James
2015-Feb-26 16:44 UTC
[Samba] How to trace a DNS query back to workstation or application
Hello,
Looking through my samba logs I'm seeing entries such as this
[2015/02/26 11:39:33.527590, 2, pid=1184, effective(0, 0), real(0, 0)]
../source4/dns_server/dns_query.c:629(dns_server_process_query_send)
Not authoritative for 'searchclient.live.net', forwarding
This will repeat several times a second for hours. How can I trace this
back to a workstation or application short of using Wireshark? I'm
currently using Samba 4.1.17 with the internal DNS. Thanks.
--
-James
Andrew Bartlett
2015-Mar-01 02:51 UTC
[Samba] How to trace a DNS query back to workstation or application
On Thu, 2015-02-26 at 11:44 -0500, James wrote:
> Hello,
>
> Looking through my samba logs I'm seeing entries such as this
>
> [2015/02/26 11:39:33.527590, 2, pid=1184, effective(0, 0), real(0, 0)]
> ../source4/dns_server/dns_query.c:629(dns_server_process_query_send)
> Not authoritative for 'searchclient.live.net', forwarding
>
> This will repeat several times a second for hours. How can I trace this
> back to a workstation or application short of using Wireshark? I'm
> currently using Samba 4.1.17 with the internal DNS. Thanks.
>
Better would be to write up a patch to change that to a level 5 or so
debug, it is entirely routine (sounds like IE's search box) and isn't
the kind of thing that belongs even at level 2.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
James
2015-Mar-02 01:57 UTC
[Samba] How to trace a DNS query back to workstation or application
Andrew,
Thanks for the reply. I attempted different log level values in
hopes it would provide a source. It didn't as far as I could tell. I
ended up just using Wireshark and tracing it. It was related to Internet
Explorer and Bing Bar.
On 2/28/2015 9:51 PM, Andrew Bartlett wrote:
> On Thu, 2015-02-26 at 11:44 -0500, James wrote:
>> Hello,
>>
>> Looking through my samba logs I'm seeing entries such as this
>>
>> [2015/02/26 11:39:33.527590, 2, pid=1184, effective(0, 0), real(0, 0)]
>> ../source4/dns_server/dns_query.c:629(dns_server_process_query_send)
>> Not authoritative for 'searchclient.live.net', forwarding
>>
>> This will repeat several times a second for hours. How can I trace this
>> back to a workstation or application short of using Wireshark? I'm
>> currently using Samba 4.1.17 with the internal DNS. Thanks.
>>
> Better would be to write up a patch to change that to a level 5 or so
> debug, it is entirely routine (sounds like IE's search box) and isn't
> the kind of thing that belongs even at level 2.
>
> Andrew Bartlett
>
--
-James
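As the thread shows, the Samba log line names the forwarded query but not the client that asked for it, so the source has to come from a capture. The following is an added example, not part of the original thread and not Samba code: it tallies which client IPs asked for a given name from the text output of `tcpdump -n` on the DC. The sample lines, IP addresses and the function name `clients_for_name` are constructed for illustration.

```python
import re
from collections import Counter

# Matches one DNS *query* line from `tcpdump -n -l -i any udp port 53`, e.g.
# 11:39:33.527590 IP 192.168.1.50.51234 > 192.168.1.10.53: 4242+ A? name. (39)
# Responses are skipped because their destination port is not 53.
QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.53: "
    r"\d+[+%]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+?)\.? \(\d+\)"
)

def clients_for_name(lines, name, server_ips=()):
    """Count queries for `name` per source IP.

    server_ips: addresses of the DNS server itself. Because the server
    forwards names it is not authoritative for, its own upstream queries
    appear in the same capture and must not be mistaken for a client.
    """
    wanted = name.rstrip(".").lower()
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["src"] in server_ips:
            continue
        if m["qname"].lower() == wanted:  # DNS names are case-insensitive
            counts[m["src"]] += 1
    return counts

# Constructed sample capture: client query, server forward, two responses,
# a second client query with an EDNS option, and an unrelated query.
SAMPLE = """\
11:39:33.527590 IP 192.168.1.50.51234 > 192.168.1.10.53: 4242+ A? searchclient.live.net. (39)
11:39:33.527901 IP 192.168.1.10.40000 > 203.0.113.53.53: 9001+ A? searchclient.live.net. (39)
11:39:33.560112 IP 203.0.113.53.53 > 192.168.1.10.40000: 9001 1/0/0 A 198.51.100.7 (55)
11:39:33.560400 IP 192.168.1.10.53 > 192.168.1.50.51234: 4242 1/0/0 A 198.51.100.7 (55)
11:39:33.801000 IP 192.168.1.50.51240 > 192.168.1.10.53: 4243+ [1au] AAAA? SearchClient.live.net. (50)
11:39:34.120000 IP 192.168.1.77.60111 > 192.168.1.10.53: 777+ A? dc1.example.test. (34)
""".splitlines()

if __name__ == "__main__":
    hits = clients_for_name(SAMPLE, "searchclient.live.net", {"192.168.1.10"})
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} queries")
```

This identifies the workstation only; finding the responsible application still requires looking on that host.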