren't likely to find any matches at all.


After you change /etc/resolv.conf, you must restart all processes that use DNS in any way. It's usually easier to restart everything, just to be safe... and when you have to do that, a reboot might be the simplest way to do it.


If a restart/reboot is not possible, you might configure the old DNS server to log all incoming requests, then look at what is being requested and think about what application or process would require that information.


Of course, there is always the hard way: just disable the old DNS server (or even make it return easily-identifiable invalid data) and wait and see what breaks. Just make sure you can re-enable it quickly if necessary.


(I have had to use this method distressingly often when shutting down old sparsely-documented servers whose original admins and/or users are no longer with the organization.)

Honored Contributor

Re: Traffic to old DNS servers after changing /etc/resolv.conf

Thanks Matty,


Yes, in the end, with the -S in tcpdump, I could see what DNS names were being searched; there were only 2 of them. One took me to the TIBCO Hawk agent process, which they restarted, and the other one I couldn't track down, so I temporarily added the hostname that was being queried to /etc/hosts until we have a window to reboot the server.


No more traffic to the old DNS servers at the moment.

Windows?, no thanks
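The approach the thread ends up with (read the queried names out of the tcpdump capture rather than racing lsof against short-lived UDP sockets) as an added example, not code from the thread. It assumes the line format of `tcpdump -n udp port 53` on a Linux/BSD-style host; the old server addresses and the capture lines are constructed samples. It reports, per old server, which names are still being asked for, so the operator can work out which application issues them.

```shell
#!/bin/sh
# Old DNS servers that were removed from /etc/resolv.conf (constructed sample values).
OLD_DNS="192.0.2.10 192.0.2.11"

# Constructed sample of 'tcpdump -n udp port 53' output. Note the client source
# port changes per query: the resolver opens a fresh UDP socket every time, which
# is why a one-off 'lsof -i udp' rarely catches it.
SAMPLE_TCPDUMP='10:01:02.100 IP 10.1.1.5.49210 > 198.51.100.5.53: 4711+ A? db01.example.test. (35)
10:01:03.200 IP 10.1.1.5.49211 > 192.0.2.10.53: 4712+ A? hawkagent.example.test. (40)
10:01:03.250 IP 192.0.2.10.53 > 10.1.1.5.49211: 4712 1/0/0 A 10.1.1.9 (56)
10:01:07.300 IP 10.1.1.5.49215 > 192.0.2.11.53: 4713+ PTR? 9.1.1.10.in-addr.arpa. (43)
10:01:09.400 IP 10.1.1.5.49216 > 192.0.2.10.53: 4714+ A? hawkagent.example.test. (40)'

# Reads tcpdump lines on stdin; prints "<count> <old-server> <queried-name>",
# most frequent first, for every outbound query sent to one of the OLD_DNS servers.
old_dns_queries() {
    awk -v old="$OLD_DNS" '
        BEGIN { n = split(old, a, " "); for (i = 1; i <= n; i++) want[a[i] ".53:"] = 1 }
        # Outbound query lines only: $4 is ">", $5 is "<server>.53:", and the
        # query type field $7 ends in "?" (A?, PTR?, ...); replies do not match.
        $4 == ">" && ($5 in want) && $7 ~ /\?$/ {
            srv = $5; sub(/\.53:$/, "", srv)   # strip ".53:" to get the server IP
            sub(/\.$/, "", $8)                 # drop the trailing dot of the FQDN
            count[srv " " $8]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Run over the constructed sample; with a real capture use:
#   tcpdump -n -l udp port 53 | old_dns_queries
demo() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | old_dns_queries
}
```

Each reported name is a lead: look up which daemon or agent on the box would resolve it (here the constructed "hawkagent" name points at a monitoring agent), restart that process, and re-run the capture to confirm the count drops to zero.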