Every day at a specific time there is a denial DNS traffic in tcpdump for this DNS traffic.
03:10:01.188267 IP hostname.21355 > h.root-servers.net.domain: 52619% [1au] NS? . (28)
03:10:01.188294 IP hostname.19992 > e.root-servers.net.domain: 33364% [1au] NS? . (28)
03:10:01.564808 IP hostname.27167 > e.root-servers.net.domain: 17614% [1au] NS? . (28)
03:10:01.564845 IP hostname.47993 > h.root-servers.net.domain: 39462% [1au] NS? . (28)
03:10:01.941076 IP hostname.33760 > j.root-servers.net.domain: 56169% [1au] NS? . (28)
03:10:01.941446 IP hostname.7920 > h.root-servers.net.domain: 54000% [1au] NS? . (28)
03:10:02.317699 IP hostname.4292 > j.root-servers.net.domain: 11824% [1au] NS? . (28)
03:10:02.694087 IP hostname.55797 > c.root-servers.net.domain: 20468% [1au] NS? . (28)
03:10:02.694383 IP hostname.29552 > h.root-servers.net.domain: 62991% [1au] NS? . (28)
03:10:03.070598 IP hostname.42961 > c.root-servers.net.domain: 47966% [1au] NS? . (28)
03:10:03.447014 IP hostname.23176 > d.root-servers.net.domain: 61501% [1au] NS? . (28)
03:10:03.447366 IP hostname.14098 > b-2016.b.root-servers.net.domain: 24736% [1au] NS? . (28)
But we could not find the source process even by scheduling continuous netstat -tulpne in a while loop without sleep. The connection is failing immediately and hence not captured in netstat I suppose. Even the PID is active only for a fraction of seconds.
Is there any way of finding the source process that initiates this connection?
These queries are called priming queries. They are used by DNS resolvers to update the list and IP addresses of the DNS root servers. You likely have a DNS server, such as BIND or Unbound, running which uses these queries to keep the cache updated.