Unix/Linux Forum: udp sockets of dns requests not showing anywhere... - Unix/Linux Forum



#1 angeloio

  • Newbie (User Level: 0/10)
  • Group: Members
  • Posts: 3
  • Joined: 11-November 08

Posted 11 November 2008 - 08:35 PM

Dear guys,

I am facing the most weird problem I have ever encountered!
Ok here is the situation:
From my DNS query.log file, which is generated using the usual bind9 logging:
logging {
    channel query.log {
        file "/var/log/bind9/query.log" versions 10 size 2m;
        severity debug 2;
        print-time yes;
    };

    category queries { query.log; };
};

I get many requests from localhost (like the following):
11-Nov-2008 12:27:01.010 client 127.0.0.1#45976: query: cyberfortress.com IN AAAA +
11-Nov-2008 12:27:01.010 client 127.0.0.1#57628: query: cyberfortress.com.smart-vision.eu IN AAAA +
11-Nov-2008 12:27:01.011 client 127.0.0.1#39766: query: cyberfortress.com IN A +
11-Nov-2008 12:27:01.055 client 127.0.0.1#58181: query: a094.server.lu IN A +

(domain cyberfortress.com is hosted on the same machine).
I tried to find where these requests are coming from. So using tcpdump:
tcpdump -vvv -n -i lo src host 127.0.0.1 and dst port 53

I get many packets:
21:25:02.000103 IP (tos 0x0, ttl 64, id 41188, offset 0, flags [DF], proto: UDP (17), length: 63) 127.0.0.1.54038 > 127.0.0.1.53: [bad udp cksum 400e!] 58884+ AAAA? cyberfortress.com. (35)
21:25:02.000412 IP (tos 0x0, ttl 64, id 41188, offset 0, flags [DF], proto: UDP (17), length: 79) 127.0.0.1.54188 > 127.0.0.1.53: [bad udp cksum 3a21!] 4651+ AAAA? cyberfortress.com.smart-vision.eu. (51)
21:25:02.000542 IP (tos 0x0, ttl 64, id 41188, offset 0, flags [DF], proto: UDP (17), length: 63) 127.0.0.1.56204 > 127.0.0.1.53: [bad udp cksum def1!] 5360+ A? cyberfortress.com. (35)

The actual question is which processes are sending these packets.
I tried using lsof, netstat, fuser, even a perl program called socklist.pl, which I modified to print only udp sockets and run in a while (1) loop, but the above sockets (54038, 54188, 56204 etc...) cannot be seen anywhere !!! [Could it be because they are so short-lived ???]
I am running a grsec-enabled 2.6 kernel in a debian etch system.

Do you have any ideas what is happening and how to pinpoint the processes that generate these packets ???

It is very important for me. I could possibly give some money for a really good solution.

Thanks to all for your time

#2 eggi

  • User Level: 6/10
  • Group: Members
  • Posts: 311
  • Joined: 25-November 07
  • Location: Grayslake, IL USA

Posted 12 November 2008 - 09:27 AM

Hey there,

Yeah those ports are all short-lived ephemeral ports and go away after the connection/session is complete.

This may be caused if you're binding to 127.0.0.1 - you can get around this by specifying what IP your BIND binds to in named.conf with:

listen-on { 10.99.99.1; };

in the main options section, replacing 10.99.99.1 with the IP of your host's nodename (if you have multiple IPs, you can either pick one, or get them all by using the 0.0.0.0 address).

Check this bug report out, also - it may or may not be related:

http://lists.freebsd...ber/015070.html

best wishes,

Mike
The greatest viral marketing idea of all time, get your copy of this Free Report now!
----
Linux Tips, Trick and Advice -- The Linux and Unix Menagerie

#3 angeloio

  • Newbie (User Level: 0/10)
  • Group: Members
  • Posts: 3
  • Joined: 11-November 08

Posted 12 November 2008 - 10:31 AM

Thanks Mike,

Is there any way (kernel mod, tool, script or else) to monitor sockets in real time so that I can detect all processes that open sockets, even the very short-lived ones ?

Thanks again
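Posts #1 and #3 both ask the same thing: how to see which process owns a UDP socket that lives only milliseconds. As an added example that is not part of this thread, here is a Python script that polls /proc/net/udp (the table netstat and socklist.pl read) and joins each socket's inode to its owner through the /proc/<pid>/fd symlinks, rather than the one-shot listing those tools give. The sample rows, inode numbers and the 127.0.0.1:54038 mapping are constructed; it assumes a Linux host with a readable /proc (run as root) and a little-endian CPU.

```python
import os
import socket
import time

# Constructed sample of two /proc/net/udp rows; 0100007F:D316 is 127.0.0.1:54038 on a little-endian host.
SAMPLE_PROC_NET_UDP = """\
  87: 0100007F:D316 00000000:0000 07 00000000:00000000 00:00000000 00000000   105        0 12345 2 ffff88003c1a1400 0
 231: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   104        0 6789 2 ffff88003c1a1800 0
"""

def parse_proc_net_udp(text):
    """Return {inode: (local_ip, local_port)} for every UDP socket in the table."""
    sockets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[0].endswith(":"):   # data rows only; a header row is skipped
            addr_hex, port_hex = fields[1].split(":")         # hex; the address is in host byte order
            ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])   # bytes reversed: little-endian assumed
            sockets[int(fields[9])] = (ip, int(port_hex, 16))  # column 10 is the socket inode
    return sockets

def inode_owners():
    """Map socket inode -> (pid, cmdline) via /proc/<pid>/fd symlinks (Linux only, run as root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            for fd in os.listdir("/proc/%s/fd" % pid):
                link = os.readlink("/proc/%s/fd/%s" % (pid, fd))
                if link.startswith("socket:["):                # e.g. "socket:[12345]"
                    owners[int(link[8:-1])] = (int(pid), cmd)
        except OSError:                                        # process exited mid-walk, or not readable
            continue
    return owners

def watch(interval=0.005):   # poll loop: reports each socket inode once, with its owning process
    seen = set()
    while True:
        with open("/proc/net/udp") as f:
            table = parse_proc_net_udp(f.read())
        owners = inode_owners()
        for inode, (ip, port) in table.items():
            if inode not in seen:
                seen.add(inode)
                print("%s:%d inode=%d pid=%s %s" % ((ip, port, inode) + owners.get(inode, ("?", "closed before the fd walk reached it"))))
        time.sleep(interval)   # tight poll; a socket that lives for less than one pass can still slip by

if __name__ == "__main__":
    watch()
```

A socket that opens and closes within one pass is invisible to any /proc poller, so when this reports nothing for the ports tcpdump shows, syscall-level tracing of the candidate daemons (strace -f -e trace=network) is the next step.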

#4 eggi

  • User Level: 6/10
  • Group: Members
  • Posts: 311
  • Joined: 25-November 07
  • Location: Grayslake, IL USA

Posted 13 November 2008 - 03:48 AM

Hey - Happy to help :)

AA Tools Netmon is a great tool for this, but runs about 50 bucks.

Check out this link for the beta, which is free (just no support or guarantee that it'll work, but it does ;)

http://www.freedownl...ols/Netmon.html

Hope it helps you out. This tool will detect ports that open and close in real time so you can debug that sort of thing.

Best wishes,

Mike
