[Bro-Dev] [JIRA] (BIT-1064) DNS Analyzer does not correctly log NXDOMAIN answers

Pietro Delsante (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 22 08:46:31 PDT 2013


     [ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pietro Delsante updated BIT-1064:
---------------------------------

    Attachment: nxdomain.pcap

PCAP file containing a request and response for a nonexistent domain; the server is answering with RCODE=3 (NXDOMAIN).

This happens both with my internal DNS server and with Google's 8.8.8.8.
                
> DNS Analyzer does not correctly log NXDOMAIN answers
> ----------------------------------------------------
>
>                 Key: BIT-1064
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1064
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.1
>         Environment: Bro 2.1 running on SecurityOnion 12.04-2
>            Reporter: Pietro Delsante
>              Labels: dns, nxdomain
>         Attachments: nxdomain.pcap, nxdomain_pcap.png
>
>
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and rcode_name in the output log when the query is of type A and the server answers with an rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both fields, like this:
> {noformat}
> 1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> {noformat}
> that is, exploded:
> {noformat}
> ts:             1377179281.104465
> uid:            prGZzGRr1M4
> id:             192.168.X.Y|45406|8.8.8.8|53
> proto:          udp
> trans_id:       64928
> query:          www.this-domain-does-not-exist.it
> qclass:         1
> qclass_name:    C_INTERNET
> qtype:          1
> qtype_name:     A
> rcode:          -
> rcode_name:     -
> AA:             F
> TC:             F
> RD:             T
> RA:             F
> Z:              0
> answers:        -
> TTLs:           -
> {noformat}
> The only case in which I see those values set correctly (rcode: 3, rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> {noformat}
> 1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
> {noformat}
> The attachment is a screenshot from a Wireshark capture of the DNS query showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the extraction of executable files from HTTP and SMTP flows, so this should have nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
> Thanks,
> Pietro

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
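The symptom above matters beyond cosmetics: per-client NXDOMAIN rates are a standard signal for DGA beaconing and typo-squatting, and a dns.log that writes "-" for the RCODE of A-query replies blinds that detection. The following is an added example, not code from the ticket, from Bro, or from Security Onion. It decodes the RCODE straight from the DNS header (the low four bits of the flags word, independent of qtype), parses the two dns.log records quoted in the ticket, and flags a record whose rcode disagrees with the wire. The response bytes are constructed here with the ticket's transaction IDs and names; in practice they would be read from nxdomain.pcap. The "|" separator matches the pasted records (the stock Bro log is tab-separated, so both are accepted), and the column order is the one the ticket lists.

```python
import struct

# Bro 2.1 dns.log columns, in the order the ticket lists them. The pasted records
# use "|" as separator; the stock log is tab-separated, so both are accepted.
DNS_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs",
]

# RFC 1035 response codes (the subset Bro names in dns.log).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

# The two dns.log records quoted in the ticket, used here as sample input.
SAMPLE_LOG_A = ("1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|"
                "www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-")
SAMPLE_LOG_PTR = ("1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|"
                  "1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-")


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset, following RFC 1035 compression pointers.
    Returns (name, offset of the first byte after the name field)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_response(trans_id, qname, qtype, rcode, rd=True, ra=True):
    """Constructed reply: QR=1, one question echoed back, no answer RRs, given RCODE.
    With rcode=3 this is what a resolver returns for a name that does not exist."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", trans_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_response(msg):
    """Extract the header bits Bro logs, plus the question, from a raw DNS message.
    RCODE lives in the low four bits of the flags word whatever the qtype is."""
    trans_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    fields = {
        "trans_id": trans_id, "QR": bool(flags & 0x8000),
        "AA": bool(flags & 0x0400), "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100), "RA": bool(flags & 0x0080),
        "Z": (flags >> 4) & 0x7, "ancount": ancount,
        "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
    }
    if qdcount:
        fields["query"], off = decode_name(msg, 12)
        fields["qtype"], fields["qclass"] = struct.unpack("!HH", msg[off:off + 4])
    return fields


def parse_dns_log_line(line):
    """Split one dns.log record into a dict keyed by DNS_LOG_FIELDS."""
    values = line.rstrip("\n").split("|" if "|" in line else "\t")
    if len(values) != len(DNS_LOG_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(DNS_LOG_FIELDS), len(values)))
    return dict(zip(DNS_LOG_FIELDS, values))


def log_disagrees_with_wire(log_line, response):
    """True when the dns.log record omits ('-') or misstates the RCODE seen on the wire.
    A '-' against a reply carrying RCODE=3 is exactly the symptom in the ticket."""
    rec, wire = parse_dns_log_line(log_line), parse_response(response)
    if int(rec["trans_id"]) != wire["trans_id"]:
        raise ValueError("log record and packet are different transactions")
    return rec["rcode"] == "-" or int(rec["rcode"]) != wire["rcode"]


if __name__ == "__main__":
    # Replay the ticket: an NXDOMAIN reply to the A query, then to the PTR query.
    a_reply = build_response(64928, "www.this-domain-does-not-exist.it", 1, 3)
    ptr_reply = build_response(54306, "1.0.168.192.in-addr.arpa", 12, 3)
    print("A   record disagrees with wire:", log_disagrees_with_wire(SAMPLE_LOG_A, a_reply))
    print("PTR record disagrees with wire:", log_disagrees_with_wire(SAMPLE_LOG_PTR, ptr_reply))
```

Run against the real capture, the same `parse_response` call on the UDP payload of the reply in nxdomain.pcap would show RCODE=3 for the A query, which is the comparison the Wireshark screenshot makes by hand; the check reports the A record as disagreeing and the PTR record as consistent.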

