Questions about Bro's DNS Parser

Dear Mr. Paxson/Bro contributors,

My name is Daniela Miao, and I am currently a 3rd-year Computer
Engineering student at the University of Toronto. I have a couple of
questions regarding Bro's current DNS parser; I hope this will not
take up too much of your time.

Being currently involved in a Bell Canada research project, I am
responsible for analyzing some DNS traffic captured in a pcap
file. I discovered Bro's DNS parser, which is rather robust and
performs the exact operations that I need. However, I've run into some
problems with certain packets that contain DNS responses with errors.
I'm not sure what the exact problem is, but it seems that the Bro
parser is having trouble recognizing all the returned error codes
(indicating "malformed packet", "no such name exists", "server
failure", etc.). I have attached a fragment of the log file to
illustrate my point; as you can see, all the responses containing
errors simply turn into "A requested domain name".

I suspect that I have to customize the parser a bit so that it can
recognize all the error codes. However, since I'm not familiar with
the source code, I wanted to get some advice from you regarding this
problem before I blindly dive in.

I apologize if you are not the correct person I should be contacting.
If you could provide some resources/other contacts from whom I can
gain some direction, or advice, I would be very thankful.

Thank you for your time. I hope you have a nice day.

Sincerely,

Daniela

dns.log (2.24 KB)

Are you using the binpac-based parser? I was just running into trouble last night with error codes being returned incorrectly from the binpac parser. The hand-written parser was working fine for me, though.

   .Seth

Hey Seth,

Thanks for your help. However, I wasn't even aware of the binpac parser until you just mentioned it, so I think I am already using the hand-written one.

Just in case, this is the command I'm using:

bro -r test.pcap dns

I believe this is correct?

Thanks,

Daniela


Yes, that should be correct. Can you share the tracefile?

   .Seth

Hey Seth,

Sorry about the delay in responding; there is a confidentiality issue involved, so I had to first get the okay from my supervising professor.

Anyhow, I have attached a sample capture from the trace file, which contains DNS packets with returned errors (some response packets). I also took a look at dns.bro; if I'm not mistaken, the parser does not have any error-code-interpreting feature, and it all seems to be grouped into Weird::WEIRD_FILE. I suspect I'll just have to redefine that object.

Thank you very much for your help,

Daniela


p50.pcap (6.31 KB)

Anyhow, I have attached a sample capture from the trace file, which
contains DNS packets with returned errors (some response packets). I
also took a look at dns.bro; if I'm not mistaken, the parser does not
have any error-code-interpreting feature, and it all seems to be grouped
into Weird::WEIRD_FILE.

Do you mean errors based on the analyzer's parsing failing, or errors
indicated via the DNS protocol? The latter are logged in the DNS log file.
For the former, when I run on the file all I get in the weird file is IP
checksums. If I use -C to ignore these then I get a bunch of DNS log file
output that seems reasonable, so I'm not immediately seeing the problem.

    Vern

Hi Vern,

Thanks for your time. I was actually running into the IP checksum errors before, but then I discovered the -C option.

The problem is, even with the -C option, some packets that have error codes such as "Server Failure" or "No Such Name Exists" are not being logged in the DNS log file. The log file only contains information regarding packets that had no errors. This confuses me, since it appears that the dns-info.bro file contains the information required for deciphering error codes.

A closer look at the DNS log file as given right now reveals that whenever there is a packet that contains an error, the parser simply stalls and prints out the query as is, instead of deciphering the error code.

Any suggestions would be much appreciated, thank you very much,

Daniela


The problem is, even with the -C option, some packets that have error
codes such as "Server Failure" or "No Such Name Exists" are not being
logged in the DNS log file.

Ah - this rings a bell. I believe Seth has a fix for this problem (and
in general a reworked dns.bro), which would be great to incorporate into
the next Bro release. I'll let him comment further.

    Vern

I do have a dns-ext.bro script in my github repository. I even recently fixed it so that it's actually functional now! :)

http://github.com/sethhall/bro_scripts/blob/master/dns-ext.bro

I don't know if this will correct the problem you're having or not, but it's worth a try.

It outputs logs like this in "full" mode...
ts orig_h orig_p resp_h resp_p proto query_type query_class query transaction_id ttl flags error replies
1232039460.39003 161.58.49.99 5654 128.146.1.7 53 udp A C_INTERNET ns1.net.ohio-state.edu bf08 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.39091 161.58.49.99 1968 128.146.1.7 53 udp A C_INTERNET ns2.net.ohio-state.edu e04e 3600 {} NOERROR 0 {128.146.48.7, 128.146.1.21, 128.146.1.7}
1232039460.87 66.148.163.50 21468 140.254.37.68 53 udp A C_INTERNET a744.g.akamai.net 2fd6 20 {} NOERROR 0 {72.246.30.81, 72.246.30.73}

and like this in "minimal" query-only mode...
ts orig_h query_type query
1232039460.39003 161.58.49.99 A ns1.net.ohio-state.edu
1232039460.39091 161.58.49.99 A ns2.net.ohio-state.edu
1232039460.87 66.148.163.50 A a744.g.akamai.net

   .Seth
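The thread turns on one field: the RCODE in the DNS header, which is what distinguishes a NOERROR answer from a SERVFAIL or NXDOMAIN response and which the "error" column of the dns-ext.bro output above carries. The following is an added example, not Bro's parser or any of Seth's scripts: a small DNS-response decoder in Python that builds a few constructed response packets (sample input, not real traffic; the transaction IDs and names echo the log lines above), pulls out the transaction ID, query name, RCODE and any A-record answers, and maps the RCODE to its RFC 1035 mnemonic. The RCODES table, the helper names and the output record layout are assumptions for this example; the point is that an error response still carries a parseable question section and a meaningful RCODE, so nothing about it requires the packet to be skipped.

```python
import struct

# RCODE mnemonics from RFC 1035 (0-5); assumption: naming follows the
# dns-ext.bro "error" column style seen in the thread (e.g. NOERROR).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, answers=()):
    """Construct a DNS response for the example (sample input, not a capture).

    Header flags: QR=1, RD=1, RA=1, plus the requested RCODE in the low nibble.
    Each answer is an A record whose NAME is a compression pointer (0xC00C)
    back to the question name at offset 12.
    """
    flags = 0x8180 | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    body = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return hdr + question + body


def read_name(pkt, off):
    """Decode a possibly-compressed name at pkt[off]; return (name, next_offset).

    Compression pointers must point backwards, which rules out pointer loops.
    """
    labels, end = [], None
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            if end is None:
                end = off + 2                        # caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(pkt):
    """Parse header, question and A-record answers; never skip error responses."""
    if len(pkt) < 12:
        raise ValueError("truncated header")          # a genuinely malformed packet
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    rcode = flags & 0xF
    off, queries, replies = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        queries.append((name, qtype))
    for _ in range(an):                               # zero for NXDOMAIN/SERVFAIL
        _name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            replies.append(".".join(str(b) for b in rdata))
    return {"txid": "%04x" % txid,
            "query": queries[0][0] if queries else "",
            "rcode": rcode,
            "error": RCODES.get(rcode, "RCODE%d" % rcode),
            "replies": replies}


# Constructed samples: one clean answer, one NXDOMAIN, one SERVFAIL.
SAMPLES = [
    build_response(0xbf08, "ns1.net.ohio-state.edu", 0, ["128.146.48.7", "128.146.1.21"]),
    build_response(0x2fd6, "does-not-exist.example", 3),
    build_response(0xe04e, "a744.g.akamai.net", 2),
]


def parse_all(pkts=SAMPLES):
    return [parse_response(p) for p in pkts]


if __name__ == "__main__":
    for rec in parse_all():
        print(rec["txid"], rec["query"], rec["error"], rec["replies"])
```

The decoder treats only a short header, a truncated name or a forward compression pointer as malformed input; an RCODE of 2 or 3 is a well-formed response that still yields the query name, which is exactly what a DNS log should record.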

Hi Seth, Vern,

Thanks very much, I'll try this code and let you know the outcome! Just out of curiosity though, is this considered a bug in the current release? Or is this something else?

Daniela


Hi Seth, Vern,

Just a quick question regarding the dns-ext.bro code you provided me with. What is global-ext? I tried running this code on my machine, and it gave me a "cannot find global-ext" error; I then commented out the line that loads this file, and the script worked.

The problem is, the output file after running this script without the "@load global-ext" line is exactly the same as what I was getting before. I'm still not receiving the error codes that some of the response packets contain.

Thanks very much,

Daniela


Just out of curiosity though, is this considered a bug in the current
release? Or is this something else?

A bug. I don't think there's any plausible reason why such packets should
be skipped entirely; there's a flaw in the logic for processing them.

    Vern

Sorry I didn't explain that better. The scripts located in my github repository have several dependencies among them. You should probably just grab all of the scripts there and load the script you want. You also need to load the logging.dns-ext.bro script in order for dns-ext.bro to actually output any logs.

   .Seth