[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

Vlad Grigorescu (JIRA) jira at bro-tracker.atlassian.net
Fri Sep 4 05:48:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21941#comment-21941 ] 

Vlad Grigorescu commented on BIT-1460:
--------------------------------------

The issue here is src/analyzer/protocol/dns/DNS.cc lines 58-68:

{quote}
        // There is a great deal of non-DNS traffic that runs on port 53.
        // This should weed out most of it.
        if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
                {
                analyzer->ProtocolViolation("DNS_Conn_count_too_large");
                analyzer->Weird("DNS_Conn_count_too_large");
                EndMessage(&msg);
                return 0;
                }
{quote}

topic/vladg/bit-1460 makes dns_max_queries redef-able, and bumps up the limit from 5 to 25.

Since multicast is so chatty, it might make sense to special case it and allow for a higher limit. That being said, I'm not sure there's much of a downside to setting the max a bit higher.

> DPD query too large on multicast DNS
> ------------------------------------
>
>                 Key: BIT-1460
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1460
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Michal Purzynski
>              Labels: analyzer
>         Attachments: dnsm.pcap
>
>
> Lots of
> 1440024833.696698	CZdljELZjJSLLQpxj	10.251.27.165	5353	224.0.0.251	5353	udp	DNS	DNS_Conn_count_too_large
> 1440024920.764444	CgVrZf4IQ0Tc04EfQe	10.251.29.250	5353	224.0.0.251	5353	udp	DNS	DNS_Conn_count_too_large
> 1440024920.764923	C4oQOB2GRRhDHW1i4g	fe80::6676:baff:feb5:772c	5353	ff02::fb	5353	udp	DNS	DNS_Conn_count_too_large
> 1440024981.016577	CsCwiq3qk2Uxjhomjj	fe80::1c8a:768d:e113:e39f	5353	ff02::fb	5353	udp	DNS	DNS_Conn_count_too_large
> 1440024981.015551	CA1nbO23vgbca2PBYi	10.251.28.176	5353	224.0.0.251	5353	udp	DNS	DNS_Conn_count_too_large
> 1440025022.962007	C5kYaG3BckRrVOot89	10.251.26.99	5353	224.0.0.251	5353	udp	DNS	DNS_Conn_count_too_large
> 1440025022.962049	CrkZft38lJ0YqGqxsl	fe80::2acf:e9ff:fe1a:9aed	5353	ff02::fb	5353	udp	DNS	DNS_Conn_count_too_large
> for just UDP and port 5353 - multicast DNS
> Pcaps attached.
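The check quoted from DNS.cc above is a plain comparison of the header's qdcount field against dns_max_queries, and the weird.log lines in the report are what it emits when a multicast DNS message carries more questions than that limit. The following is an added example, not Bro's code: it parses the 12-byte DNS header (RFC 1035 §4.1.1), applies the same qdcount > dns_max_queries rule, and builds two constructed messages (an mDNS-style PTR query with eight questions and a unicast query with one) to show which of them trips the old limit of 5 and the raised limit of 25. The helper and constant names are the example's own.

```python
import struct
from typing import List, Optional

# Limits discussed in the ticket: the old hard-coded value and the redef-able one.
DNS_MAX_QUERIES_OLD = 5
DNS_MAX_QUERIES_NEW = 25

# Name of the weird/violation Bro raises; taken from the quoted DNS.cc snippet.
DNS_CONN_COUNT_TOO_LARGE = "DNS_Conn_count_too_large"


def parse_dns_header(data: bytes) -> dict:
    """Parse the fixed 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    return {
        "id": ident,
        "flags": flags,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def check_query_count(data: bytes, dns_max_queries: int) -> Optional[str]:
    """Mirror the DNS.cc check: a limit of 0 disables it, otherwise flag qdcount above it.

    Returns the weird name when the message would be flagged, else None.
    """
    hdr = parse_dns_header(data)
    if dns_max_queries > 0 and hdr["qdcount"] > dns_max_queries:
        return DNS_CONN_COUNT_TOO_LARGE
    return None


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label), terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(names: List[str], qtype: int = 12, qclass: int = 1) -> bytes:
    """Build a query message with one question per name (default QTYPE 12 = PTR, class IN)."""
    header = struct.pack("!6H", 0x0000, 0x0000, len(names), 0, 0, 0)
    questions = b"".join(encode_name(n) + struct.pack("!HH", qtype, qclass) for n in names)
    return header + questions


# Constructed sample messages (not from the attached pcap).
# A service-discovery style mDNS query asking about many services in one message:
MDNS_MULTI_QUESTION = build_query([
    "_http._tcp.local", "_ipp._tcp.local", "_printer._tcp.local", "_airplay._tcp.local",
    "_raop._tcp.local", "_ssh._tcp.local", "_smb._tcp.local", "_afpovertcp._tcp.local",
])
# A typical unicast lookup with a single question:
UNICAST_SINGLE_QUESTION = build_query(["example.com"], qtype=1)


def classify_samples() -> dict:
    """Evaluate both samples against both limits; keys are (sample, limit)."""
    samples = {"mdns": MDNS_MULTI_QUESTION, "unicast": UNICAST_SINGLE_QUESTION}
    results = {}
    for label, msg in samples.items():
        for limit in (DNS_MAX_QUERIES_OLD, DNS_MAX_QUERIES_NEW):
            results[(label, limit)] = check_query_count(msg, limit)
    return results


if __name__ == "__main__":
    for (label, limit), verdict in classify_samples().items():
        print(f"{label:8s} limit={limit:2d} -> {verdict or 'ok'}")
```

Running it shows the eight-question mDNS message flagged under the limit of 5 and accepted under 25, while the one-question unicast query passes both; the same rule with dns_max_queries set to 0 accepts everything, which is the "disable" behaviour the `> 0` guard in the quoted snippet provides.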



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

