How are domains being resolved?

Thu 23 October 2014 by admin

Not long ago I was doing some cleanup work on static entries in /etc/hosts, and I wondered how many of them were actively used. I started digging to find out, but without much luck. Tools like strace and ltrace didn't give me a clear view of which addresses were taken from /etc/hosts or which shared-library function was used to resolve a domain name. So the next step was dynamic tracing at the userspace level with SystemTap. I knew that the name resolution mechanism is provided by NSS, so I looked for the functions in /lib64/libnss_files-2.17.so (CentOS 7) related to /etc/hosts. I didn't know exactly which functions I was looking for, only that their names should contain gethost, so:

# strings /lib64/libnss_files-2.17.so  | grep -i gethost
_nss_files_gethostent_r
_nss_files_gethostbyaddr_r
_nss_files_gethostbyname3_r
_nss_files_gethostbyname_r
_nss_files_gethostbyname2_r
_nss_files_gethostbyname4_r
_nss_files_gethostton_r

Now I should confirm that by writing a simple SystemTap script:

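# Names found in /etc/hosts, with a hit count for each
global domains
probe begin {
        printf("started...\n")
}
# Fires on return from every function matching _nss_files_gethostbyname*
probe process("/lib64/libnss_files-2.17.so").function("_nss_files_gethostbyname*").return {

        # 0x1 is NSS_STATUS_SUCCESS: the name was found in /etc/hosts
        if ($$return == "return=0x1") {
                domains[user_string($name)] ++
                printf("%s - %s\n",execname(),user_string($name))
        }

}
# On exit (Ctrl+C), print each name with its hit count
probe end {
        foreach (var in domains) {
                printf("\n%s %d\n",var,domains[var])
        }
}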

This means that I trace every process that loads the libnss_files shared library and calls one of the _nss_files_gethostbyname* functions in it. I only care about the return value of these functions: a return of 0x1 means that the domain record was found in /etc/hosts, so I count it and at the end (Ctrl+C) show some stats. Here is how it looks:

# stap hostscounter.stap
started...
curl - localhost
^C
localhost 1

Simple and beautiful ;)
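
To close the loop on the cleanup that motivated this, here is an added example (not part of the original post) that compares the per-lookup lines printed by the script against a hosts file and lists the lines that were never hit. The sample hosts file, the sample trace and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs (not taken from the original post).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost
10.0.0.5    db01.example.internal db01   # primary database
10.0.0.9    legacy-app.example.internal
# 10.0.0.7  retired.example.internal
"""
SAMPLE_TRACE = """\
started...
curl - localhost
php-fpm - DB01
curl - localhost
^C
"""

# Per-lookup line printed by the probe: "<execname> - <name>"
TRACE_LINE = re.compile(r"^(.+) - (\S+)$")

def parse_hosts(text):
    """Return [(address, [lowercased names])] for each active hosts line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split on blanks
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries

def count_hits(trace_text):
    """Count successful lookups per name, compared case-insensitively."""
    hits = Counter()
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            hits[m.group(2).lower()] += 1
    return hits

def unused_entries(hosts_text, trace_text):
    """Hosts lines for which no canonical name or alias was looked up."""
    hits = count_hits(trace_text)
    return [(addr, names) for addr, names in parse_hosts(hosts_text)
            if not any(n in hits for n in names)]

if __name__ == "__main__":
    for addr, names in unused_entries(SAMPLE_HOSTS, SAMPLE_TRACE):
        print("no lookup seen:", addr, " ".join(names))
```

A line listed here was only unused during the tracing window; lookups answered from a cache such as nscd, or made by programs that read /etc/hosts without going through libnss_files, never reach the probe.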

