[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers

Pietro Delsante (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 22 08:08:31 PDT 2013


Pietro Delsante created BIT-1064:
------------------------------------

             Summary: DNS Analyzer does not correctly log NXDOMAIN answers
                 Key: BIT-1064
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1064
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.1
         Environment: Bro 2.1 running on SecurityOnion 12.04-2
            Reporter: Pietro Delsante
         Attachments: nxdomain_pcap.png

Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.

It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:

{noformat}
1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
{noformat}

that is, exploded:

{noformat}
ts:             1377179281.104465
uid:            prGZzGRr1M4
id:             192.168.X.Y|45406|8.8.8.8|53
proto:          udp
trans_id:       64928
query:          www.this-domain-does-not-exist.it
qclass:         1
qclass_name:    C_INTERNET
qtype:          1
qtype_name:     A
rcode:          -
rcode_name:     -
AA:             F
TC:             F
RD:             T
RA:             F
Z:              0
answers:        -
TTLs:           -
{noformat}

The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:

{noformat}
1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
{noformat}

The attachment is a screenshot from a Wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.

The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP flows, so this should have nothing to do with this issue.

Should you need any more info about my setup, please let me know.

Thanks,
Pietro
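To make the expected behaviour concrete: the RCODE of a DNS reply is carried in the low four bits of the flags word of the 12-byte header, so it is available for a response to an A query exactly as it is for a PTR query; neither the question section nor the (empty) answer section has to be consulted. The Python below is an added example, not code from Bro or from the reporter. It builds minimal NXDOMAIN responses (constructed test data, not captured traffic; the transaction IDs and query names are simply reused from the log lines above) and parses the header and question back into the same fields the dns.log columns carry (rcode, rcode_name, AA, TC, RD, RA, Z). The name decoder also follows RFC 1035 compression pointers, which the constructed packets do not use but real responses routinely do.

```python
"""Added example: extract RCODE from a DNS response on the wire.

Constructed packets, not a capture. RCODE lives in the DNS header
(low four bits of the flags word), so it is present for any query
type, A and PTR alike.
"""
import struct

# RCODE values from RFC 1035 section 4.1.1, named the way dns.log names them.
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
    3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED",
}
QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}
QTYPE_A, QTYPE_PTR = 1, 12


def encode_name(qname):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_nxdomain_response(trans_id, qname, qtype, rd=True):
    """Constructed test data: a minimal NXDOMAIN reply with QR=1, RD echoed,
    RA=0, RCODE=3, the question copied back and no answer records."""
    flags = 0x8000            # QR: this is a response
    if rd:
        flags |= 0x0100       # RD echoed from the query
    flags |= 3                # RCODE = 3 (NXDOMAIN) in the low four bits
    header = struct.pack("!HHHHHH", trans_id, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_name(msg, off):
    """Decode a name at offset `off`, following compression pointers
    (RFC 1035 section 4.1.4). Returns (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # the name ends here
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg):
    """Return header flags and the first question as a dict shaped like the
    dns.log columns. rcode is None for a query (QR=0), as dns.log shows '-'."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    trans_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qr = bool(flags & 0x8000)
    rcode = flags & 0x000F
    rec = {
        "trans_id": trans_id,
        "is_response": qr,
        "AA": bool(flags & 0x0400),
        "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100),
        "RA": bool(flags & 0x0080),
        "Z": (flags >> 4) & 0x7,
        "rcode": rcode if qr else None,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)) if qr else None,
        "answers": ancount,
    }
    if qdcount:
        qname, off = parse_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        rec.update(query=qname, qtype=qtype,
                   qtype_name=QTYPE_NAMES.get(qtype, str(qtype)), qclass=qclass)
    return rec


def main():
    # Same two lookups as in the report: an A query and a PTR query, both NXDOMAIN.
    for qname, qtype in (("www.this-domain-does-not-exist.it", QTYPE_A),
                         ("1.0.168.192.in-addr.arpa", QTYPE_PTR)):
        rec = parse_response(build_nxdomain_response(64928, qname, qtype))
        print(rec["qtype_name"], rec["query"], rec["rcode"], rec["rcode_name"])


if __name__ == "__main__":
    main()
```

Run as-is it prints rcode 3 / NXDOMAIN for both the A and the PTR case, which is what the two dns.log lines above should agree on; parsing a query (QR clear) instead of a response yields no rcode, which is the one situation where a dash in that column is correct.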
