[Bro] Questions about Bro's DNS Parser

daniela.miao at utoronto.ca daniela.miao at utoronto.ca
Mon Feb 8 08:27:54 PST 2010


Hi Seth, Vern,

Thanks very much, I'll try this code and let you know the outcome!  
Just out of curiosity though, is this considered a bug in the current  
release? Or is this something else?

Daniela

Quoting Seth Hall <hall.692 at osu.edu>:

>
> On Feb 7, 2010, at 2:00 AM, Vern Paxson wrote:
>
>>> The problem is, even with the -C option, some packets that have error
>>> codes such as "Server Failure" or "No Such Name Exists" are not being
>>> logged in the DNS log file.
>>
>> Ah - this rings a bell.  I believe Seth has a fix for this problem (and
>> in general a reworked dns.bro), which would be great to incorporate into
>> the next Bro release.  I'll let him comment further.
>
>
> I do have a dns-ext.bro script in my github repository.  I even
> recently fixed it so that it's actually functional now! :)
>
> http://github.com/sethhall/bro_scripts/blob/master/dns-ext.bro
>
> I don't know if this will correct the problem you're having or not, but
> it's worth a try.
>
> It outputs logs like this in "full" mode...
> ts	orig_h	orig_p	resp_h	resp_p	proto	query_type	query_class	query	transaction_id	ttl	flags	error	replies
> 1232039460.39003	161.58.49.99	5654	128.146.1.7	53	udp	A	C_INTERNET	ns1.net.ohio-state.edu	bf08	3600	{}	NOERROR	0	{128.146.48.7, 128.146.1.21, 128.146.1.7}
> 1232039460.39091	161.58.49.99	1968	128.146.1.7	53	udp	A	C_INTERNET	ns2.net.ohio-state.edu	e04e	3600	{}	NOERROR	0	{128.146.48.7, 128.146.1.21, 128.146.1.7}
> 1232039460.87	66.148.163.50	21468	140.254.37.68	53	udp	A	C_INTERNET	a744.g.akamai.net	2fd6	20	{}	NOERROR	0	{72.246.30.81, 72.246.30.73}
>
> and like this in "minimal" query-only mode...
> ts	orig_h	query_type	query
> 1232039460.39003	161.58.49.99	A	ns1.net.ohio-state.edu
> 1232039460.39091	161.58.49.99	A	ns2.net.ohio-state.edu
> 1232039460.87	66.148.163.50	A	a744.g.akamai.net
>
>   .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
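
The following is an added example, not part of the original message and not code from dns-ext.bro: it rejoins "full"-mode records that an e-mail client has wrapped, as in the quote above, and counts responses whose error field is not NOERROR. The second and third sample rows, their 192.0.2.x addresses and example.com names are constructed, and the NXDOMAIN and SERVFAIL spellings are assumed rather than taken from the script.

```python
import collections

HEADER = ("ts orig_h orig_p resp_h resp_p proto query_type query_class "
          "query transaction_id ttl flags error replies").split()

# Constructed sample, "> "-quoted and wrapped the way the mail shows it.
# Row 1 follows the post; rows 2-3 are invented (rcode spellings assumed).
SAMPLE = "\n".join("> " + l for l in [
    "\t".join(HEADER),
    "1232039460.39003\t161.58.49.99\t5654\t128.146.1.7\t53\tudp\tA\tC_INTERNET"
    "\tns1.net.ohio-state.edu\tbf08\t3600\t{}\tNOERROR\t0\t{128.146.48.7,   ",
    "128.146.1.21,",
    "128.146.1.7}",
    "1232039461.10\t192.0.2.10\t40000\t192.0.2.53\t53\tudp\tA\tC_INTERNET"
    "\tmissing.example.com\t1a2b\t0\t{}\tNXDOMAIN\t0\t{}",
    "1232039461.20\t192.0.2.10\t40001\t192.0.2.53\t53\tudp\tA\tC_INTERNET"
    "\tbroken.example.com\t1a2c\t0\t{}\tSERVFAIL\t0\t{}",
])

def unwrap(text):
    """Yield whole records: drop quote markers, rejoin lines until {} balance."""
    buf = ""
    for line in text.splitlines():
        part = line.lstrip("> ").rstrip(" ")
        if not part:
            continue
        buf = f"{buf} {part}" if buf else part
        if buf.count("{") == buf.count("}"):
            yield buf
            buf = ""

def parse(text):
    """Return one dict per record; named columns up to 'error', replies as a list."""
    rows = []
    for rec in unwrap(text):
        f = rec.split("\t")
        if f[0] == "ts" or len(f) < len(HEADER):
            continue  # header line or truncated record
        row = dict(zip(HEADER[:-1], f))
        # The post's data rows carry one more field than the header names,
        # so the reply set is taken from the last field, not by position.
        row["replies"] = [r.strip() for r in f[-1].strip("{}").split(",") if r.strip()]
        rows.append(row)
    return rows

def failed_lookups(rows):
    """Count (client, error) pairs for every response that is not NOERROR."""
    return collections.Counter(
        (r["orig_h"], r["error"]) for r in rows if r["error"] != "NOERROR")

if __name__ == "__main__":
    for (client, err), n in failed_lookups(parse(SAMPLE)).items():
        print(client, err, n)
```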






