How are domains being resolved?

Thu 23 October 2014 by admin

Not long ago I was doing some cleanup work on the static entries in /etc/hosts. I was wondering how many of these static entries are actively used. To find out I started digging, but without much luck. Tools like strace and ltrace don't give me a clear view of which addresses are taken from /etc/hosts or which shared-library function was used to resolve a domain name. So the next step was dynamic tracing at the userspace level with SystemTap. I know that the name resolution mechanism is provided by NSS, so I grabbed the functions related to /etc/hosts from /lib64/ (CentOS 7). I didn't know exactly which functions I was looking for; I only knew that the name should contain gethost, so:

# strings /lib64/  | grep -i gethost

Now I should confirm that by writing a simple script in SystemTap:

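global domains

probe begin {
}

# Fires when any _nss_files_gethostbyname* function returns.
probe process("/lib64/").function("_nss_files_gethostbyname*").return {
        # 0x1 means the name was found in /etc/hosts
        if ($$return == "return=0x1") {
                domains[user_string($name)]++
                printf("%s - %s\n", execname(), user_string($name))
        }
}

# Print per-hostname totals on exit (Ctrl+C).
probe end {
        foreach (var in domains) {
                printf("\n%s %d\n", var, domains[var])
        }
}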

This means that I trace every process that loads the libnss_files shared library and calls a _nss_files_gethostbyname* function in it. I only care about the return value of these functions: a return of 0x1 means that the domain record was found in /etc/hosts, so I count it and at the end (Ctrl+C) show some stats. Here is how it looks:

# stap hostscounter.stap
curl - localhost
localhost 1

Simple and beautiful ;)
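
To get back to the cleanup question, the trace output can be compared against /etc/hosts to list lines whose names were never resolved. This is an added example, not part of the original post; the function names and the sample hosts and trace text are constructed, and it assumes the "execname - name" line format printed by the script above.

```python
from collections import Counter

# Constructed sample data (not from a real system).
HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost ip6-localhost
10.0.0.5    db01.example.internal db01   # constructed entry
10.0.0.9    Legacy-App.example.internal
"""
TRACE = """\
curl - localhost
psql - DB01
curl - localhost

localhost 2

DB01 1
"""

def parse_hosts(text):
    """Return (line number, address, [lowercased names]) per hosts-file entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) >= 2:                     # skip blank lines and bare addresses
            entries.append((lineno, fields[0], [n.lower() for n in fields[1:]]))
    return entries

def parse_trace(text):
    """Count hits per name from the live 'execname - name' lines only."""
    hits = Counter()
    for line in text.splitlines():
        _proc, sep, name = line.rpartition(" - ")
        if sep and name.strip():                 # summary lines have no ' - ' and are skipped
            hits[name.strip().lower()] += 1      # host names compare case-insensitively
    return hits

def stale_entries(hosts_text, trace_text):
    """Entries where neither the canonical name nor any alias was ever resolved."""
    hits = parse_trace(trace_text)
    return [e for e in parse_hosts(hosts_text) if not any(n in hits for n in e[2])]

if __name__ == "__main__":
    for lineno, addr, names in stale_entries(HOSTS, TRACE):
        print(f"line {lineno}: {addr} {' '.join(names)} was never resolved")
```

An entry counts as unused only for the window in which the trace ran, so names resolved by weekly or monthly jobs will look stale after a short capture.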