port scanner?

Jason Wagner
Occasional Contributor

port scanner?

We migrated from one Windows DNS server to another more than 6 months ago. Should be a very simple /etc/resolv.conf change, right?

Sort of. ALL nslookup requests, and most DNS traffic, are going to the new DNS server. However, the old DNS servers are still seeing traffic. I have been doing some packet sniffing and can see standard queries happening on the OLD server. Gotta be that the old server is cached by some of the processes running. So the question is, how the heck can I find out which processes have the old DNS info cached? LSOF just doesn't seem to be fast enough (the socket closes faster than the program can run). Is there some sort of real-time LSOF program?

"The sign said install windows 95 or better, so I installed Linux"
Patrick Wallek
Honored Contributor

Re: port scanner?

I know of no way to check the actual processes to see which DNS server they are using.

Can you just turn the old DNS server off and see what fails? I know that's not elegant, but I can't think of much else to try.
Paddy_1
Valued Contributor

Re: port scanner?

I would use the tool "dig" for this kind of debugging. Monitor the external link for port 53.
You must also think of the time to live (TTL) of the queries, which might have an effect on stale caches.
I know that we now have control of TTL from BIND 8, which we lacked before.
I suggest reading the DNS and BIND book
http://www.oreilly.com/catalog/dns4/toc.html
or the DNS-HOWTO that comes with BIND
The sufficiency of my merit is to know that my merit is NOT sufficient
Paddy_1
Valued Contributor

Re: port scanner?

Sorry.. To answer your port scanner question, the best one around is "nmap".
http://www.insecure.org/nmap/nmap_download.html

Or else you might also want to try "tcpdump" and "snoop"
The sufficiency of my merit is to know that my merit is NOT sufficient
Wodisch
Honored Contributor

Re: port scanner?

Hi,

why not simply install "IPFilter/9000" on that *old* DNS server of yours, and have it log all traffic to port 53?
Both transport protocols, TCP *and* UDP, of course, as DNS clients use UDP, but other DNS servers use TCP for zone-transfers...

FWIW,
Wodisch
Jeff Schussele
Honored Contributor

Re: port scanner?

Hi Jason,

Ummmm...couple of obvious questions...

1) Do you know - for a fact - that ALL clients have the new as primary?

2) Have ALL clients rebooted since the new one came in? Since we don't know just *what* type ALL the clients are, caching is certainly possible. But we all know that they wouldn't be HP. So look up the client hostnames on the sniffees.

My $0.02,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jeff Schussele
Honored Contributor

Re: port scanner?

Why not put lsof into repeat mode?

Use +|-r [t]

Where - = endless & + = stop at no lists. And t = delay in seconds. Set t=1 & let her rip... you're bound to hit it eventually.

So lsof -r 1 .... *ought* to catch it.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
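As an added example (not part of Jeff's reply and not an HP tool), here is a small POSIX shell script that runs lsof in repeat mode against sockets to the old server and pulls out the PID and command name of whatever owns them. The address 10.0.0.2 is a placeholder for the old DNS server, and the sample lsof output used by the self-check is constructed; -r, -n, -P and -i are standard lsof options.

```shell
#!/bin/sh
# Added example: watch for processes that open a socket to the OLD DNS server.
# OLD_DNS is a placeholder; override it with the real address in the environment.
OLD_DNS="${OLD_DNS:-10.0.0.2}"

# Read "lsof -n -P -i" output on stdin and print "PID COMMAND" for each socket
# whose remote endpoint is OLD_DNS port 53 (UDP or TCP). The "=======" lines
# that lsof -r prints between polls have no matching NAME field and are skipped.
dns_clients_from_lsof() {
    awk -v target="->${OLD_DNS}:53" '
        length($NF) > length(target) &&
        substr($NF, length($NF) - length(target) + 1) == target { print $2, $1 }
    '
}

# Live use: poll once a second (-r 1) forever, numeric hosts/ports (-n -P),
# restricted to sockets whose peer is OLD_DNS:53 over UDP or TCP.
# A resolver socket is only caught if it is open during a poll, so a very
# short-lived query can still slip between two polls.
poll_old_dns() {
    lsof -n -P -r 1 -i "UDP@${OLD_DNS}:53" -i "TCP@${OLD_DNS}:53" \
        | dns_clients_from_lsof
}

# Constructed sample of lsof -n -P -r output (two polls) for the self-check.
SAMPLE='COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
swagentd 1234 root  5u IPv4 0x1 0t0 UDP 10.0.0.5:49152->10.0.0.2:53
sshd      777 root  3u IPv4 0x2 0t0 TCP 10.0.0.5:22->10.0.0.9:51000 (ESTABLISHED)
=======
nslookup 4321 jason 4u IPv4 0x3 0t0 UDP 10.0.0.5:49200->10.0.0.3:53
swagentd 1234 root  5u IPv4 0x1 0t0 UDP 10.0.0.5:49152->10.0.0.2:53'

# Runs the parser over the sample and de-duplicates repeated hits.
self_check() {
    printf '%s\n' "$SAMPLE" | dns_clients_from_lsof | sort -u
}
```

Run `self_check` to see the parser pick out `1234 swagentd` and ignore the nslookup socket that went to the new server; `poll_old_dns` is the live form, which prints a line each time a poll catches an open socket to the old server.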
John Poff
Honored Contributor

Re: port scanner?

Hi,

Can I ask a stupid question? Doesn't the sniffer tell you the originator of the packet? Wouldn't that be a big hint as to which machines are querying the old DNS server?

If everything is supposed to point to the new DNS server, try shutting down the old DNS server. You'll quickly find out which boxes were pointed to it.

Another stupid question. The new DNS server isn't pointing to the old one, is it?

JP
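As an added illustration of John's point (not from the thread), a POSIX shell snippet that reads `tcpdump -n` output and tallies the queries sent to the old server by source host and by the name looked up, so the sniffer output answers "who is asking, and for what". The old server address 10.0.0.2 and the capture lines used by the self-check are constructed; the parser is tied to the line format of a modern tcpdump, so snoop output would need a different field layout.

```shell
#!/bin/sh
# Added example: attribute DNS queries seen on the wire to their source hosts.
# OLD_DNS is a placeholder for the old server's address.
OLD_DNS="${OLD_DNS:-10.0.0.2}"

# Read "tcpdump -n" lines on stdin, keep only queries addressed to OLD_DNS:53,
# and print "COUNT SOURCE-HOST NAME-QUERIED", busiest first.
# Expected tcpdump -n line shape (IPv4):
#   HH:MM:SS.uuuuuu IP src.port > dst.port: id+ TYPE? name. (len)
tally_dns_sources() {
    awk -v target="${OLD_DNS}.53:" '
        $2 == "IP" && $4 == ">" && $5 == target {
            src = $3; sub(/\.[0-9]+$/, "", src)       # strip the source port
            qname = "?"
            if (match($0, /[?] [^ ]+/))               # "A? name." -> "name."
                qname = substr($0, RSTART + 2, RLENGTH - 2)
            count[src " " qname]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Live use (needs root): capture UDP port 53 traffic headed for the old server.
# -c 500 bounds the capture so the sorted tally can be printed; -l line-buffers.
capture_old_dns() {
    tcpdump -n -l -c 500 udp port 53 and dst host "$OLD_DNS" | tally_dns_sources
}

# Constructed capture: two queries from 10.0.0.5 and one from 10.0.0.8 go to
# the old server; the reply and the query to 10.0.0.3 must be ignored.
SAMPLE='10:15:01.000001 IP 10.0.0.5.49152 > 10.0.0.2.53: 1001+ A? depot.example.com. (36)
10:15:01.000200 IP 10.0.0.2.53 > 10.0.0.5.49152: 1001 1/0/0 A 10.0.0.40 (52)
10:15:02.000001 IP 10.0.0.7.40000 > 10.0.0.3.53: 1002+ A? www.example.com. (34)
10:15:03.000001 IP 10.0.0.5.49153 > 10.0.0.2.53: 1003+ A? depot.example.com. (36)
10:15:04.000001 IP 10.0.0.8.40001 > 10.0.0.2.53: 1004+ PTR? 40.0.0.10.in-addr.arpa. (41)'

self_check_tally() {
    printf '%s\n' "$SAMPLE" | tally_dns_sources
}
```

`self_check_tally` prints `2 10.0.0.5 depot.example.com.` followed by `1 10.0.0.8 40.0.0.10.in-addr.arpa.`; the name being looked up is often the quickest clue to which program on the source host still holds the old address.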
U.SivaKumar_2
Honored Contributor

Re: port scanner?

Hi,

I agree with John. OLD DNS server information will not be cached by local processes. But some resolvers support negative caching (caching of non-existent replies), which will not come into the picture in our case.

The real records are cached by other DNS servers or slave DNS servers. So if the clients query the other DNS servers for records of your domain, then those servers will return the OLD NS records of your domain from their cache (memory).

Idea to overcome this problem
Case 1:
You have slave servers:

Increment the serial number of the master DNS server when you make any change so that the slave will update its zone.

Case 2:
You have other DNS servers:

Just restart the DNS service, which will purge the cache and force it to look for fresh records.

regards,

U.SivaKumar
Innovations are made when conventions are broken
U.SivaKumar_2
Honored Contributor

Re: port scanner?

Hi,

I agree with John. OLD DNS server information will not be cached by local processes. But some resolvers support negative caching (caching of non-existent replies), which will not come into the picture in our case.

The real records are cached by other DNS servers or slave DNS servers. So if the clients query the other DNS servers for records of your domain, then those servers will return the OLD NS records of your domain from their cache (memory).

Idea to overcome this problem
Case 1:
You have slave servers:

Increment the serial number of the master DNS server when you make any change so that the slave will update its zone.

Case 2:
You have other DNS servers:

Just restart the DNS service on all other DNS servers in your network, which will purge the cache and force them to look for fresh records.

regards,

U.SivaKumar
Innovations are made when conventions are broken
curt larson_1
Honored Contributor

Re: port scanner?

Don't know what the capabilities of your old DNS server are, but if it supports debugging or the boot file directive query-log, you should be able to start up DNS with the appropriate configuration and just look in the DNS log file to see where the queries are coming from.
Jason Wagner
Occasional Contributor

Re: port scanner?

Let me try and answer some of these questions.

I know that packets are being sent from a specific host to an old DNS server. The only change I made was to replace the old server's IP address with the new server in /etc/resolv.conf. I have confirmed this change many times now. An "nslookup" command tells you it will perform queries on the new server. The DNS servers in question are Windows. (Yeah, I know, out of my control.)

Also, the system has not been rebooted (downtime doesn't happen around here).

I *know* that swagentd was one of the processes that "cached" the old DNS server; when I started swinstall, I got a flurry of packets to the old DNS server. After I did an swagentd -r, they went to the new server.

So, I know that packets are coming from my UNIX client, but I still can't figure out what process is doing it. I will try some of the suggestions made here, including the lsof infinite loop. Again, my trouble is, the socket closes so fast, lsof is not detecting it.

Somebody on-site suggested that glance might be of some help here. Are there any glance gurus in here?
"The sign said install windows 95 or better, so I installed Linux"