Finding short-lived UDP requests (e.g. DNS requests) with auditd

Think about the following situation. You need to change the address of your internal DNS server and therefore have to modify /etc/resolv.conf on all your Linux boxes. Not every service running on a box will pick up this change. Oracle is a good example: the database loads the DNS information once at startup, so it keeps querying the old DNS server IP until you restart the database.

There are several ways to find out which process is still querying your old DNS server. Here I will explain how to use auditd on Red Hat derivatives to catch short-lived DNS requests sent via UDP. First you need to install auditd and enable the service:

Then you need to write the following auditd rule:

To test your auditd rule you can run either a

or a

Hint: Replace OLD-DNS-SERVER-IP with the IP address of your old DNS server. Afterwards you can search the audit log as follows:

This command shows you the following entries:

To get more details about the process that tries to reach the old DNS server, search for the specific message ID:

This gives you the following output:

Here you can see that the command /usr/bin/dig sent a request to saddr=HEX-CODE-OF-YOUR-OLD-DNS-SERVER-IP, where saddr is the hex-encoded socket address (family, port and IP) of your old DNS server.
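Decoding that saddr field by hand is error-prone, so here is an added example (not part of the original post) that turns the hex-encoded sockaddr of SOCKADDR records into family, IP and port, and lists the audit event IDs of all records aimed at a given DNS server IP. The sample records are constructed and the family values assume Linux (AF_INET = 2, AF_INET6 = 10).

```python
import ipaddress
import re
import struct

# Constructed sample lines in the style of auditd SOCKADDR records (not from a real system):
# 1) AF_INET 192.168.0.1:53, 2) AF_INET6 [2001:db8::53]:53, 3) AF_UNIX /var/run/nscd/socket
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(1700000000.123:4242): saddr=02000035C0A800010000000000000000",
    "type=SOCKADDR msg=audit(1700000001.456:4243): saddr=0A0000350000000020010db8000000000000000000000053"
    "00000000",
    "type=SOCKADDR msg=audit(1700000002.789:4244): saddr=01002F7661722F72756E2F6E7363642F736F636B6574",
]

AF_INET, AF_INET6 = 2, 10   # Linux values; assumed, not taken from the original post

MSG_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
SADDR_RE = re.compile(r"saddr=([0-9A-Fa-f]+)")


def decode_saddr(hex_saddr: str) -> dict:
    """Decode the raw sockaddr bytes auditd logs in the saddr= field."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family is stored in host byte order (little-endian on x86); the port is network order.
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:                      # struct sockaddr_in: family, port, 4-byte address
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": family, "ip": str(ipaddress.IPv4Address(raw[4:8])), "port": port}
    if family == AF_INET6:                     # struct sockaddr_in6: family, port, flowinfo, 16-byte address
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": family, "ip": str(ipaddress.IPv6Address(raw[8:24])), "port": port}
    return {"family": family, "ip": None, "port": None}   # e.g. AF_UNIX: nothing to resolve


def find_requests_to(records, old_dns_ip: str, port: int = 53) -> list:
    """Return the audit event IDs of SOCKADDR records that target old_dns_ip:port."""
    target = ipaddress.ip_address(old_dns_ip)
    hits = []
    for line in records:
        m_id, m_saddr = MSG_RE.search(line), SADDR_RE.search(line)
        if not (m_id and m_saddr):
            continue
        decoded = decode_saddr(m_saddr.group(1))
        if decoded["ip"] is not None and ipaddress.ip_address(decoded["ip"]) == target \
                and decoded["port"] == port:
            hits.append(m_id.group(1))      # event ID, the value you look up next
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(decode_saddr(SADDR_RE.search(rec).group(1)))
    print(find_requests_to(SAMPLE_RECORDS, "192.168.0.1"))
```

Feed the event IDs it returns into the message-ID search described above to see which process was behind each request.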

Once you have identified the processes that query your old DNS server, remove the auditd rule again to reduce the volume of audit logs: