1823729
Members
3012
Online
109664
Solutions
SOLVED
Hi mate,
The source and destination IP addresses are 127.0.0.1, which means the packet originated on the local host and it was trying to contact a port on the local host. In other words, this is loopback traffic on the local system.
The source port is 60838, which is just a randomly assigned port in the anonymous port range. The destination port is 53, which means DNS.
So, what does all this mean? It would indicate to me that you've got some process running on your system that is trying to contact a DNS server on the local system (at port 53) and since your system is obviously not a DNS server it returns an ICMP Destination Unreachable because there is no process listening on port 53.
Did you intend to make the local system a DNS server? Does your /etc/resolv.conf point to the local system as being a DNS server? Does your /etc/nsswitch.conf file say to use DNS to resolve hostnames and IP addresses? If so your /etc/resolv.conf file should be pointing to a valid DNS server.
The fact that you're getting thousands of these means some process is trying to contact a DNS server frequently. Are they all from the same source port of 60838? If so, I'd grab a copy of lsof and determine which process is using port 60838 and that will tell you the process that is causing these ICMP messages. Once you know which process is sending requests to port 53 you might be able to configure it to stop doing so.
Hope this helps,
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
The source and destination IP addresses are 127.0.0.1, which means the packet originated on the local host and it was trying to contact a port on the local host. In other words, this is loopback traffic on the local system.
The source port is 60838, which is just a randomly assigned port in the anonymous port range. The destination port is 53, which means DNS.
So, what does all this mean? It would indicate to me that you've got some process running on your system that is trying to contact a DNS server on the local system (at port 53) and since your system is obviously not a DNS server it returns an ICMP Destination Unreachable because there is no process listening on port 53.
Did you intend to make the local system a DNS server? Does your /etc/resolv.conf point to the local system as being a DNS server? Does your /etc/nsswitch.conf file say to use DNS to resolve hostnames and IP addresses? If so your /etc/resolv.conf file should be pointing to a valid DNS server.
The fact that you're getting thousands of these means some process is trying to contact a DNS server frequently. Are they all from the same source port of 60838? If so, I'd grab a copy of lsof and determine which process is using port 60838 and that will tell you the process that is causing these ICMP messages. Once you know which process is sending requests to port 53 you might be able to configure it to stop doing so.
Hope this helps,
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Why is this a ping on port 53?
A ping is an ICMP Echo Request/Reply. This above error is an ICMP Destination Unreachable caused by a packet being sent to a port that no process is listening on. This doesn't mean the ping program was used, it could be any application trying to send data to port 53, which is why it's important to figure out which application is using port 60838 in the above error.
If you can figure out which application is sending the packets you can figure out why.
Regards,
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
A ping is an ICMP Echo Request/Reply. This above error is an ICMP Destination Unreachable caused by a packet being sent to a port that no process is listening on. This doesn't mean the ping program was used, it could be any application trying to send data to port 53, which is why it's important to figure out which application is using port 60838 in the above error.
If you can figure out which application is sending the packets you can figure out why.
Regards,
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Since the source port numbers are changing rapidly, I highly doubt you're going to find them in the /etc/services file unless the process just happens to get an anonymous port assignment that "belongs" to a well-known service in /etc/services (i.e. there is nothing that stops one program from grabbing the port number of someone else's port assigned in /etc/services as long as it is not currently in use).
Do the changing port numbers mean this is multiple processes? Not necessarily. It could be a single process that is either launching threads to do the DNS queries or a process that calls fork/vfork to create a child process to do the DNS query.
In any case, I still recommend using lsof to try to determine who is sending these DNS requests to local port 53.
I'm not an lsof power user, so someone else might have a better idea for syntax, but looking at the lsof(8) man page, I think you'd want to use the "-i" and "-P" options to have lsof gather information about open IPV4 "network files" (i.e. connections) and to print their numerical names instead of a resolved name from /etc/services. I'd suggest collecting a few lsof runs at the same time as the icmpinfo command is gathering the ICMP Dest Unreachable messages.
Once you have a few lsof runs collected during the same time as some ICMP errors are logged you will hopefully be able to search the lsof output for the source port numbers in the ICMP messages and figure out which process is sending to port 53.
Good luck, and please let us know if you're able to identify the offending process.
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Do the changing port numbers mean this is multiple processes? Not necessarily. It could be a single process that is either launching threads to do the DNS queries or a process that calls fork/vfork to create a child process to do the DNS query.
In any case, I still recommend using lsof to try to determine who is sending these DNS requests to local port 53.
I'm not an lsof power user, so someone else might have a better idea for syntax, but looking at the lsof(8) man page, I think you'd want to use the "-i" and "-P" options to have lsof gather information about open IPV4 "network files" (i.e. connections) and to print their numerical names instead of a resolved name from /etc/services. I'd suggest collecting a few lsof runs at the same time as the icmpinfo command is gathering the ICMP Dest Unreachable messages.
Once you have a few lsof runs collected during the same time as some ICMP errors are logged you will hopefully be able to search the lsof output for the source port numbers in the ICMP messages and figure out which process is sending to port 53.
Good luck, and please let us know if you're able to identify the offending process.
Dave
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
