From owner-freebsd-questions Sat Sep 13 17:20:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA08129 for questions-outgoing; Sat, 13 Sep 1997 17:20:35 -0700 (PDT)
Received: from freebie.lemis.com (gregl1.lnk.telstra.net [139.130.136.133]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA08122 for ; Sat, 13 Sep 1997 17:20:30 -0700 (PDT)
Received: (from grog@localhost) by freebie.lemis.com (8.8.7/8.8.5) id JAA24903; Sun, 14 Sep 1997 09:50:19 +0930 (CST)
Message-ID: <19970914095018.34672@lemis.com>
Date: Sun, 14 Sep 1997 09:50:18 +0930
From: Greg Lehey
To: pcoyne@br-inc.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: DNS request from unknown process.
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81e
In-Reply-To: ; from pcoyne@br-inc.com on Fri, Sep 12, 1997 at 02:35:21PM -0600
Organisation: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8250
Fax: +61-8-8388-8250
Mobile: +61-41-739-7062
WWW-Home-Page: http://www.lemis.com/~grog
Fight-Spam-Now: http://www.cauce.org
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, Sep 12, 1997 at 02:35:21PM -0600, pcoyne@br-inc.com wrote:
> I have a problem with a client machines asking my DNS server for an invalid
> (the machine name doesn't exist in DNS, nor should it) fully qualified
> hostname. The request comes several times a second, any pointers as to
> what processes on the client machines I should check first?
>
>
> I have grep'ed /etc for the culprit's config files but to no avail, is
> there a way to monitor on the client what process is making the call?

Hmm. This isn't easy. Do you know which client machine is involved?
If it's coming several times a second, you should see some activity
from the process in question (use top); at the same time, use tcpdump
to monitor the DNS activity (tcpdump port domain). If you then suspend
the suspect process, you should then be able to confirm whether you're
looking at the right process by the drop in DNS activity.

Greg
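
The suspend-and-compare check described in the reply above, as an added example that is not part of the original message: it counts queries for one name in tcpdump output before and while a suspect process is stopped. The function names, the name bogus.example.com, the sample capture lines and the "drop to a quarter or less" threshold are assumptions; the live path needs root and a timeout(1) utility.

```sh
#!/bin/sh
# Added example: does suspending a suspect process stop the stray DNS queries?

# Constructed sample of `tcpdump -n port domain` output (documentation addresses).
sample_capture() {
    cat <<'EOF'
09:50:18.101 IP 192.0.2.10.1031 > 192.0.2.53.53: 4711+ A? bogus.example.com. (35)
09:50:18.102 IP 192.0.2.53.53 > 192.0.2.10.1031: 4711 NXDomain 0/1/0 (95)
09:50:18.350 IP 192.0.2.10.1032 > 192.0.2.53.53: 4712+ A? bogus.example.com. (35)
09:50:18.600 IP 192.0.2.10.1033 > 192.0.2.53.53: 4713+ A? www.example.org. (33)
09:50:18.850 IP 192.0.2.10.1034 > 192.0.2.53.53: 4714+ A? bogus.example.com. (35)
EOF
}

# Count query lines for name $1 in tcpdump text read from stdin.
# Responses carry no "? name." field in this output, so only queries match.
count_queries() {
    grep -F -c -- "? $1. " || true
}

# Capture for $2 seconds and count queries for name $1 (live, needs root).
# -n stops tcpdump from generating DNS lookups of its own; -l line-buffers.
sample_window() {
    timeout "$2" tcpdump -l -n port domain 2>/dev/null | count_queries "$1"
}

# "likely" if the count while stopped fell to a quarter or less (assumed threshold).
verdict() {
    if [ "$1" -gt 0 ] && [ $(( $2 * 4 )) -le "$1" ]; then
        echo likely
    else
        echo unlikely
    fi
}

# Measure, stop pid $1, measure again, resume it, report. $2 = name, $3 = seconds.
probe_pid() {
    before=$(sample_window "$2" "$3")
    kill -STOP "$1" || return 2
    during=$(sample_window "$2" "$3")
    kill -CONT "$1"
    echo "before=$before stopped=$during $(verdict "$before" "$during")"
}

# With PID NAME SECONDS run the live check; otherwise count in the sample.
if [ "$#" -eq 3 ]; then
    probe_pid "$1" "$2" "$3"
else
    sample_capture | count_queries bogus.example.com
fi
```

Repeat the live check for each candidate that top shows as busy; a process that does not respond to SIGSTOP, or queries issued by the kernel or a resolver daemon on its behalf, will not show the drop.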