[Bro] DNS timeout -> memory usage?
Siwek, Jonathan Luke
jsiwek at illinois.edu
Mon Feb 24 08:17:07 PST 2014
On Feb 24, 2014, at 9:00 AM, Aaron Gee-Clough <lists at g-clef.net> wrote:
> While I'm happy that this seems to have fixed a problem, I'm wondering
> what other impact that change has had. Obviously, if the DNS server
> starts responding slowly bro will see the request and response as
> separate sessions...I think I can live with that. Is that the only
> impact of changing the dns_session_timeout variable?
I’d expect another impact besides decreasing “accuracy” of dns.log to be increased entries in conn.log due to some DNS replies falling outside the timeout threshold. Also, I think too low a threshold could have some performance cost due to the increased number of events being raised, which end up expiring sessions too early.
You may be interested in recent commits in Bro’s git repository to the DNS scripts that (for one thing) attempt to put more well-defined bounds on how much state they hold on to. It could be your traffic hits certain corner cases that, in Bro 2.2 and earlier, could cause the DNS script’s state management logic to do poorly. If that’s the case, I can see setting a low value for “dns_session_timeout” being a workaround because it may coincidentally force state to be expired more frequently.
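To make the trade-off described in this thread concrete, here is an added illustration (not Bro code, and not from the list author): a deliberately simplified model of request/reply pairing under a session timeout, run over constructed DNS traffic in which one reply arrives slowly. It assumes pairing by transaction id only and ignores the per-connection state Bro actually keeps; it exists to show how a low timeout turns one slow exchange into an expired query plus an orphaned reply.

```python
from typing import Dict, List, Tuple

# Constructed sample traffic: (timestamp in seconds, direction, transaction id).
# The reply for txid 0x1234 is slow and arrives 8 seconds after its query.
SAMPLE: List[Tuple[float, str, int]] = [
    (0.00, "query", 0x1001),
    (0.02, "reply", 0x1001),
    (1.00, "query", 0x1234),
    (1.50, "query", 0x2002),
    (1.52, "reply", 0x2002),
    (9.00, "reply", 0x1234),  # slow answer to the 1.00s query
]


def pair_dns_sessions(events, timeout):
    """Simplified model (not Bro's implementation) of matching DNS replies
    to pending queries, expiring queries older than `timeout` seconds.
    Returns (matched, orphaned_replies, expired_queries)."""
    pending: Dict[int, float] = {}
    matched: List[Tuple[int, float]] = []   # (txid, round-trip seconds)
    orphaned: List[int] = []                # replies with no pending query
    expired: List[int] = []                 # queries dropped by the timeout
    for ts, direction, txid in events:
        # Expire stale pending queries before handling the current event.
        for q_txid, q_ts in list(pending.items()):
            if ts - q_ts > timeout:
                expired.append(q_txid)
                del pending[q_txid]
        if direction == "query":
            pending[txid] = ts
        elif txid in pending:
            matched.append((txid, ts - pending.pop(txid)))
        else:
            orphaned.append(txid)
    return matched, orphaned, expired


def session_count(events, timeout):
    """Number of distinct sessions the model would emit: each matched pair,
    each expired query and each orphaned reply counts as one record."""
    matched, orphaned, expired = pair_dns_sessions(events, timeout)
    return len(matched) + len(orphaned) + len(expired)


if __name__ == "__main__":
    for t in (5.0, 10.0):
        print(t, pair_dns_sessions(SAMPLE, t), session_count(SAMPLE, t))
```

With a 5 second timeout the slow exchange becomes two records (an expired query and an orphaned reply), which is the extra conn.log-style entry the reply above describes; with 10 seconds all three exchanges pair up.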