dns: create transaction even if z-bit was set

It appears that DNS servers will still process a DNS request even if the z-bit is set, our parser will fail the transaction. So create the transaction, but still set the event. Ticket #4924
4 years ago · fcbdc30426
parent 4972021cd4
commit fcbdc30426
2 changed files with 16 additions and 12 deletions
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@ -393,15 +393,17 @@ impl DNSState {
                    return false;
                }

-                if request.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = request.header.flags & 0x0040 != 0;

                let mut tx = self.new_tx();
                tx.request = Some(request);
                self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                return true;
            }
            Err(Err::Incomplete(_)) => {
@ -430,11 +432,7 @@ impl DNSState {
                    self.set_event(DNSEvent::NotResponse);
                }

-                if response.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = response.header.flags & 0x0040 != 0;

                let mut tx = self.new_tx();
                if let Some(ref mut config) = &mut self.config {
@ -444,6 +442,12 @@ impl DNSState {
                }
                tx.response = Some(response);
                self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                return true;
            }
            Err(Err::Incomplete(_)) => {
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
@ -829,8 +829,8 @@ static int DetectDnsQueryTest05(void)
    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
                            buf2, sizeof(buf2));
-    if (r != -1) {
-        printf("toserver client 1 returned %" PRId32 ", expected -1\n", r);
+    if (r != 0) {
+        printf("toserver client 1 returned %" PRId32 ", expected 0\n", r);
        FLOWLOCK_UNLOCK(&f);
        FAIL;
    }