Develop Reference

Linux process/component sending frequent DNS queries to resolve the local hostname (but shouldn't)

I'm not a networking guru so could use some help. I am running a RHEL7 (Red Hat Enterprise Linux) VM (Virtual Machine) where some component on the OS is sending frequent DNS queries to resolve it's own local hostname to our main DNS server (which shouldn't be happening because the DNS server won't know anything about its address). Can anyone provide guidance as to how I can find out what component/service/process this is? It's filling our logs with 19k records over just hours and I need to find a way to fix this.
The hostname for the RHEL VM is spe1.2v29999999.dev.local , there is a static IP on this VM and it is 10.70.49.61. The /etc/hosts looks like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost4 localhost4.localdomain4
I suspected it might be a java jar we have running on the VM, but I stopped it via systemctl stop MyJavaJar but after running a tcp dump via tcpdump -i any udp port 53, I could still see the queries happening.
Here are some examples from different days/times in the logs (both A and TXT records):
2020-05-05T13:53:50.189178+00:00 dns.green.blue.mycompany.com 127.0.0.1 <daemon.info> dnsmasq[20886]: 739 10.70.49.61/65078 query[A] spe1.2v29999999.dev.local from 10.70.49.61
2020-05-07T00:01:39.934899+00:00 dns.green.blue.mycompany.com 127.0.0.1 <daemon.info> dnsmasq[8615]: 27827 10.70.49.61/57348 reply spe1.2v29999999.dev.local is NXDOMAIN
2020-05-11T00:01:20.674688+00:00 dns.green.blue.mycompany.com 127.0.0.1 <daemon.info> dnsmasq[8615]: 130345 10.70.49.61/53321 query[TXT] bootstrap.spe1.2v29999999.dev.local from 10.70.49.61
Would making any changes to /etc/hostname, /etc/sysconfig, /var/named .zone files, /var/named.conf or /etc/named help? Can I do more with tcpdump? Thanks

Put:
127.0.0.1 spe1.2v29999999.dev.local
in /etc/hosts. This is done by default on many distros.

How do I make dig use a source IP other than localhost while querying a DNS server running locally on my machine?

I am trying to run a coredns plugin https://github.com/coredns/demo that returns 1.1.1.1 for 172.0.0.0/8 or 127.0.0.0/8 and 8.8.8.8 for everything else.
I run the binary and try to make a request from dig using dig example.org #localhost -p1053 +short which returns 1.1.1.1 since the request is sent from localhost
Is there anyway I can send a request from dig to coredns that it might look like to the DNS server that it is sent from another IP and it will return 8.8.8.8 instead?

From dig manual:
-b address[#port]
Set the source IP address of the query. The address must be a valid address on one of the host's network interfaces, or "0.0.0.0" or "::". An optional port may be
specified by appending "#<port>"
Otherwise, if the server supports ECS (EDNS Client Subnet) you can use dig option +subnet=addr to give it to the server and see how its reply changes.

ping, ssh, ... uses different IP than one resolved by nslookup, host,

After new install of Ubuntu15.10 my commands(ping, ssh, ...) are using different IP address than one resolved by nslookup, host, dig, ...
How could this happen?
user#ubuntu-15-10:~$ nslookup foobar.com
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
foobar.com canonical name = foobar.homeip.net.
Name: foobar.homeip.net
Address: 12.34.56.78
user#ubuntu-15-10:~$ host foobar.com
foobar.com is an alias for foobar.homeip.net.
foobar.homeip.net has address 12.34.56.78
user#ubuntu-15-10:~$ ping foobar.com
PING foobar.com (192.168.1.3) 56(84) bytes of data.
64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=1 ttl=64 time=0.245 ms
64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=2 ttl=64 time=0.285 ms
64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=3 ttl=64 time=0.269 ms
^C
--- foobar.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.245/0.266/0.285/0.021 ms
user#ubuntu-15-10:~$
My /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search localdomain.home
My /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] wins dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
No entry for foobar.com in /etc/hosts
Anyone any idea?

I found a fix myslef after some investigation...
Problem was in /etc/nsswitch.conf:
at "hosts" line: "dns" entry should be before "wins" entry...
I don't understand what's behind, however now it works like expected

