dns: tag each tx we get a reply for as replied

Also, detect and print when server says recursion is desired.
12 years ago · 9b736b6b9e
parent 2047e72cbe
commit 9b736b6b9e
4 changed files with 36 additions and 7 deletions
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@ -129,6 +129,7 @@ typedef struct DNSTransaction_ {
                                                         replied to. */
    uint8_t reply_lost;
    uint8_t no_such_name;                           /**< server said "no such name" */
+    uint8_t recursion_desired;                      /**< server said "recursion desired" */

    TAILQ_HEAD(, DNSQueryEntry_) query_list;        /**< list for query/queries */
    TAILQ_HEAD(, DNSAnswerEntry_) answer_list;      /**< list for answers */
--- a/src/app-layer-dns-tcp.c
+++ b/src/app-layer-dns-tcp.c
@ -439,6 +439,23 @@ static int DNSReponseParseData(Flow *f, DNSState *dns_state, const uint8_t *inpu
        }
    }

+    /* see if this is a "no such name" error */
+    if (ntohs(dns_header->flags) & 0x0003) {
+        SCLogDebug("no such name");
+        if (tx != NULL)
+            tx->no_such_name = 1;
+    }
+
+    if (ntohs(dns_header->flags) & 0x0080) {
+        SCLogDebug("recursion desired");
+        if (tx != NULL)
+            tx->recursion_desired = 1;
+    }
+
+    if (tx != NULL) {
+        tx->replied = 1;
+    }
+
 	SCReturnInt(1);
 bad_data:
 insufficient_data:
--- a/src/app-layer-dns-udp.c
+++ b/src/app-layer-dns-udp.c
@ -272,10 +272,18 @@ static int DNSUDPResponseParse(Flow *f, void *dstate,
    /* see if this is a "no such name" error */
    if (ntohs(dns_header->flags) & 0x0003) {
        SCLogDebug("no such name");
-
-        if (tx != NULL) {
+        if (tx != NULL)
            tx->no_such_name = 1;
-        }
+    }
+
+    if (ntohs(dns_header->flags) & 0x0080) {
+        SCLogDebug("recursion desired");
+        if (tx != NULL)
+            tx->recursion_desired = 1;
+    }
+
+    if (tx != NULL) {
+        tx->replied = 1;
    }

    SCReturnInt(1);
--- a/src/log-dnslog.c
+++ b/src/log-dnslog.c
@ -143,8 +143,10 @@ static void LogAnswer(LogDnsLogThread *aft, char *timebuf, char *srcip, char *ds
            "%s [**] Response TX %04x [**] ", timebuf, tx->tx_id);

    if (entry == NULL) {
-        MemBufferWriteString(aft->buffer,
-                "No Such Name");
+        if (tx->no_such_name)
+            MemBufferWriteString(aft->buffer, "No Such Name");
+        else if (tx->recursion_desired)
+            MemBufferWriteString(aft->buffer, "Recursion Desired");
    } else {
        /* query */
        if (entry->fqdn_len > 0) {
@ -284,9 +286,10 @@ static TmEcode LogDnsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQ
            LogQuery(aft, timebuf, dstip, srcip, dp, sp, tx, query);
        }

-        if (tx->no_such_name) {
+        if (tx->no_such_name)
+            LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);
+        if (tx->recursion_desired)
            LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);
-        }

        DNSAnswerEntry *entry = NULL;
        TAILQ_FOREACH(entry, &tx->answer_list, next) {