Actions
Feature #1439
closedRelation between CNAME and A records in DNS
Effort:
Difficulty:
Label:
Description
Now the CNAME and A records are stored as separate events, and we won't know the cname of which domain. It would be great if this could be tracked. Guess this holds true for MX records as well.
Updated by David Cannings almost 9 years ago
- Assignee set to David Cannings
Can you take a look at the changes in version 2.1beta4 and see if they address your feature?
For an example see below. I looked up www.geocities.com, which is a cname for geocities.com. The DNS server supplied additional RRs in the response which included the A record. All of them can be tied together by the same DNS transaction ID and also the chain of rrname -> rdata -> rrname -> rdata.
For example in the EVE log below we see:
- rrname: www.geocities.com, rdata: geocities.com (rrtype CNAME)
- rrname: geocities.com, rdata: 98.137.201.117 (rrtype A)
{"timestamp":"2015-02-24T16:53:49.699135+0000","flow_id":21513856,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.40.10","src_port":48680,"dest_ip":"192.168.40.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17709,"rrname":"www.geocities.com","rrtype":"A","tx_id":0}}
{"timestamp":"2015-02-24T16:53:49.699135+0000","flow_id":21513856,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.40.10","src_port":48680,"dest_ip":"192.168.40.2","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NOERROR","rrname":"www.geocities.com","rrtype":"CNAME","ttl":5,"rdata":"geocities.com"}}
{"timestamp":"2015-02-24T16:53:49.699135+0000","flow_id":21513856,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.40.10","src_port":48680,"dest_ip":"192.168.40.2","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NOERROR","rrname":"geocities.com","rrtype":"A","ttl":5,"rdata":"98.137.201.117"}}
Updated by Lucky b56 over 8 years ago
I someone missed the updates. Thanks, this works.
Updated by Lucky b56 over 8 years ago
I somehow missed the updates. Thanks, this works.
Actions