Find short-lived UDP requests (e.g. DNS requests) with auditd

Consider the following situation. You need to change the address of your internal DNS server, so you have to update /etc/resolv.conf on all your Linux boxes. Not every service running on a box will necessarily pick up this change. Oracle is a good example: you have to restart the database after such a change, because Oracle loads the DNS information once, when the database is started. Oracle will therefore keep querying your old DNS server IP until you restart the database.

There are several ways to find out which process is still querying your old DNS server. Here I will explain how to use auditd on Red Hat derivatives to find short-lived DNS requests sent via UDP.
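As an added illustration (not code from the original post), the following Python sketch correlates raw audit.log SYSCALL and SOCKADDR records to list the executables that connected to the old DNS server on port 53. It assumes a rule such as `auditctl -a always,exit -F arch=b64 -S connect -k dns_lookup` is loaded on an x86_64 host; the key name, the IP addresses, the Oracle path and the sample log lines are constructed.

```python
import re
import socket
import struct
from collections import defaultdict

OLD_DNS = "192.0.2.53"  # constructed placeholder for the retired DNS server

# Constructed sample in raw /var/log/audit/audit.log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=yes exit=0 pid=2314 comm="oracle" exe="/u01/app/oracle/bin/oracle" key="dns_lookup"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=02000035C00002350000000000000000
type=SYSCALL msg=audit(1700000001.202:502): arch=c000003e syscall=42 success=yes exit=0 pid=2401 comm="curl" exe="/usr/bin/curl" key="dns_lookup"
type=SOCKADDR msg=audit(1700000001.202:502): saddr=02000035C63364350000000000000000
type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=42 success=no exit=-2 pid=2401 comm="curl" exe="/usr/bin/curl" key="dns_lookup"
type=SOCKADDR msg=audit(1700000002.303:503): saddr=01002F7661722F72756E2F6E7363642F736F636B657400
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Return (ip, port) for an AF_INET saddr field, else None."""
    try:
        raw = bytes.fromhex(hex_saddr)
    except ValueError:  # e.g. output already interpreted by `ausearch -i`
        return None
    if len(raw) < 8:
        return None
    # sa_family is stored in the audited host's byte order (little-endian on x86_64).
    if struct.unpack_from("<H", raw, 0)[0] != socket.AF_INET:
        return None  # AF_UNIX (nscd socket), AF_INET6, ...
    port = struct.unpack_from("!H", raw, 2)[0]  # port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def processes_querying(log_text, dns_ip, port=53):
    """Map exe path -> set of pids that called connect() to dns_ip:port."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # records sharing one timestamp:serial belong to the same event
            events[m.group(1)].update(
                (k, v.strip('"')) for k, v in FIELD.findall(line))
    hits = defaultdict(set)
    for ev in events.values():
        if "exe" in ev and decode_saddr(ev.get("saddr", "")) == (dns_ip, port):
            hits[ev["exe"]].add(int(ev["pid"]))
    return dict(hits)

if __name__ == "__main__":
    print(processes_querying(SAMPLE_LOG, OLD_DNS))
```

Because the rule records the connect() call itself, the process is identified even if it exits before tools such as netstat or ss could be run.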