DNS Unmatched msg/reply

Hi All,

I was looking into the Bro weird.log file, and finally decided to spare some time
tuning down the dns_unmatched_* messages in weird.log, as we usually get many
of them.

So to begin with, I first looked at weird.log, grep-ed the very first entry for dns_unmatched_msg,
and then grep-ed everything in *.log corresponding to that uid:

$ less *.log | grep "CgOnko1s28TKjoaB07"
1512410399.813927 CgOnko1s28TKjoaB07 41438 53 udp dns 0.003451 42 2638 SF F T 0 Dd 1 70 22694 (empty) worker-2-18
1512410399.813927 CgOnko1s28TKjoaB07 41438 53 udp 22592 0.003411 dns1.udel.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 86400.000000 F
1512410399.817378 CgOnko1s28TKjoaB07 41438 53 udp 22592 - dns1.udel.edu - - - - 0 NOERROR T F F F 0 86400.000000 F
1512410399.817338 CgOnko1s28TKjoaB07 41438 53 DNS_RR_unknown_type 46 F worker-2-18
1512410399.817378 CgOnko1s28TKjoaB07 41438 53 dns_unmatched_reply - F worker-2-18
1512410409.813946 CgOnko1s28TKjoaB07 41438 53 dns_unmatched_msg - F worker-2-18

Looks like Bro is seeing a proper connection (SF) in the conn.log entry,
and dns.log is logging the query and response, the second log entry above.
I am unsure of the third entry above, corresponding to dns.log.
Any reason weird.log would log a dns_unmatched* entry for this connection?

P.S: we have disabled the checksum offloading on the NIC.

Any thoughts?


It looks like you got two replies from a single query. This tends to happen frequently in DNS traffic unfortunately and I think it’s correct to log the second reply. The main problem that I’ve seen on my networks is the weirds that are being generated. I’m planning to get rid of dns_unmatched_msg and dns_unmatched_reply for the 2.6 release. They don’t actually tell you much and they both indicate far too common situations to be useful.


Ah, that makes sense. Thanks Seth!
We get a lot of weirds too corresponding to dns_unmatched messages every day.
Good to know that they will be going soon in the next major release of Bro :)
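For sites that want to quiet these two weirds before the 2.6 change lands, the weird framework's action table can be redefined from local.bro. The fragment below is an added example, not code from this thread or from the Bro distribution; it assumes Bro 2.5's `Weird::actions` table (base/frameworks/notice/weird.bro) and the `Weird::Action` enum values it defines.

```bro
# Added example, not from the thread above or from Bro itself.
# Place in local.bro (or any site script) to stop dns_unmatched_msg and
# dns_unmatched_reply from reaching weird.log on Bro 2.5.
#
# Assumption: the stock Weird::actions table, keyed by weird name, with
# &default=Weird::ACTION_LOG and a &redef attribute so it can be extended.

# Loaded by default; stated here only to make the dependency explicit.
@load base/frameworks/notice

redef Weird::actions += {
    # Seth's explanation above: these fire on duplicate replies to one query,
    # which are common in DNS traffic, so drop them outright.
    ["dns_unmatched_msg"]   = Weird::ACTION_IGNORE,
    ["dns_unmatched_reply"] = Weird::ACTION_IGNORE,

    # Less drastic alternatives if you still want a single breadcrumb:
    #   Weird::ACTION_LOG_ONCE      log one entry per weird name per run
    #   Weird::ACTION_LOG_PER_ORIG  log one entry per originating host
};
```

After deploying, `broctl check` validates the script and `broctl deploy` pushes it to the workers; the weird.log entries for these two names should stop, while the dns.log records for the duplicate reply (like the third line in the grep output above) remain, since the DNS analyzer still logs the second reply.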