[Bro-Dev] #368: Patch for Reverse DNS Lookups and DNS TTL support

Bro Tracker bro at tracker.icir.org
Thu Jan 27 05:10:41 PST 2011 

#368: Patch for Reverse DNS Lookups and DNS TTL support
--------------------------+-----------------------------
 Reporter:  thomas.other  |       Type:  Patch
   Status:  new           |   Priority:  Normal
Milestone:                |  Component:  Bro
  Version:  1.5.2         |   Keywords:  DNS TTL Resolve
--------------------------+-----------------------------
 In large networks with short DHCP lease times it may be advantageous to
 log DNS hostnames additionally to the IP of a given host.

 While support for forward DNS lookups is already built into the print
 statement in the scripting language, and the DNS manager already offers
 support for both types of queries, a new explicit resolve expression
 completes the set of DNS functions in bro.

 In order to obtain the most recent DNS zone record for a given host,
 instead of a previously received and locally cached value, the DNS manager
 must pay respect to the TTL value associated with a DNS zone record. The
 currently used resolver API (bind) offers support for TTL retrieval,
 therefore this value shall be passed on to the DNS manager where it is
 used to decide whether a new resolve request should be issued if the
 currently cached record has become stale.

 Two patches address these issues (based on SVN r7165):

   * resolve.patch:
                    * enables the use of the resolve() expression in bro
 scripts
                    * e.g. resolve("www.microsoft.com") or
 resolve(65.55.21.250)

   * dnsttls.patch:
                    * enables DNS to requery records that are older than
 the records TTL
                    * is controlled through configure flag --enable-dns-
 ttl, if omitted behavior is as if the patch wasn't applied


 Both patches have been thoroughly tested in productive environments. The
 implementation of the resolve expression declares several methods where a
 reproduction of the intended funtionality couldn't be verified a 100%. If
 a more experienced bro developer could have a look at following methods
 and provide a quick feedback it would be greatly appreciated:
 {{{
   - Expr.cc:   ResolveExpr::Simplify
   - Expr.cc:   ResolveExpr::Traverse
   - Expr.cc:   ResolveExpr::ExprDescribe
   - Expr.cc:   ResolveExpr::DoSerialize
   - Expr.cc:   ResolveExpr::DoUnserialize
 }}}
 Many thanks!

 Thomas

-- 
Ticket URL: <http://tracker.icir.org/bro/ticket/368>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list