Project

General

Profile

Actions

Feature #3952

open

mDNS protocol implementation

Added by Shivani Bhardwaj over 4 years ago. Updated 6 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

Support for mDNS protocol in Suricata in Rust.


Related issues 6 (4 open2 closed)

Related to Suricata - Task #4151: Research: New protocol supportNewCommunity TicketActions
Related to Suricata - Feature #5773: Support DNS over HTTPS (DoH)ClosedPhilippe AntoineActions
Related to Suricata - Feature #6453: Support DNS over TLSNewOISF DevActions
Related to Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event typesClosedJason IshActions
Blocks Suricata - Task #7118: tracking: add support for new protocolsAssignedVictor JulienActions
Blocks Suricata - Story #7119: protocols: protocol additionsNewVictor JulienActions
Actions #1

Updated by Victor Julien about 4 years ago

  • Label Protocol added
Actions #2

Updated by Philippe Antoine almost 2 years ago

mDNS is just DNS on another port, right ?

Actions #3

Updated by Philippe Antoine about 1 year ago

  • Related to Task #4151: Research: New protocol support added
Actions #4

Updated by Victor Julien about 1 year ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to TBD
Actions #5

Updated by Victor Julien about 1 year ago

Actions #6

Updated by Victor Julien about 1 year ago

Actions #7

Updated by Victor Julien about 1 year ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #8

Updated by Victor Julien 7 months ago

I've looked a bit into this, and so far it seems that it's indeed just dns over 5353 so far. Adding 5353 to the UDP DNS ports in the yaml is enough to get logging going.

To me the main question now is: is this enough, or should we distinguish between dns and mdns? It's fairly trivial to reregister the dns parsers as mdns, so they get their own log type. This would require dns keywords to be updated as well.

On the other hand, we can also just annotate regular dns records as mdns by looking at the ports and/or dest address.

Actions #9

Updated by Victor Julien 7 months ago

One thing to consider if that existing rules won't expect mdns/5353 to match app proto dns.

Actions #10

Updated by Victor Julien 7 months ago

Related: there are several other DNS-like protocols. Netbios name service uses DNS structure but with a special name encoding. There is link local mnds too, using port 5355.

Actions #11

Updated by Jason Ish 7 months ago

  • Related to Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Actions #12

Updated by Jason Ish 7 months ago

Related to #6281. MDNS actually uses the ability to have multiple queries in the request which is one of the logging issues #6281 addresses.

I wonder if its safe enough to identify DNS on port 5353 as mdns? If we need a further restriction, multicast and port 5353.

Actions #13

Updated by Victor Julien 6 months ago

Conclusion after some discussion:

dns, doh, dns over tls should be grouped together as app proto dns
mdns and it's variants should be separate

Actions #14

Updated by Victor Julien 6 months ago

  • Blocks Task #7118: tracking: add support for new protocols added
Actions #15

Updated by Victor Julien 6 months ago

  • Blocks Story #7119: protocols: protocol additions added
Actions

Also available in: Atom PDF