Project

General

Profile

Actions

Bug #2891

open

Empty rrname in DNS answer for non-recurse NS answers

Added by Kjell Tore Fossbakk almost 6 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello.

I have a scenario where the rrname is empty when replied in a norecurse DNS query.

It seems Suricata isn't able to output the correct rrname in the DNS answer for non-recurse. It outputs "<root>", which means empty. The problem is that i'm not able to easily see which DNS query generated the NS reply and get a serious overflood with "<root>" rrname's.

I can use the `flow_id`, but expected output would be to have the DNS queried rrname also in the DNS answer.

I run suricata-4.1.2

I have attached a sample PCAP. To reproduce:

$ dig +norecurse lulz.microsoft.com
...
14:11:58.942866 IP 192.168.1.112.49631 > 192.168.2.249.53: 39518 [1au] A? lulz.microsoft.com. (47)
14:11:58.944778 IP 192.168.2.249.53 > 192.168.1.112.49631: 39518 0/13/27 (830)

$ cat eve-dns.json
{"timestamp":"2019-03-20T14:11:58.942866+0100","flow_id":2034170534454034,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.1.112","src_port":49631,"dest_ip":"192.168.2.249","dest_port":53,"proto":"017","dns":{"type":"query","id":39518,"rrname":"lulz.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"a.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"k.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"g.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"m.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"f.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"d.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"c.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"i.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"h.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"e.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"l.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"b.root-servers.net"}}
{"timestamp":"2019-03-20T14:11:58.944778+0100","flow_id":2034170534454034,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.2.249","src_port":53,"dest_ip":"192.168.1.112","dest_port":49631,"proto":"017","dns":{"type":"answer","id":39518,"flags":"8080","qr":true,"ra":true,"rcode":"NOERROR","rrname":"<root>","rrtype":"NS","ttl":20320,"rdata":"j.root-servers.net"}}

$ ./suricata --build-info
This is Suricata version 4.1.0-dev (rev b51e4a3)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC 
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-16), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no  Unix socket enabled:                     yes
  Detection enabled:                       yes  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         no
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          no  Rust support:                            no
  Rust strict mode:                        no
  Rust debug mode:                         no
  Rust compiler:                           not set
  Rust cargo:                              not set  Install suricatasc:                      yes
  Install suricata-update:                 no  Profiling enabled:                       no
  Profiling locks enabled:                 noDevelopment settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                noGeneric build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2
  PCAP_CFLAGS                               
  SECCFLAGS                       


Files

norecurse_dns_sanitized.pcap (1017 Bytes) norecurse_dns_sanitized.pcap Kjell Tore Fossbakk, 03/20/2019 02:05 PM
Actions #1

Updated by Kjell Tore Fossbakk almost 6 years ago

I enabled the line based log of DNS, same issue:

03/20/2019-14:11:58.942866 [**] Query TX 9a5e [**] lulz.microsoft.com [**] A [**] 192.168.1.112:49631 -> 192.168.2.249:53
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] Recursion Desired [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] a.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] k.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] g.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] m.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] f.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] d.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] c.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] i.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] h.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] e.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] l.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] b.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631
03/20/2019-14:11:58.944778 [**] Response TX 9a5e [**] <root> [**] NS [**] TTL 20320 [**] j.root-servers.net [**] 192.168.2.249:53 -> 192.168.1.112:49631

Actions #2

Updated by Victor Julien almost 6 years ago

  • Assignee set to Jason Ish
Actions #3

Updated by Andreas Herz over 5 years ago

  • Target version set to TBD
Actions #4

Updated by Philippe Antoine about 1 year ago

Log is

  "dns": {
    "version": 2,
    "type": "answer",
    "id": 39518,
    "flags": "8080",
    "qr": true,
    "ra": true,
    "opcode": 0,
    "rrname": "lulz.microsoft.com",
    "rrtype": "A",
    "rcode": "NOERROR",
    "authorities": [
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "a.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "k.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "g.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "m.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "f.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "d.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "c.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "i.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "h.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "e.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "l.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "b.root-servers.net" 
      },
      {
        "rrname": "",
        "rrtype": "NS",
        "ttl": 85856,
        "rdata": "j.root-servers.net" 
      }
    ]
  }

What is expected instead ? Wireshark seems to give the same...

Actions

Also available in: Atom PDF