I am confused what the protocols/dns/detect-external-names.bro script is actually doing. The documentation reads
“This script detects names which are not within zones considered to be local but resolving to addresses considered local. The Site::local_zones variable must be set appropriately for this detection.”
What does ‘names which are not within zones considered to be local but resolving to addresses considered local’ mean? And how is it determined ?
Can you give an example which makes this clearer ?
It checks responses to DNS A record queries for an IP address in the answer that is considered local (based on the Site::local_nets variable), but the resolved DNS name (the query) is not in a local DNS zone (based on the Site::local_zones variable).
The IP and query locality tests in this script depend on both the Site::local_nets and Site::local_zones variables. If Site::local_zones is populated correctly, this script uses the Site::is_local_name function to see if the queried name belongs to a local DNS zone. Underneath its using a regular expression to match any subdomains of a zone specified in local_zones.
If the query doesn’t appear to be in a local zone, but the IP in the answer was, the script generates a Notice.
Exactly right. If you haven't already, I would say to just read the script. It's probably one of the most simple, but still useful scripts that ship with bro. Aside from some boilerplate that is common to any script that raises a notice and the event handling, the entire script is just a single if statement:
if ( Site::is_local_addr(a) && # referring to a local host
! Site::is_local_name(ans$query) ) # name isn't in a local zone.
# raise notice here
Am I correct in saying if xyz.com points to a local IP address but a.xyz.com resolves to an external IP address then the notice is generated.
So both site::local_nets and site::local_zones need to be defined externally in local.bro file using redef statements or does Bro automatically do by analysing traffic.
In addition what does defining the private IP address in the networks.cfg in bro/etc folder do ?
It’s actually kind of the other way around, a Notice would only be generated if a.xyz.com is not a local domain name (in other words “xyz.com” is not in Site::local_zones) however Bro sees a DNS query/response where that name resolved to a local IP address.
Think rogue DNS… if a Notice is generated by this script, you’re likely seeing an unauthorized DNS server, using a DNS zone you don’t own or manage, resolve A record queries to your local IP addresses.
Site::local_zones and Site::local_nets must be set manually, Bro won’t do this by analyzing traffic. However, if you populate networks.cfg, Bro will set Site::local_nets for you when it starts up.