Actions
Bug #2891
openEmpty rrname in DNS answer for non-recurse NS answers
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hello.
I have a scenario where the rrname is empty when replied in a norecurse DNS query.
It seems Suricata isn't able to output the correct rrname in the DNS answer for non-recurse. It outputs "<root>", which means empty. The problem is that i'm not able to easily see which DNS query generated the NS reply and get a serious overflood with "<root>" rrname's.
I can use the `flow_id`, but expected output would be to have the DNS queried rrname also in the DNS answer.
I run suricata-4.1.2
I have attached a sample PCAP. To reproduce:
$ dig +norecurse lulz.microsoft.com ... 14:11:58.942866 IP 192.168.1.112.49631 > 192.168.2.249.53: 39518 [1au] A? lulz.microsoft.com. (47) 14:11:58.944778 IP 192.168.2.249.53 > 192.168.1.112.49631: 39518 0/13/27 (830) $ cat eve-dns.json {"timestamp":"2019-03-20T14:11:58.942866+0100","flow_id":2034170534454034,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.1.112","src_port":49631,"dest_ip":"192.168.2.249","dest_port":53,"proto":"017","dns":{"type":"query","id":39518,"rrname":"lulz.microsoft.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"a.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"k.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"g.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"m.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"f.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"d.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"c.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"i.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"h.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"e.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"l.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"b.root-servers.net"}} {"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"j.root-servers.net"}} $ ./suricata --build-info This is Suricata version 4.1.0-dev (rev b51e4a3) Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC SIMD support: none Atomic intrisics: 1 2 4 8 byte(s) 64-bits, Little-endian architecture GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901 compiled with _FORTIFY_SOURCE=0 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28Suricata Configuration: AF_PACKET support: yes eBPF support: no XDP support: no PF_RING support: no NFQueue support: no NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no WinDivert enabled: no Unix socket enabled: yes Detection enabled: yes Libmagic support: yes libnss support: yes libnspr support: yes libjansson support: yes liblzma support: no hiredis support: no hiredis async with libevent: no Prelude support: no PCRE jit: yes LUA support: yes libluajit: no libgeoip: yes Non-bundled htp: no Old barnyard2 support: no Hyperscan support: no Libnet support: yes liblz4 support: no Rust support: no Rust strict mode: no Rust debug mode: no Rust compiler: not set Rust cargo: not set Install suricatasc: yes Install suricata-update: no Profiling enabled: no Profiling locks enabled: noDevelopment settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: noGeneric build parameters: Installation prefix: /usr/local Configuration directory: /usr/local/etc/suricata/ Log directory: /usr/local/var/log/suricata/ --prefix /usr/local --sysconfdir /usr/local/etc --localstatedir /usr/local/var --datarootdir /usr/local/share Host: x86_64-unknown-linux-gnu Compiler: gcc (exec name) / gcc (real) GCC Protect enabled: no GCC march native enabled: no GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 PCAP_CFLAGS SECCFLAGS
Files
Updated by Kjell Tore Fossbakk over 5 years ago
I enabled the line based log of DNS, same issue:
03/20/2019-14:11:58.942866 [**] Query TX 9a5e [**] lulz.microsoft.com [**] A [**] 192.168.1.112:49631 -> 192.168.2.249:53 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] Recursion Desired [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] a.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] k.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] g.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] m.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] f.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] d.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] c.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] i.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] h.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] e.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] l.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] b.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] j.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
Updated by Philippe Antoine about 1 year ago
Log is
"dns": { "version": 2, "type": "answer", "id": 39518, "flags": "8080", "qr": true, "ra": true, "opcode": 0, "rrname": "lulz.microsoft.com", "rrtype": "A", "rcode": "NOERROR", "authorities": [ { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "a.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "k.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "g.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "m.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "f.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "d.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "c.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "i.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "h.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "e.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "l.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "b.root-servers.net" }, { "rrname": "", "rrtype": "NS", "ttl": 85856, "rdata": "j.root-servers.net" } ] }
What is expected instead ? Wireshark seems to give the same...
Actions