Feature #3952
openmDNS protocol implementation
Description
Support for mDNS protocol in Suricata in Rust.
Updated by Philippe Antoine almost 2 years ago
mDNS is just DNS on another port, right ?
Updated by Philippe Antoine 11 months ago
- Related to Task #4151: Research: New protocol support added
Updated by Victor Julien 10 months ago
- Status changed from New to Assigned
- Assignee set to Jason Ish
- Target version set to TBD
Updated by Victor Julien 10 months ago
- Related to Feature #5773: Support DNS over HTTPS (DoH) added
Updated by Victor Julien 10 months ago
- Related to Feature #6453: Support DNS over TLS added
Updated by Victor Julien 10 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Victor Julien 4 months ago
I've looked a bit into this, and so far it seems that it's indeed just dns over 5353 so far. Adding 5353 to the UDP DNS ports in the yaml is enough to get logging going.
To me the main question now is: is this enough, or should we distinguish between dns and mdns? It's fairly trivial to reregister the dns parsers as mdns, so they get their own log type. This would require dns keywords to be updated as well.
On the other hand, we can also just annotate regular dns records as mdns by looking at the ports and/or dest address.
Updated by Victor Julien 4 months ago
One thing to consider if that existing rules won't expect mdns/5353 to match app proto dns.
Updated by Victor Julien 4 months ago
Related: there are several other DNS-like protocols. Netbios name service uses DNS structure but with a special name encoding. There is link local mnds too, using port 5355.
Updated by Victor Julien 4 months ago
Conclusion after some discussion:
dns, doh, dns over tls should be grouped together as app proto dns
mdns and it's variants should be separate
Updated by Victor Julien 4 months ago
- Blocks Task #7118: tracking: add support for new protocols added
Updated by Victor Julien 4 months ago
- Blocks Story #7119: protocols: protocol additions added