
I noticed my Linux machine makes many DNS queries for a specific domain (subdomain) malicious.foo.bar

How can I find out which application or process tries to resolve this domain?

I also want to see the exact URL this process is requesting (for example https://malicious.foo.bar/baz.php) and some details of the requests to see the payload.

What steps should I follow to achieve it?

Łukasz D. Tulikowski
  • Have a look at this Q&A. Log DNS requests for the host name, HTTP requests for the "exact URL". If you are mainly interested in HTTP requests (because DNS requests don't "request a URL"), also consider a transparent MITM proxy (google). – dirkt Mar 18 '22 at 09:25

1 Answer


Since no one else has answered, here are some thoughts.

DNS resolution from client processes indirects through /etc/resolv.conf. Typically this will have either a loopback IP address or the direct IP addresses of your resolvers.

Add a logging entry in iptables for outbound or loopback traffic (as appropriate) that captures the process id of the caller.

You can then follow the kernel log file and use the information to determine the actual process.


Chris Davies
  • Can I do it in a more robust way? This solution requires installing iptables. What if I know DNS queries use port :53 - can I get the process using tools like tcpdump and grep? – Łukasz D. Tulikowski Mar 19 '22 at 21:32
  • I know of no way to get the PID information using a passive sniffer such as tshark/tcpdump. (That doesn't mean it's not possible; just that I don't know if and how.) On the other hand I know it is possible with an iptables logging rule. Are you sure you need to install iptables and it or its successor nftables isn't already installed? – Chris Davies Mar 19 '22 at 23:31
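The iptables logging approach from the answer, worked through as an added example (this is not code from the original answer or its author). The LOG target's `--log-uid` option records the UID/GID of the local process that generated the packet, but the log line carries no DNS name, so the example goes one step beyond the answer: it joins the kernel log lines with tcpdump's view of the same queries on the ephemeral UDP source port, which both record, and then narrows the UID to candidate processes via /proc. The kernel log lines and tcpdump lines below are constructed samples with made-up addresses and ports; the rule itself must be installed as root on the host.

```python
import re

# Rule the answer describes. Requires root. --log-uid makes the kernel LOG
# target append "UID=<n> GID=<n>" for locally generated packets.
IPTABLES_RULE = (
    'iptables -I OUTPUT -p udp --dport 53 '
    '-j LOG --log-prefix "DNSQ " --log-uid'
)

# Constructed sample of what `journalctl -k -f` shows once the rule is active.
KERNEL_LOG = """\
Mar 19 21:40:01 host kernel: DNSQ IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=41233 DPT=53 LEN=44 UID=1000 GID=1000
Mar 19 21:40:02 host kernel: DNSQ IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=UDP SPT=55017 DPT=53 LEN=37 UID=33 GID=33
"""

# Constructed sample of `tcpdump -n udp port 53` output for the same two queries.
TCPDUMP = """\
21:40:01.120041 IP 192.0.2.10.41233 > 192.0.2.1.53: 4321+ A? malicious.foo.bar. (36)
21:40:02.330912 IP 192.0.2.10.55017 > 192.0.2.1.53: 4322+ A? example.com. (29)
"""

KERN_RE = re.compile(r"DNSQ .*?\bSPT=(\d+) DPT=53 .*?\bUID=(\d+) GID=(\d+)")
DUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+\.53: \d+\+? (\w+)\? (\S+)\. \(\d+\)"
)


def parse_kernel_log(text):
    """Map UDP source port -> UID/GID of the process that sent the query."""
    owners = {}
    for line in text.splitlines():
        m = KERN_RE.search(line)
        if m:
            owners[int(m.group(1))] = {"uid": int(m.group(2)), "gid": int(m.group(3))}
    return owners


def parse_tcpdump(text):
    """Extract source port, query type and query name from tcpdump DNS lines."""
    queries = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            queries.append({"sport": int(m.group(2)), "qtype": m.group(3),
                            "qname": m.group(4)})
    return queries


def correlate(owners, queries):
    """Join both views on the ephemeral source port they share."""
    joined = []
    for q in queries:
        owner = owners.get(q["sport"])
        if owner is None:
            continue  # seen on the wire but not logged (e.g. rule not yet active)
        joined.append({**q, **owner})
    return joined


def queries_for(domain, joined):
    """UIDs that resolved `domain` itself or any of its subdomains."""
    return sorted({j["uid"] for j in joined
                   if j["qname"] == domain or j["qname"].endswith("." + domain)})


def processes_owned_by(uid, proc="/proc"):
    """(pid, comm) of processes running as `uid`, read from /proc/<pid>/status.
    Linux only; narrows a logged UID down to candidate processes."""
    import os
    found = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/status") as fh:
                fields = dict(l.split(":\t", 1) for l in fh if ":\t" in l)
            if int(fields["Uid"].split()[0]) == uid:
                found.append((int(pid), fields["Name"].strip()))
        except (OSError, KeyError, ValueError):
            continue  # process exited or status unreadable
    return found


if __name__ == "__main__":
    print("install with:", IPTABLES_RULE)
    hits = correlate(parse_kernel_log(KERNEL_LOG), parse_tcpdump(TCPDUMP))
    for h in hits:
        print(f"{h['qname']:<25} {h['qtype']:<5} uid={h['uid']} sport={h['sport']}")
    for uid in queries_for("foo.bar", hits):
        print(f"uid {uid} candidate processes:", processes_owned_by(uid))
```

Two caveats when using this on a real host. If /etc/resolv.conf points at a local stub (the loopback case the answer mentions), the OUTPUT chain still logs the application's query to the stub, with `OUT=lo`, and that line carries the application's UID; the stub's own upstream query will show the stub's UID instead. DNS over TCP (large answers, or resolvers configured for TCP) needs a second rule with `-p tcp --dport 53`, and the tcpdump filter `port 53` already covers both.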