[Bro] Questions about Bro's DNS Parser

Seth Hall hall.692 at osu.edu
Sat Feb 6 23:09:43 PST 2010

On Feb 7, 2010, at 2:00 AM, Vern Paxson wrote:

>> The problem is, even with the -C option, some packets that have error
>> codes such as "Server Failure" or "No Such Name Exists" are not being
>> logged in the DNS log file.
> Ah - this rings a bell.  I believe Seth has a fix for this problem (and
> in general a reworked dns.bro), which would be great to incorporate into
> the next Bro release.  I'll let him comment further.

I do have a dns-ext.bro script in my github repository.  I even recently fixed it so that it's actually functional now! :)


I don't know if this will correct the problem you're having or not, but it's worth a try.

It outputs logs like this in "full" mode...
ts	orig_h	orig_p	resp_h	resp_p	proto	query_type	query_class	query	transaction_id	ttl	flags	error	replies
1232039460.39003	5654	53	udp	A	C_INTERNET	ns1.net.ohio-state.edu	bf08	3600	{}	NOERROR	0	{,,}
1232039460.39091	1968	53	udp	A	C_INTERNET	ns2.net.ohio-state.edu	e04e	3600	{}	NOERROR	0	{,,}
1232039460.87	21468	53	udp	A	C_INTERNET	a744.g.akamai.net	2fd6	20	{}	NOERROR	0	{,}

and like this in "minimal" query-only mode...
ts	orig_h	query_type	query
1232039460.39003	A	ns1.net.ohio-state.edu
1232039460.39091	A	ns2.net.ohio-state.edu
1232039460.87	A	a744.g.akamai.net


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
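As an added example, not part of dns-ext.bro or of the post above: a small Python reader for the "full" log format Seth shows. It takes the column names from the header line, splits each row on tabs, expands Bro's `{a,b}` set notation for the flags and replies columns, and pulls out the responses whose error column is anything other than NOERROR, which is the case the original question was about. The sample rows are constructed for this example (documentation-range addresses, made-up transaction IDs); the error strings NXDOMAIN and SERVFAIL are assumed to match what Bro prints for the "No Such Name Exists" and "Server Failure" rcodes.

```python
"""Reader for 'full'-mode dns-ext.bro log lines that picks out error responses.

The header is the one printed in the mailing-list post. The data rows are
constructed for this example and are NOT taken from the post's output; the
error names NXDOMAIN and SERVFAIL are assumed to be Bro's rcode strings.
"""
from collections import Counter

HEADER = ("ts\torig_h\torig_p\tresp_h\tresp_p\tproto\tquery_type\t"
          "query_class\tquery\ttransaction_id\tttl\tflags\terror\treplies")

# Constructed sample rows (documentation-range addresses, invented IDs).
SAMPLE_LOG = HEADER + "\n" + "\n".join([
    "1232039460.39003\t192.0.2.10\t5654\t198.51.100.53\t53\tudp\tA\tC_INTERNET"
    "\tns1.net.ohio-state.edu\tbf08\t3600\t{}\tNOERROR\t{203.0.113.7,203.0.113.8}",
    "1232039461.12000\t192.0.2.10\t6011\t198.51.100.53\t53\tudp\tA\tC_INTERNET"
    "\tdoes-not-exist.example.net\t1a2b\t0\t{}\tNXDOMAIN\t{}",
    "1232039462.50000\t192.0.2.11\t40022\t198.51.100.53\t53\tudp\tMX\tC_INTERNET"
    "\tbroken.example.org\t9c3d\t0\t{}\tSERVFAIL\t{}",
    "1232039463.00100\t192.0.2.12\t51111\t198.51.100.53\t53\tudp\tA\tC_INTERNET"
    "\ta744.g.akamai.net\t2fd6\t20\t{}\tNOERROR\t{,,}",
])


def parse_set(field):
    """Expand Bro's '{a,b}' set notation into a list.

    '{}' and '{,,}' (a set whose members were blanked out, as in the post's
    sample rows) both yield an empty list.
    """
    inner = field.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [item for item in inner.split(",") if item]


def parse_dns_log(text):
    """Parse a header-led, tab-separated DNS log into a list of dicts.

    Rows whose field count does not match the header are rejected rather
    than silently misaligned, so a truncated line cannot shift 'error'
    into another column.
    """
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    columns = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(columns):
            raise ValueError(
                f"expected {len(columns)} fields, got {len(fields)}: {line!r}")
        rec = dict(zip(columns, fields))
        rec["ts"] = float(rec["ts"])
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["ttl"] = int(rec["ttl"])
        rec["transaction_id"] = int(rec["transaction_id"], 16)  # hex in the log
        rec["flags"] = parse_set(rec["flags"])
        rec["replies"] = parse_set(rec["replies"])
        records.append(rec)
    return records


def error_responses(records):
    """Every record whose rcode is not NOERROR (SERVFAIL, NXDOMAIN, ...)."""
    return [r for r in records if r["error"] != "NOERROR"]


def error_summary(records):
    """Count error responses by (error, query_type, query)."""
    return Counter((r["error"], r["query_type"], r["query"])
                   for r in error_responses(records))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for (err, qtype, name), n in sorted(error_summary(recs).items()):
        print(f"{err:9s} {qtype:4s} {name}  x{n}")
```

Running it against a real dns-ext.bro log is a quick way to check the complaint in the thread: if a capture is known to contain SERVFAIL or NXDOMAIN answers and `error_responses` returns nothing, the parser dropped them before they reached the log.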
