Is it possible to detect HOSTS file resolution vs DNS resolution - dns

For diagnostic purposes I would like to be able to find out if a customer has a hostname failure because of a HOSTS file entry. Is it possible to detect that a DNS query was resolved by HOSTS or DNS?
(Of course I'm curious about multiple OSes: Windows, HPUX, AIX, Linux, Mac)
I suspect it may be possible if I could bypass the hostname resolution sequencing configuration of the machine. Of course reading the HOSTS file directly is an option but if there's an in memory problem (i.e. virus, or just changed to remove the misconfiguration but not taken effect yet) then it wouldn't be helpful.

On Windows, if you are looking up server1 you can compare the IP address printed in the output of ping server1 with the output of the nslookup server1 command.
This URL states that on Windows, nslookup does not use the hosts file:
https://serverfault.com/questions/95036/what-can-cause-a-dns-lookup-to-ignore-a-hosts-file-entry
Both ping server1 and nslookup server1 print the IP address they associate with server1, but ping will use the hosts file (on my system) and nslookup does not.
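The comparison described in this answer can be scripted. The following is an added example, not code from the original posts: it compares the OS resolver's answer with the hosts file on disk and with a DNS-only answer. It assumes the caller supplies the DNS-only addresses (for instance copied from nslookup output); the function names and the sample data are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample hosts-file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample
10.0.0.100  server1 server1-alias
10.0.0.101  server2   # trailing comment
"""

def parse_hosts(text):
    """Map lower-cased hostname -> set of IP strings from hosts-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(ip)
    return table

def classify(name, hosts_text, system_addrs, dns_addrs):
    """Say which source most likely produced the OS resolver's answer."""
    in_hosts = parse_hosts(hosts_text).get(name.lower().rstrip("."), set())
    system, dns = set(system_addrs), set(dns_addrs)
    if not system:
        return "unresolved"
    if system & in_hosts and system & dns:
        return "ambiguous"      # hosts file and DNS agree
    if system & in_hosts:
        return "hosts-file"
    if system & dns:
        return "dns"
    return "other"              # cache, another name service, or a stale in-memory entry

def system_lookup(name):
    """Addresses from the OS resolver, which honours the hosts file and lookup order."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()
```

The "other" result covers the case raised in the question, where the resolver's answer matches neither the file on disk nor DNS.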

Related

Bash: pinging servers and writing the IP to a file

I currently have to find the IP addresses of a lot of servers.
I have written a bash script on Linux that creates all the server names.
When I write it like this, I get all server names, even if they no longer have an IP.
host $f$n$d >> IPs.txt
Is there a way to write only the servers that still have an IP into the file, together with the server name?
Kind regards Elias
I think the local DNS resolver caches the IP addresses, so you will get the corresponding IPs even in the scenario you described.
I suggest you start the script with a full local DNS flush, depending on your distribution and DNS client. Here are some techniques to flush it.

getting hostname of remote computers on the local network not setup in /etc/hosts

I have a new learning, I was trying to get hostname using python's socket.
so from my macbook I ran the below code:
socket.gethostbyaddr("192.168.1.111")
and I get the ('rock64', [], ['192.168.1.111']) then I tried IP address of a computer that is not on the network anymore but used to be:
socket.gethostbyaddr("192.168.1.189")
and it returned: ('mint', [], ['192.168.1.189']) then I realised it's coming from the /etc/hosts file.
now in that host file I also have this entry:
/etc/hosts
172.217.25.3 google.com.hk
but if I try to get the host from the IP of a WAN address I get different results than expected!
socket.gethostbyaddr("172.217.25.3")
that returns ('hkg07s24-in-f3.1e100.net', ['3.25.217.172.in-addr.arpa'], ['172.217.25.3'])
so I am now wondering where, in the latter case of the WAN IP address, I am getting the hostname from, and why in the case of local computer IPs I am getting the hostname from the configured /etc/hosts file?
How can we get the hostname of host computers on the local network without socket.gethostbyaddr having to look into the /etc/hosts file, or by other means?
This is an opinion-based answer to the question "how to build a registry of network devices on your local network?"
The best way to build a registry of devices on your local network is to set up ntopng on your gateway. It uses DPI (Deep Packet Inspection) techniques to collect information about hosts.
NTOPNG has nice user interface and displays host names (when possible).
You can assign aliases for specific hosts which do not leak host names via any protocol.
For some reason the ntopng developers did not include the alias in the JSON response for the request http://YOUR-SERVER:3000/lua/host_get_json.lua?ifid=2&host=IP-OF-DEVICE .
You can add it manually by adding lines require "mac_utils" and hj["alias"]=getDeviceName(hj["mac_address"]) into file /usr/share/ntopng/scripts/lua/host_get_json.lua
You can use REST API to interrogate ntopng and use provided information for building any script you need.

How can I restrict FTP and SMB access to computers on the internal network

I have installed samba and tried adding this line to the config file for samba
Listen=yes
Listen_address= 127.0.0.1
I have also put this in vsftpd.cnf
It doesn't work
The IP addresses 127.x.x.x are always restricted to the local host only, so when other computers try that they connect only to themselves. Assuming you have Linux on a Raspberry Pi, see what other IP addresses it has that connect with the outside world like this:
/sbin/ifconfig
and then use one of those addresses instead. Also try to ping the address from your other computers - if that doesn't work then ftp has little chance of working either.
The vsftpd.conf documentation suggests that the default is to listen on all local addresses. You could try that by commenting out the listen_address line with a # at the start of the line, and then restart the vsftpd server process.
Do not confuse samba and vsftp. They are two separate server processes that use different protocols, port numbers and configuration files.
Beware of case sensitive options, the wrong case will not work. You wrote Listen but probably meant listen ;-)

Centos takes very long time to resolve local network nearby servers

I have a few CentOS 5.1 servers. Recently they have been taking a very long time to communicate with each other; it looks like for every request it checks the local server in public DNS. Is there any way to give an option in /etc/resolve.conf to disable DNS for some IP addresses?
Add the server names and their IP addresses to the file /etc/hosts, e.g.
10.0.0.100 server1 server1-alias
10.0.0.101 server2
and then make sure that you list the keyword files before the keyword dns for the hosts entry in /etc/nsswitch.conf, i.e. that file should have a line that looks something like this:
hosts: files dns
After that, any attempts to resolve hostnames or IP addresses will first consult the /etc/hosts file, and only if that is unsuccessful go on to do a DNS lookup.

Linux hostname resolution on a machine with multiple running interfaces

I have 4 running eth ports on my Linux machine (eth0 through eth3). So if I give the command host <hostname>, which eth port's IP address will be returned? How does Linux decide which eth port's IP address is returned?
Thanks,
LinuxPenseur
host does not look at your local IPs, it looks up the hostname based on the rules specified in /etc/nsswitch.conf
In nsswitch.conf you will typically have this entry:
hosts: files dns
This means that the resolver will first check /etc/hosts, if it cannot find anything there it'll check /etc/resolv.conf and ask the specified DNS servers for the IP, optionally appending the "search" and "domain" suffixes specified in resolv.conf
See http://www.faqs.org/docs/linux_network/x-087-2-resolv.library.html
What's your "primary" interface? That one is used.
http://ubuntuforums.org/archive/index.php/t-1120370.html
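Both this thread and the CentOS one above turn on the order of the hosts entry in /etc/nsswitch.conf. As an added example (not code from the original posts), this parses that entry, including glibc's bracketed actions such as [NOTFOUND=return], and reports the lookup order; the function names are constructed, and the miss model assumes every service reports NOTFOUND for the name.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

def hosts_lookup_plan(nsswitch_text):
    """Return [(service, {status: action})] parsed from the 'hosts:' line."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        plan = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if not tok.startswith("["):
                plan.append((tok.lower(), {}))
                continue
            if not plan:
                continue  # an action with no preceding service is ignored
            for item in tok.strip("[]").split():
                status, _, action = item.upper().partition("=")
                # "!UNAVAIL=return" applies the action to every other status
                targets = ([s for s in STATUSES if s != status[1:]]
                           if status.startswith("!") else [status])
                for s in targets:
                    plan[-1][1][s] = action.lower()
        return plan
    return []

def services_consulted_on_miss(nsswitch_text):
    """Services tried, in order, assuming each one reports NOTFOUND for the name."""
    tried = []
    for service, actions in hosts_lookup_plan(nsswitch_text):
        tried.append(service)
        if actions.get("NOTFOUND", "continue") == "return":
            break  # lookup stops here; later services are never asked
    return tried

def files_before_dns(nsswitch_text):
    """True when /etc/hosts ('files') is consulted before DNS."""
    order = [s for s, _ in hosts_lookup_plan(nsswitch_text)]
    if "files" not in order:
        return False
    return "dns" not in order or order.index("files") < order.index("dns")

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        text = fh.read()
    print(services_consulted_on_miss(text), files_before_dns(text))
```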
