11-12-2009 01:54 AM
What is causing a reverse lookup for our dns servers ip address?
We have had complaints that our HP-UX 11.23 rx2620 is generating a lot of DNS traffic.
I eliminated most by adding the nsswitch.conf to use the hosts file before DNS, but the following traffic remains constant.
10.53.111.196 is our HP box
10.225.32.21 is the dns server.
Is there any way to identify which process is triggering this?
# tcpdump -nS -ni lan0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan0, link-type EN10MB (Ethernet), capture size 96 bytes
17:46:15.576111 IP 10.225.32.21.53 > 10.53.111.196.56403: 10761* 1/0/0 (81)
17:46:15.638589 IP 10.225.32.21.53 > 10.53.111.196.56404: 8876* 1/0/0 (81)
17:46:15.826564 IP 10.53.111.196.56405 > 10.225.32.21.53: 35970+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:15.838155 IP 10.53.111.196.56406 > 10.225.32.21.53: 20076+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:16.156691 IP 10.225.32.21.53 > 10.53.111.196.56405: 35970* 1/0/0 (81)
17:46:16.157434 IP 10.225.32.21.53 > 10.53.111.196.56406: 20076* 1/0/0 (81)
17:46:16.382976 IP 10.53.111.196.56407 > 10.225.32.21.53: 2440+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:16.464860 IP 10.53.111.196.56408 > 10.225.32.21.53: 56307+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:17.006781 IP 10.225.32.21.53 > 10.53.111.196.56407: 2440* 1/0/0 (81)
17:46:17.016931 IP 10.225.32.21.53 > 10.53.111.196.56408: 56307* 1/0/0 (81)
17:46:17.269397 IP 10.53.111.196.56409 > 10.225.32.21.53: 2847+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:17.271352 IP 10.53.111.196.56410 > 10.225.32.21.53: 50932+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:17.554738 IP 10.225.32.21.53 > 10.53.111.196.56409: 2847* 1/0/0 (81)
17:46:17.557537 IP 10.225.32.21.53 > 10.53.111.196.56410: 50932* 1/0/0 (81)
17:46:17.802274 IP 10.53.111.196.56411 > 10.225.32.21.53: 59151+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:17.818927 IP 10.53.111.196.56412 > 10.225.32.21.53: 41395+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:18.424757 IP 10.225.32.21.53 > 10.53.111.196.56411: 59151* 1/0/0 (81)
17:46:18.425457 IP 10.225.32.21.53 > 10.53.111.196.56412: 41395* 1/0/0 (81)
17:46:18.772148 IP 10.53.111.196.56413 > 10.225.32.21.53: 20474+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:18.782503 IP 10.53.111.196.56414 > 10.225.32.21.53: 12919+ PTR? 21.32.225.10.in-addr.arpa. (43)
Regards,
Jason.
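A packet capture cannot name the process behind a query, but it can show exactly what is being asked and how often. The following is an added example, not part of the original post: it parses the `tcpdump -n` text format shown above, pairs each query with its answer by client port and transaction ID, and counts PTR lookups that ask the DNS server for its own address.

```python
import re
from collections import Counter

# Six lines copied from the tcpdump capture in the post above.
CAPTURE = """\
17:46:15.826564 IP 10.53.111.196.56405 > 10.225.32.21.53: 35970+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:15.838155 IP 10.53.111.196.56406 > 10.225.32.21.53: 20076+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:16.156691 IP 10.225.32.21.53 > 10.53.111.196.56405: 35970* 1/0/0 (81)
17:46:16.157434 IP 10.225.32.21.53 > 10.53.111.196.56406: 20076* 1/0/0 (81)
17:46:16.382976 IP 10.53.111.196.56407 > 10.225.32.21.53: 2440+ PTR? 21.32.225.10.in-addr.arpa. (43)
17:46:17.006781 IP 10.225.32.21.53 > 10.53.111.196.56407: 2440* 1/0/0 (81)
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                  r"(\d+)\S* (.*)$")
QUERY = re.compile(r"^(\w+)\? (\S+)")   # e.g. "PTR? 21.32.225.10.in-addr.arpa."

def ptr_to_ip(qname):
    """'21.32.225.10.in-addr.arpa.' -> '10.225.32.21'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa."
    if not qname.endswith(suffix):
        return None
    return ".".join(reversed(qname[:-len(suffix)].split(".")))

def analyse(text):
    pending, latency_us = {}, []   # pending: (client, port, txid) -> send time in us
    queries = Counter()            # (client, qtype, qname) -> number of queries
    ports, self_ptr = set(), 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # banner lines and anything that is not a DNS record
        h, mi, s, frac, src, sport, dst, dport, txid, rest = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 10**6 + int(frac.ljust(6, "0")[:6])
        q = QUERY.match(rest)
        if dport == "53" and q:                      # client -> server question
            qtype, qname = q.groups()
            queries[(src, qtype, qname)] += 1
            ports.add(sport)
            pending[(src, sport, txid)] = t
            if qtype == "PTR" and ptr_to_ip(qname) == dst:
                self_ptr += 1                        # asking the server for its own name
        elif sport == "53":                          # server -> client answer
            sent = pending.pop((dst, dport, txid), None)
            if sent is not None:
                latency_us.append(t - sent)
    return {"queries": queries, "source_ports": len(ports), "self_ptr": self_ptr,
            "latency_us": latency_us, "unanswered": len(pending)}
```

On these lines every question is a PTR lookup of the DNS server's own address and each one leaves from a new source port, which is the pattern to look for in the full capture.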
11-12-2009 02:55 AM
Re: What is causing a reverse lookup for our dns servers ip address?
This is only a guess: there is a file used by DNS for storing the named pid:
/var/run/named.pid
Run analysis on the named pid's usage with 'lsof', for example. My only concern is how to know when to trap this information. Or should you run the trap constantly until interrupted? Perhaps perfview or measureware's extract command.
/opt/perf/bin/extract -xp -p -r proc.rep -f destfile
Do you have these tools installed?
12-01-2009 04:44 AM
Re: What is causing a reverse lookup for our dns servers ip address?
If you haven't changed this (HP defaults), you might find something like this in the file:
hosts: dns [NOTFOUND=return] nis [NOTFOUND=return] files
ipnodes: dns [NOTFOUND=return] files
- that uses dns (nb! I do not comment the other entries in the file)
For hosts and ipnodes I use:
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=return UNAVAIL=continue TRYAGAIN=return]
ipnodes: files
You should also check your /etc/resolv.conf file.
Is your default domain specified?
Is your host defined with an FQDN within this domain?
... and a tip could also be to check out the /etc/mail/sendmail.cw file.
Apart from this, it also depends a bit on the applications you run on that system... if they use a lot of reverse lookups...
/2r
12-01-2009 05:03 AM
Re: What is causing a reverse lookup for our dns servers ip address?
For example look at the man page for rlogind and check the -s option.
Not all of them have an option to suppress the reverse lookup. You can check various log files to find out the most frequently connecting clients to your HP-UX server and put those clients in your hosts file. That way they are found within your server for the reverse lookup.
12-01-2009 06:30 AM
Re: What is causing a reverse lookup for our dns servers ip address?
The problem was that some programs only read the nsswitch.conf at startup.
After a scheduled reboot the dns lookups have stopped.
Thanks again,
Jason
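The resolution above suggests a check that avoids waiting for a reboot: list the processes that were already running when nsswitch.conf was last modified, since those may still hold the old lookup order. The following is an added example, not part of the original thread; the sample `ps` output and the `/opt/app/bin/collector` path are constructed, and it assumes the local `ps` supports the POSIX `etime` column (on HP-UX, `-o` requires the `UNIX95` variable to be set).

```python
import os
import re
import subprocess
import time

# Constructed sample of `UNIX95= ps -e -o pid,etime,args` output (not from the thread).
SAMPLE_PS = """\
  PID     ELAPSED COMMAND
    1 41-03:12:55 init
 1423 41-03:10:02 /usr/sbin/inetd
 2210    12:40:09 /opt/app/bin/collector -d
 9931       02:15 -sh
 9950       00:03 ps -e -o pid,etime,args
"""

def etime_seconds(etime):
    """Convert the ps etime format '[[dd-]hh:]mm:ss' to seconds."""
    m = re.fullmatch(r"(?:(?:(\d+)-)?(\d+):)?(\d+):(\d+)", etime)
    if not m:
        raise ValueError(f"unrecognised etime: {etime!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def started_before_change(ps_text, config_age_s):
    """Return (pid, age_s, command) for processes older than the config edit."""
    stale = []
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, etime, args = fields
        age = etime_seconds(etime)
        if age > config_age_s:                   # running since before the edit
            stale.append((int(pid), age, args))
    return stale

def live_check(path="/etc/nsswitch.conf"):
    """Run the same comparison on the local host."""
    age = time.time() - os.stat(path).st_mtime
    out = subprocess.run(["ps", "-e", "-o", "pid,etime,args"],
                         env={**os.environ, "UNIX95": "1"},
                         capture_output=True, text=True, check=True).stdout
    return started_before_change(out, age)
```

The result is a list of restart candidates only: a process on it may never call the resolver at all.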