Feature #2087
Increase verbosity of DNS logging - MX additional records
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Effort: -
Difficulty: -
Label: -
Description
In my sample DNS pcap, I noticed that Suricata 3.2.1 is not logging the "additional records", which in my example contain A records. Below is tcpdump output showing a request for the MX record for google.com and the response from the server. The response (6/0/6) contains 6 answer records, 0 authority records and 6 additional records.
tcpdump ...
192.168.170.8.32795 > 192.168.170.20.domain: [udp sum ok] 63343+ MX? google.com. (28)
192.168.170.20.domain > 192.168.170.8.32795: [udp sum ok] 63343 q: MX? google.com. 6/0/6 google.com. [9m12s] MX smtp4.google.com. 40, google.com. [9m12s] MX smtp5.google.com. 10, google.com. [9m12s] MX smtp6.google.com. 10, google.com. [9m12s] MX smtp1.google.com. 10, google.com. [9m12s] MX smtp2.google.com. 10, google.com. [9m12s] MX smtp3.google.com. 40 ar: smtp4.google.com. [10m] A 216.239.37.26, smtp5.google.com. [10m] A 64.233.167.25, smtp6.google.com. [10m] A 66.102.9.25, smtp1.google.com. [10m] A 216.239.57.25, smtp2.google.com. [10m] A 216.239.37.25, smtp3.google.com. [10m] A 216.239.57.26 (256)
...
Currently, with Suricata 3.2.1, the same PCAP is logged as below. Notice it doesn't contain the additional records.
03/30/2005-00:47:50.501268 [**] Query TX f76f [**] google.com [**] MX [**] 192.168.170.8:32795 -> 192.168.170.20:53
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] Recursion Desired [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp4.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp5.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp6.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp1.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp2.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
03/30/2005-00:47:51.333401 [**] Response TX f76f [**] google.com [**] MX [**] TTL 552 [**] smtp3.google.com [**] 192.168.170.20:53 -> 192.168.170.8:32795
My Setup:
My DNS sample set is "dns.cap (libpcap) Various DNS lookups." from https://wiki.wireshark.org/SampleCaptures
My setup is an out-of-the-box config built from source (suricata-3.2.1), and I ensured DNS logging is enabled.
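To make the gap in the report concrete, here is an added example (not part of the Suricata issue, the referenced pcap, or Suricata's own code) of a minimal DNS response parser that walks all four message sections, including the "additional records" (ar) section the reporter sees in tcpdump but not in dns.log. The wire bytes are constructed inline to mirror the shape of the tcpdump output above (MX answers plus glue A records, with RFC 1035 name compression); the record names, TTLs and addresses are taken from the report's output, but the message itself is an assumption built for this example, not a capture.

```python
"""Walk a DNS response and report every section, including additional records.

Added example, not Suricata code. The sample message below is constructed here
(two MX answers, no authority records, two glue A records) so the script runs
offline; it mirrors the shape of the tcpdump output in the report.
"""
import struct

TYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Serialize one resource record (class IN)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_sample_response() -> bytes:
    """Constructed response: id f76f, flags QR|RD|RA, qd=1 an=2 ns=0 ar=2."""
    msg = struct.pack("!HHHHHH", 0xF76F, 0x8180, 1, 2, 0, 2)
    msg += _encode_name("google.com") + struct.pack("!HH", 15, 1)  # question: MX? google.com
    qname_ptr = struct.pack("!H", 0xC000 | 12)  # compression pointer to the QNAME
    # Answers: exchange names written in full so the glue records can point at them.
    mx4_off = len(msg) + 2 + 10 + 2  # offset where "smtp4.google.com" will land
    msg += _rr(qname_ptr, 15, 552, struct.pack("!H", 40) + _encode_name("smtp4.google.com"))
    mx5_off = len(msg) + 2 + 10 + 2
    msg += _rr(qname_ptr, 15, 552, struct.pack("!H", 10) + _encode_name("smtp5.google.com"))
    # Additional section: glue A records whose owner names are compression pointers.
    msg += _rr(struct.pack("!H", 0xC000 | mx4_off), 1, 600, bytes([216, 239, 37, 26]))
    msg += _rr(struct.pack("!H", 0xC000 | mx5_off), 1, 600, bytes([64, 233, 167, 25]))
    return msg


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def _read_rr(msg: bytes, off: int):
    """Decode one resource record; return (record dict, offset after the record)."""
    name, off = _read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        rdata = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype == 15:
        pref = struct.unpack("!H", msg[off:off + 2])[0]
        exchange, _ = _read_name(msg, off + 2)
        rdata = f"{pref} {exchange}"
    else:
        rdata = msg[off:off + rdlen].hex()
    return {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)), "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_dns(msg: bytes) -> dict:
    """Parse header, question and all three RR sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, str(qtype))))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            records.append(rr)
        sections[key] = records
    return {"txid": txid, "flags": flags, "questions": questions, **sections}


def summarize(parsed: dict) -> str:
    """tcpdump-style section counts: answers/authority/additional."""
    return f"{len(parsed['answer'])}/{len(parsed['authority'])}/{len(parsed['additional'])}"


if __name__ == "__main__":
    p = parse_dns(build_sample_response())
    print(f"TX {p['txid']:04x} q: {p['questions'][0][1]}? {p['questions'][0][0]}. {summarize(p)}")
    for section in ("answer", "authority", "additional"):
        for rr in p[section]:
            print(f"  [{section}] {rr['name']} TTL {rr['ttl']} {rr['type']} {rr['rdata']}")
```

Running it prints the "2/0/2" section counts and then every record, including the two glue A records a logger that stops after the answer section would never emit; comparing the additional-section list against what a DNS log writes is a quick way to confirm whether glue records are being dropped.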
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien almost 7 years ago
- Status changed from New to Closed
- Assignee deleted (Anonymous)
- Target version deleted (TBD)
The old dns.log is scheduled for removal: #2297