On Sun, 2008-11-30 at 06:06 -0800, akuda wrote: > Hi, > Recently I found some unidentified outgoing connections (UOC, instead of > UFO) from one of my linux machines (gentoo, firewall by vuurmuur.org via > ipTables). Those UOC occurs soon after boot time, even though I closed all > services. These are DNS calls. DNS queries are extremely common (almost unavoidable). Most likely, they are reverse lookups looking for a name associated with your interface address. There are any one of a number of applications which may do a "gethostbyname" or "gethostbyaddress" which will trigger DNS queries. If you've got a graphical display (X, xdm, gdm) starting up I can almost guarantee that you'll see DNS queries. If you are getting your IP address via dhcp, you're likely to see associated DNS queries in response to any one of a number of DHCP options. If you've got logging enabled, you're likely to see DNS queries. > So I asked my friends full-time admins, how to check which program > requests access to internet, and what user started this program. If, for > example, RIAA would come to some University telling that from their IP > someone is downloading "Lilo & Stitch" illegally, the admin should be able > to tell who turned on bittorrent :) . And what stroke me was the fact, that > they actually didn't know! They asked me to hunt for those UOC, and then > type netstat with some options, to get the path to the binary, and locate in > someone's home directory (the bittorrent client won't be probably installed > as general bin for all users :) ). Someone else suggested lsof. You say these are connections but then say they are DNS which really probably means UDP (which is connectionless) and you're probably not going to see them up for very long, like long enough to catch them manually. Things like bittorrent are relatively easy to track down because they involved long persistent TCP connections. DNS queries are almost ubiquitous on a system, though. I don't see how you would run a system and totally avoid DNS queries or why you would want to even try. > Any other idea how to do it? Can I force linux to log who and how is > requesting a outgoing connection? You could play with some of the iptables facilities. You could also set up your own nameserver and force DNS queries through localhost and log them using "bind" to see what the queries are. You could also fire up tcpdump and capture what the queries are. You could also play with the audit subsystem and trap on DNS requests. I'm not sure any of it's worth the effort for mere DNS queries. Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Attachment:
signature.asc
Description: This is a digitally signed message part