Sorry, the server configured is some strange fake server, probably at your own machine. The server address [127.0.1.1] is normally reserved for localhost interfaces (this is strange, as the localhost address is actually 127.0.0.1, and not 127.0.1.1)
The most probably cause you are receiving different responses is that nslookup(1) is a BIND utility to test dns access (it only uses dns lookups) and ping(1) uses the gethostbyname(3) library routine (which considers all possibilities configured in /etc/nsswitch.conf file for information on how to proceed, in this case, being the dns part the last resort)
On other side, the actual address of host foobar.com is not that one (see below).
Finally, the address foobar.com resolved by ping(1) as shown in your output is one private address (not the actual one, see RFC-1918), you cannot find that host over internet.
The most probable thing is that you have not asked for dns resolution to any official internet nameserver, so everything is a matter of local dns configuration.
Possible causes of the difference:
mdns4_minimal is some fake program that doesn't ask the actual nameserver.
dns is the last option in the /etc/nsswitch.conf, so official DNS protocol goes last (when all other protocols have failed)
your dns is not listening in address 127.0.1.1 and you have some ssh port redirection or tunnel to someother nameserver giving the wrong answers. The address 127.0.1.1 is normally used by the tap* network device when used for example to configure openvpn(1) client connections.
You have not shown the nameserver config files running at your machine. Perhaps the origin of the address you get is there. Look for named(8) config files and search for the domain foobar.com in those config files.
None of the addresses you shown is a real internet address (127.0.0.0/8, 10.0.0.0/8, 172.16-31.0.0/16, 192.168.0-255.0/24 and 169.254.0.0/16 are all reserved internet addresses for one or other reason, and you won't see any of these addresses appearing on packets coming from internet) The reasons are diverse, but the fact is that all your traffic is local in your private network and nothing, except perhaps the nameserver running at your machine has internet access.
Sorry but with the information you provide, this is the only I can argue to try to solve your error.
Something you can do is the following (to get a clean dns resolution):
configure dns after files in /etc/nsswitch.conf. This will give dns priority before that mdns4_minimal and wins resolution)
configure nameserver <ip> with the actual addresses of your nameservers (They should be communicated to you by your internet provider. If you don't know what to put there, just try nameserver 8.8.8.8 which means use the google nameserver to solve addresses. Fortunately, it is open to everybody)
These steps will make dns resolution to overpass your local nameserver completely and you'll get something like
$ nslookup foobar.com
Server: 46.183.73.1
Address: 46.183.73.1#53
Non-authoritative answer:
Name: foobar.com
Address: 69.89.31.56
$ ping foobar.com
PING foobar.com (69.89.31.56): 56 data bytes
64 bytes from 69.89.31.56: icmp_seq=0 ttl=50 time=173.196 ms
64 bytes from 69.89.31.56: icmp_seq=1 ttl=50 time=175.091 ms
64 bytes from 69.89.31.56: icmp_seq=2 ttl=50 time=208.612 ms
64 bytes from 69.89.31.56: icmp_seq=3 ttl=50 time=177.145 ms
^C
--- foobar.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 173.196/183.511/208.612/14.559 ms
$ _
If you have installed ubuntu and didn't configure internet connection at installation, the most probable cause is that it has configured dns locally with a fake database that allows you to make experiments, before configuring it for real internet access.

slow or timeout of dns resolving inside docker

On host machine, it's very fast to lookup a domain. But inside docker container, it's much
slower and sometimes timeout.
The host machine is a virtual host, and it's dns server address is 127.0.0.1 (weird but true). So I've tried to modify /etc/resolv.conf inside container and set the dns server to be 172.x (host's address). As a result, I didn't see any good effect.
I've also tried to set the container's dns server to be a self-built one (101.x), but still, it's slow to look up a domain. Another weird thing is that ping 101.x is very fast.
I'm confused about this phenomenon, anyone can explain and help?

I am not sure of why resolving DNS is slow in the containers, but I have procedure which I follow to resolve the DNS in the docker containers.
To verify DNS resolution issue:
# docker run busybox nslookup google.com
Server: 8.8.8.8
Address 1: 8.8.8.8
nslookup: can't resolve 'google.com'
Find out the DNS server used in your machine :
# nm-tool |grep DNS
DNS: 172.24.100.50
DNS: 10.1.100.50
Run it again using DNS IP found in the above step which resolves the DNS issue:
# docker run --dns 172.24.100.50 busybox nslookup google.com
Server: 172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com
Name: google.com
Address 1: 2607:f8b0:4009:80c::200e ord36s01-in-x0e.1e100.net
Address 2: 172.217.4.110 ord36s04-in-f14.1e100.net
To resolve it permanently add the following content as below to a new file:
root#labadmin-VirtualBox:/home/labadmin# cat /etc/docker/daemon.json
{
"dns" : ["172.24.100.50", "8.8.8.8"]
}
More info on Docker DNS configuration.
Restart the docker service and verify it again:
# docker run busybox nslookup google.com
Server: 172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com
Name: google.com
Address 1: 2607:f8b0:4009:801::200e ord30s31-in-x0e.1e100.net
Address 2: 172.217.4.238 ord30s31-in-f14.1e100.net
Check it by running the container:
# docker run -it e02e811dd08f
/ # ping google.com
PING google.com (172.217.4.238): 56 data bytes
64 bytes from 172.217.4.238: seq=0 ttl=47 time=251.506 ms
64 bytes from 172.217.4.238: seq=1 ttl=47 time=245.621 ms
Hope this helps.

URL with hostname does not work but works with IP address

I am working on RHEL 6.3, the IP address of this server is 172.xxx.xxx.xx and hostname is build01.xxx.com
I have a DNS entries of client server, I have configured that in /etc/sysconfig/network-scripts/ifcfg-eth0 and in /etc/resolv.conf
[root#build01 ~]# cat /etc/resolv.conf
search 100.xxx.x
nameserver 203.xxx.xxx.xxx ##Primary DNS
nameserver 203.xxx.xxx.xxx ###Secondary DNS
[root#build01 etc]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
172.xxx .xxx.xx build01.xxx.com build01
[root#build01 ~]# hostname
build01.xxxx.com
My issue is when I hit the URL with hostname(buil01.xxx.in) it does not work, but it works with IP (172.xxx.xxx.xx)
This is the error which i get in browser if I type hostname
Host Not Found
**DNS error (the host name of the page you are looking for does not exist) or Server did not accept the connection.
Please check that the host name has been spelled correctly.**
Internet works in this machine only issue is with hostname
Please help me what I am missing to configure
Thanks
Roopa

The search line in resolv.conf should list the local domain. So change:
search 100.xxx.x
to:
search xxx.com
Actually you should also change search to domain. For more information have a look at man resolv.conf.