Re: Identifying source of IP connections
You could set up an iptrace on each of your boxes against the IP of that Windows
DNS server to see if your box is directly accessing it. Kind of the giant net
approach.
DNS logging is typically done at the server, not the client.

You might get some information from enabling debug in resolv.conf, but I have
not done that before.
Mark Hunter
Anheuser-Busch Cos.
Infrastructure Consultant, ES&SO Server Planning and Integration
*Office: (314) 765-2339
*Email: Mark.Hunter@xxxxxxxxxxxxxxxxxx

The information transmitted (including attachments) is covered by the Electronic
Communications Privacy Act, 18 U.S.C. 2510-2521, is intended only for the
person(s) or entity/entities to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of, or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient(s) is
prohibited. If you received this in error, please contact the sender and delete
the material from any computer.
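An added example, not from the thread, of the capture-and-summarise step Mark describes: given one-line packet summaries of the kind tcpdump prints (iptrace's own output format would need a different parser), it lists which local hosts send traffic to the old server and whether all of it is on port 53. The capture lines and the old-server address 192.0.2.10 are constructed placeholders.

```python
"""Summarise which local hosts talk to a decommissioned DNS server, from
tcpdump-style one-line packet summaries. Added example, not list code;
the capture below is constructed and 192.0.2.10 is a placeholder IP."""
import re
from collections import Counter

# Constructed sample in tcpdump's default "src.port > dst.port:" layout.
SAMPLE_CAPTURE = """\
10:22:01.1 IP 10.0.1.11.41234 > 192.0.2.10.53: 12345+ A? sapdb.old.example. (35)
10:22:01.2 IP 192.0.2.10.53 > 10.0.1.11.41234: 12345 NXDomain 0/1/0 (110)
10:22:03.4 IP 10.0.1.12.55000 > 192.0.2.20.53: 777+ A? oracle.new.example. (36)
10:22:05.9 IP 10.0.1.11.41235 > 192.0.2.10.53: 12346+ A? tsm01.old.example. (35)
10:22:07.0 IP 10.0.1.13.50010 > 192.0.2.10.445: Flags [S], seq 1, win 65535
"""

PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def connections_to(capture: str, server_ip: str) -> dict:
    """Return {(src_ip, dst_port): packet_count} for packets sent to server_ip.
    Replies coming back from the server are not counted, so every key is a
    local host initiating traffic towards the old server."""
    counts = Counter()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if m and m.group("dst") == server_ip:
            counts[(m.group("src"), int(m.group("dport")))] += 1
    return dict(counts)


def is_dns_only(summary: dict) -> bool:
    """True when every flow to the server is on port 53, i.e. the traffic
    is consistent with the claim that it is DNS requests."""
    return all(port == 53 for _, port in summary)


if __name__ == "__main__":
    summary = connections_to(SAMPLE_CAPTURE, "192.0.2.10")
    for (src, port), n in sorted(summary.items()):
        print(f"{src:<15} -> port {port:<5} {n} packet(s)")
    print("DNS only:", is_dns_only(summary))
```

On the sample, 10.0.1.11 shows up as a DNS client of the old server while 10.0.1.13 is talking to it on port 445, so the "it is DNS" claim would be only partly right.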
________________________________

From: IBM AIX Discussion List [mailto:aix-l@xxxxxxxxxxxxx] On Behalf Of Green,
Simon
Sent: Thursday, July 03, 2008 11:22 AM
To: aix-l@xxxxxxxxxxxxx
Subject: Identifying source of IP connections


We've recently changed our DNS servers, as a result of changing domain names.
I've updated /etc/resolv.conf accordingly, but folk are telling me that some of
my servers are still sending requests to one of the old servers.

I can't see any pattern in the servers which are accessing the old DNS server
and those which aren't.
All my servers are running AIX 5.2; TL07, I think. A range of different
applications, including SAP, Oracle and TSM.


Is there any way that DNS requests could be going to this server, despite what's
in resolv.conf? What about recursive requests? The search parameter did list
an old domain which we no longer used, but which would have been resolved by the
old server. Could a request to resolve an unknown name - perhaps a typo - get
forwarded from one of the new DNS servers to the old one because of that search
term?

At the moment, I only have these other folks' word that these are DNS requests:
that may be an assumption on their part. Perhaps it's something else. What
would be the easiest way of identifying any connections between my servers and
this DNS server (some Windows box in another country)?


Any suggestions welcomed.

Simon Green
