Actions
Bug #2891
openEmpty rrname in DNS answer for non-recurse NS answers
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hello.
I have a scenario where the rrname is empty when replied in a norecurse DNS query.
It seems Suricata isn't able to output the correct rrname in the DNS answer for non-recurse. It outputs "<root>", which means empty. The problem is that i'm not able to easily see which DNS query generated the NS reply and get a serious overflood with "<root>" rrname's.
I can use the `flow_id`, but expected output would be to have the DNS queried rrname also in the DNS answer.
I run suricata-4.1.2
I have attached a sample PCAP. To reproduce:
$ dig +norecurse lulz.microsoft.com
...
14:11:58.942866 IP 192.168.1.112.49631 > 192.168.2.249.53: 39518 [1au] A? lulz.microsoft.com. (47)
14:11:58.944778 IP 192.168.2.249.53 > 192.168.1.112.49631: 39518 0/13/27 (830)
$ cat eve-dns.json
{"timestamp":"2019-03-20T14:11:58.942866+0100","flow_id":2034170534454034,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.1.112","src_port":49631,"dest_ip":"192.168.2.249","dest_port":53,"proto":"017","dns":{"type":"query","id":39518,"rrname":"lulz.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"a.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"k.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"g.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"m.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"f.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"d.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"c.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"i.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"h.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"e.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"l.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"b.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"j.root-servers.net"}}
$ ./suricata --build-info
This is Suricata version 4.1.0-dev (rev b51e4a3)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no Unix socket enabled: yes
Detection enabled: yes Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: no
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: no
Libnet support: yes
liblz4 support: no Rust support: no
Rust strict mode: no
Rust debug mode: no
Rust compiler: not set
Rust cargo: not set Install suricatasc: yes
Install suricata-update: no Profiling enabled: no
Profiling locks enabled: noDevelopment settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: noGeneric build parameters:
Installation prefix: /usr/local
Configuration directory: /usr/local/etc/suricata/
Log directory: /usr/local/var/log/suricata/ --prefix /usr/local
--sysconfdir /usr/local/etc
--localstatedir /usr/local/var
--datarootdir /usr/local/share Host: x86_64-unknown-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2
PCAP_CFLAGS
SECCFLAGS
Files
Updated by Kjell Tore Fossbakk over 6 years ago
I enabled the line based log of DNS, same issue:
03/20/2019-14:11:58.942866 [**] Query TX 9a5e [**] lulz.microsoft.com [**] A [**] 192.168.1.112:49631 -> 192.168.2.249:53 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] Recursion Desired [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] a.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] k.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] g.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] m.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] f.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] d.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] c.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] i.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] h.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] e.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] l.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] b.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631 03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] j.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
Updated by Philippe Antoine almost 2 years ago
Log is
"dns": {
"version": 2,
"type": "answer",
"id": 39518,
"flags": "8080",
"qr": true,
"ra": true,
"opcode": 0,
"rrname": "lulz.microsoft.com",
"rrtype": "A",
"rcode": "NOERROR",
"authorities": [
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "a.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "k.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "g.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "m.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "f.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "d.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "c.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "i.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "h.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "e.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "l.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "b.root-servers.net"
},
{
"rrname": "",
"rrtype": "NS",
"ttl": 85856,
"rdata": "j.root-servers.net"
}
]
}
What is expected instead ? Wireshark seems to give the same...
Actions