Project

General

Profile

Actions
Copy link

Feature #2087

closed

Increase verbosity of DNS logging - MX additional records

Added by Ask Kemp about 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

In my sample DNS pcap, I noticed that Suricata 3.2.1 is not logging the "additional records" which in my example contain A records. The below is tcpdump showing a request for the MX record for google.com and the response from the server. The response (6/0/6) contains 6 answer records and 6 additional records.

tcpdump 
...
    192.168.170.8.32795 > 192.168.170.20.domain: [udp sum ok] 63343+ MX? google.com. (28)
    192.168.170.20.domain > 192.168.170.8.32795: [udp sum ok] 63343 q: MX? google.com. 6/0/6 google.com. [9m12s] MX smtp4.google.com. 40, google.com. [9m12s] MX smtp5.google.com. 10, google.com. [9m12s] MX smtp6.google.com. 10, google.com. [9m12s] MX smtp1.google.com. 10, google.com. [9m12s] MX smtp2.google.com. 10, google.com. [9m12s] MX smtp3.google.com. 40 ar: smtp4.google.com. [10m] A 216.239.37.26, smtp5.google.com. [10m] A 64.233.167.25, smtp6.google.com. [10m] A 66.102.9.25, smtp1.google.com. [10m] A 216.239.57.25, smtp2.google.com. [10m] A 216.239.37.25, smtp3.google.com. [10m] A 216.239.57.26 (256)
...

Currently with Suricata 3.2.1, the same PCAP is logged as the below. Notice it doesn't contain the additional records.

03/30/2005-00:47:50.501268 [**] Query TX f76f [**] google.com [**] MX [**] 192.168.170.8:32795 -> 192.168.170.20:53
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] Recursion Desired [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp4.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp5.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp6.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp1.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp2.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp3.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795

My Setup:
My DNS sample set is "dns.cap (libpcap) Various DNS lookups." from https://wiki.wireshark.org/SampleCaptures

My setup is an out of the box config from source (suricata-3.2.1) and I ensured DNS logging is enabled.

Actions
Copy link
 #1

Updated by Andreas Herz almost 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Victor Julien about 6 years ago

  • Status changed from New to Closed
  • Assignee deleted (Anonymous)
  • Target version deleted (TBD)

The old dns.log is scheduled for removal: #2297

Actions
Copy link

Also available in: Atom PDF