Weird TCP connection to host6.diocesedesobral100anos.com

Hello! I need help.

When I run

lsof -a -p <pid_elasticsearch>

then I see the following lines:

java 22834 elasticsearch 158u IPv6 285317013 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40709 (ESTABLISHED)
java 22834 elasticsearch 159u IPv6 285317014 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40711 (ESTABLISHED)
java 22834 elasticsearch 160u IPv6 285317015 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40712 (ESTABLISHED)
java 22834 elasticsearch 161u IPv6 285317016 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40714 (ESTABLISHED)
java 22834 elasticsearch 162u IPv6 285317017 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40716 (ESTABLISHED)
java 22834 elasticsearch 163u IPv6 285317018 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40710 (ESTABLISHED)
java 22834 elasticsearch 164u IPv6 285317019 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40718 (ESTABLISHED)
java 22834 elasticsearch 165u IPv6 285317020 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40713 (ESTABLISHED)
java 22834 elasticsearch 166u IPv6 285317021 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40715 (ESTABLISHED)
java 22834 elasticsearch 167u IPv6 285317022 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40717 (ESTABLISHED)
java 22834 elasticsearch 168u IPv6 285317023 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40720 (ESTABLISHED)
java 22834 elasticsearch 169u IPv6 285317025 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40719 (ESTABLISHED)
java 22834 elasticsearch 170u IPv6 285317026 0t0 TCP cs24290:vrace->host6.diocesedesobral100anos.com:40721 (ESTABLISHED)
java 22834 elasticsearch 171u IPv6 285311847 0t0 TCP cs24290:42468->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 172u IPv6 285311848 0t0 TCP cs24290:42469->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 173u IPv6 285311850 0t0 TCP cs24290:42470->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 174u IPv6 285311851 0t0 TCP cs24290:42471->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 175u IPv6 285311852 0t0 TCP cs24290:42472->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 176u IPv6 285311853 0t0 TCP cs24290:42473->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 177u IPv6 285311854 0t0 TCP cs24290:42474->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 178u IPv6 285311855 0t0 TCP cs24290:42475->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 179u IPv6 285311856 0t0 TCP cs24290:42476->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 180u IPv6 285311857 0t0 TCP cs24290:42477->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 181u IPv6 285311858 0t0 TCP cs24290:42478->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 182u IPv6 285311859 0t0 TCP cs24290:42479->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)
java 22834 elasticsearch 183u IPv6 285311860 0t0 TCP cs24290:42480->host6.diocesedesobral100anos.com:vrace (ESTABLISHED)

Why do I see a connection to host6.diocesedesobral100anos.com? Do you know anything about it?

I suspect this is your DNS service giving a reverse DNS lookup that you do not recognize. Instead, you should run:

$ lsof -a -n -P -p <pid>

This will skip reverse DNS lookup and mapping of port numbers to port names. Then you can see the IP address of the machine that your Elasticsearch instance is connected to (btw, vrace maps to port 9300 so that's legitimate). From here, you probably have some investigation to do on your end to find out why reverse DNS lookup is mapping that IP address to a hostname that you do not recognize. Note that that name does not resolve for us:

17:19:49 [jason@totoro:~] $ nslookup host6.diocesedesobral100anos.com 
Server:		10.10.1.1
Address:	10.10.1.1#53

** server can't find host6.diocesedesobral100anos.com: NXDOMAIN

17:20:05 [jason@totoro:~] 1 $ 
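As an added illustration of the triage the answer above describes (this is example code, not something posted in the thread or shipped with Elasticsearch): parse the NAME column of `lsof -a -n -P -p <pid>` output, group connections by peer IP, flag peers that talk on something other than the Elasticsearch HTTP/transport ports, and for each peer do a forward-confirmed reverse DNS check, i.e. take the PTR name the resolver hands back and see whether that name resolves forward to the same IP. A name that comes back from a PTR lookup but gives NXDOMAIN on forward lookup (the situation in the thread) is exactly what this surfaces. The sample lsof lines, IP addresses, the fake resolver tables and the `EXPECTED_PORTS` set are constructed for the example; the lookups are injected so the script runs offline.

```python
"""Triage `lsof -n -P` output for an Elasticsearch process and check whether the
PTR name a resolver returns for each peer actually points back at that peer."""
import re
import socket
from collections import defaultdict

# Elasticsearch defaults: 9200 is the HTTP API, 9300 is node-to-node transport
# (the "vrace" service name in /etc/services). Assumption: adjust for your cluster.
EXPECTED_PORTS = {9200, 9300}

# NAME column of an established TCP line from `lsof -n -P`, e.g.
# "10.0.0.5:42468->10.0.0.7:9300 (ESTABLISHED)"; IPv6 ends look like "[fd00::9]:9300".
CONN_RE = re.compile(r"TCP (\S+)->(\S+) \((\w+)\)")

# Constructed sample output (not the thread's real data; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_LSOF = """\
COMMAND   PID          USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
java    22834 elasticsearch  158u  IPv6  285317013      0t0  TCP 10.0.0.5:9300->10.0.0.7:40709 (ESTABLISHED)
java    22834 elasticsearch  171u  IPv6  285311847      0t0  TCP 10.0.0.5:42468->10.0.0.7:9300 (ESTABLISHED)
java    22834 elasticsearch  190u  IPv6  285311900      0t0  TCP 10.0.0.5:42490->203.0.113.9:9300 (ESTABLISHED)
java    22834 elasticsearch  191u  IPv6  285311901      0t0  TCP [::]:9200 (LISTEN)
java    22834 elasticsearch  192u  IPv6  285311902      0t0  TCP [fd00::5]:9300->[fd00::9]:40800 (ESTABLISHED)
java    22834 elasticsearch  193u  IPv6  285311903      0t0  TCP 10.0.0.5:51234->198.51.100.4:8080 (ESTABLISHED)
"""

# Fake resolver tables so the check runs offline: one peer with a matching PTR/A pair,
# one whose PTR name does not resolve forward (as in the thread), two with no PTR at all.
FAKE_PTR = {"10.0.0.7": "es-node-2.internal.example",
            "203.0.113.9": "host6.diocesedesobral100anos.com"}
FAKE_A = {"es-node-2.internal.example": ["10.0.0.7"]}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


def split_endpoint(endpoint):
    """'10.0.0.5:9300' -> ('10.0.0.5', 9300); '[::1]:9300' -> ('::1', 9300)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_lsof_connections(text):
    """One dict per TCP connection line; LISTEN sockets and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        local_ip, local_port = split_endpoint(m.group(1))
        remote_ip, remote_port = split_endpoint(m.group(2))
        conns.append({"local_ip": local_ip, "local_port": local_port,
                      "remote_ip": remote_ip, "remote_port": remote_port,
                      "state": m.group(3)})
    return conns


def check_fcrdns(ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS. Returns (ptr_name, status) with status one of
    'confirmed', 'no_ptr', 'ptr_nxdomain', 'mismatch'. With reverse/forward left as
    None the system resolver is used."""
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: sorted({a[4][0] for a in socket.getaddrinfo(name, None)}))
    try:
        name = reverse(ip)
    except OSError:            # socket.herror / gaierror are OSError subclasses
        return None, "no_ptr"
    try:
        addrs = forward(name)
    except OSError:
        return name, "ptr_nxdomain"
    return name, ("confirmed" if ip in addrs else "mismatch")


def triage(text, reverse=fake_reverse, forward=fake_forward, expected_ports=EXPECTED_PORTS):
    """Per peer IP: connection count, ports in use, whether any connection avoids the
    expected Elasticsearch ports on both ends, and the FCrDNS verdict for the peer."""
    by_peer = defaultdict(list)
    for c in parse_lsof_connections(text):
        by_peer[c["remote_ip"]].append(c)
    report = {}
    for ip, cs in by_peer.items():
        ptr, status = check_fcrdns(ip, reverse, forward)
        report[ip] = {
            "connections": len(cs),
            "local_ports": sorted({c["local_port"] for c in cs}),
            "remote_ports": sorted({c["remote_port"] for c in cs}),
            "unexpected_port": any(c["local_port"] not in expected_ports
                                   and c["remote_port"] not in expected_ports for c in cs),
            "ptr": ptr,
            "fcrdns": status,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LSOF).items():
        print(ip, info)
```

Against real output, run `lsof -a -n -P -p <pid> > es.lsof` on the node and call `triage(open("es.lsof").read(), reverse=None, forward=None)` so the system resolver is used; a peer reported as `ptr_nxdomain` or `mismatch` is the one whose PTR record needs checking with whoever controls the reverse zone, while `unexpected_port` highlights traffic that is not Elasticsearch HTTP or transport at all.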

Thank you for the fast answer! I will be investigating. BTW, in my case:

nslookup host6.diocesedesobral100anos.com
Server: 188.93.16.19
Address: 188.93.16.19#53

** server can't find host6.diocesedesobral100anos.com: NXDOMAIN

Did you run that from the server where Elasticsearch is running and lsof is giving you that output? Either way, the course of action is still to run lsof without doing reverse name lookups so that you can see the offending IP address.

Thank you for your help and assistance! The cause was a PTR record on my hosting provider's side.

You're welcome.
