On yer firewall (or even better a network monitoring port on your switch)

To capture all outgoing DNS queries:

tcpdump -s 1500 -X -n -i <local interface> "udp and dst port 53"

To capture all replies (and possibly some requests with src port 53):

tcpdump -s 1500 -X -n -i <local interface> "udp and src port 53"

Should be able to capture any DNS requests that reach the firewall, (or 
any DNS requests at all, if you're running on the network monitoring port 
on your switch).

-Antony

-----Original Message-----
From: Len Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 11 Oct 2002 06:40:51 -0500
Subject: how to find the query culprit

> fbsd 4.4 and ipf 3.4.20
> 
> On a leased line to one of our clients, we have ipnat at their building
> with about 300 users behind it.  works great.
> 
> On the recursive DNS it uses in our shop, we see repeating PTR queries with
> longtime average of 8/second.  We've had this problem before and were able
> to trace it down to a Computer Associate backup program.
> 
> Now we're having the same problem and can't track down the source.
> 
> ipfstat -t -D 0,53
> 
> shows:
> 
> Src                     Dest
> 10.0.0.35,1035     212.73.210.72,53      0/0  udp       4      1056     0:11
> 10.0.0.35,1035     212.73.210.69,53      0/0  udp       4      1056     0:10
> 212.73.210.22,2905    212.73.210.69,53      0/0  udp       2       427  0:07 *
> 
> 
> 212.73.210.22 is the NAT outside,   212.73.210.69 is the harassed DNS.
> 
> We can't come up with fbsd or ipfstat command that shows the IP source of
> the PTR queries on the 10.0.0 internal network.
> 
> suggestions?
> 
> Len
> 
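The capture above only gets you raw packets; the remaining step in Len's situation is turning them into a per-source count so the one machine behind the NAT that is firing PTR queries stands out. The script below is an added example (not from either poster) that reads the one-line summaries `tcpdump -n` prints for DNS queries, counts queries of a chosen type per source address, estimates each source's query rate from the timestamps, and lists the most-queried names. The sample lines and addresses embedded in it are constructed for the example; the hex line stands in for the extra output `-X` produces, which the parser ignores.

```python
import re
import sys
from collections import Counter, defaultdict

# tcpdump -n prints one summary line per DNS query, e.g.
#   06:40:51.123456 IP 10.0.0.35.1035 > 212.73.210.69.53: 4711+ PTR? 72.210.73.212.in-addr.arpa. (45)
# With -X the hex dump follows on separate lines; those do not match and are skipped.
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<id>\d+)\+?\s+(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

# Constructed sample capture: one host sends PTR queries at 8/sec-style bursts,
# another sends a single A and a single PTR query. Addresses are made up.
SAMPLE_LINES = [
    "06:40:51.000000 IP 10.0.0.35.1035 > 212.73.210.69.53: 4101+ PTR? 72.210.73.212.in-addr.arpa. (45)",
    "06:40:51.125000 IP 10.0.0.35.1035 > 212.73.210.69.53: 4102+ PTR? 72.210.73.212.in-addr.arpa. (45)",
    "06:40:51.250000 IP 10.0.0.35.1035 > 212.73.210.72.53: 4103+ PTR? 69.210.73.212.in-addr.arpa. (45)",
    "06:40:51.375000 IP 10.0.0.35.1035 > 212.73.210.69.53: 4104+ PTR? 72.210.73.212.in-addr.arpa. (45)",
    "06:40:51.500000 IP 10.0.0.35.1035 > 212.73.210.69.53: 4105+ PTR? 72.210.73.212.in-addr.arpa. (45)",
    "06:40:51.300000 IP 10.0.0.77.3456 > 212.73.210.69.53: 9001+ A? www.example.com. (33)",
    "06:40:51.400000 IP 10.0.0.77.3457 > 212.73.210.69.53: 9002+ PTR? 1.0.0.10.in-addr.arpa. (40)",
    "\t0x0000:  4500 0049 1234 0000 4011 0000 0a00 0023  E..I....@......#",
]


def _ts_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarise_queries(lines, qtype="PTR"):
    """Aggregate queries of one type per source IP.

    Returns {src_ip: {"count": n, "rate": queries_per_second_or_None,
                      "top_names": [(qname, n), ...]}}.
    rate is None when a source was seen only within a single timestamp.
    """
    per_src = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": Counter()})
    for line in lines:
        m = DNS_QUERY_RE.match(line.strip())
        if not m or m.group("qtype") != qtype:
            continue
        t = _ts_seconds(m.group("ts"))
        st = per_src[m.group("src")]
        st["count"] += 1
        st["names"][m.group("qname")] += 1
        st["first"] = t if st["first"] is None else min(st["first"], t)
        st["last"] = t if st["last"] is None else max(st["last"], t)

    result = {}
    for src, st in per_src.items():
        span = st["last"] - st["first"]
        rate = round(st["count"] / span, 2) if span > 0 else None
        result[src] = {
            "count": st["count"],
            "rate": rate,
            "top_names": st["names"].most_common(3),
        }
    return result


def top_talkers(summary, n=5):
    """Sources ordered by query count, busiest first: [(src_ip, stats), ...]."""
    return sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)[:n]


if __name__ == "__main__":
    # Feed a live capture:  tcpdump -l -n -i <local interface> "udp and dst port 53" | python3 dnsrank.py
    # With no stdin input, fall back to the constructed sample so the script demonstrates itself.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for src, st in top_talkers(summarise_queries(lines)):
        rate = "n/a" if st["rate"] is None else f"{st['rate']}/s"
        print(f"{src:15} PTR queries={st['count']:5} rate={rate:8} top={st['top_names']}")
```

Run it on the inside of the NAT (the interface where ipfstat already sees the 10.0.0.x addresses), since once traffic has passed ipnat the recursive server only ever sees 212.73.210.22 as the source. The `-l` flag keeps tcpdump line-buffered so the counts update as the pipe fills rather than only when tcpdump exits.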
