Unexpected dns.log results on zeek 5.1

Hi there!
Recently I’ve been trying to upgrade from Zeek 3 to the latest Zeek 5 version.
When I look at the dns.log on both versions, the Zeek 5 log is a bit smaller.
I noticed that version 5 is missing the lines where the answers field is unknown type=65 and unknown type=64. For some reason Zeek doesn’t show them on version 5.

example of one of the missing lines:
fields:
ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,trans_id,rtt,query,qclass,qclass_name,qtype,qtype_name,rcode,rcode_name,AA,TC,RD,RA,Z,answers,TTLs,rejected
values:
1.67413E+12,Ceo7KR1yJmyzdJMrQ8,192.168.10.1,60977,8.8.8.8,53,udp,38370,-,facebook.com,-,-,-,-,0,NOERROR,F,F,F,T,0,,300,F

Why doesn’t Zeek 5 show those lines in dns.log?

Hi,

I think parsing for types 64/65 was added after the Zeek version you were running - these should be SVCB/HTTPS query types. They should be logged.

If they are not logged as those types of queries - could you see if there is either a dpd.log entry for the connections, or an entry in weird.log, indicating something like:

“DNS_SVCB_wrong_length”

If you happen to have a pcap that exhibits this behaviour, you could also open a bug on Github, append the cap, and we will take a look.

I do find many “DNS_Conn_count_too_large” entries in weird.log.
How does that affect dns.log?

DNS_Conn_count_too_large is raised when Zeek sees a DNS message that seems to have more than 25 queries in it. This is done to prevent the parsing of non-DNS traffic on port 53, and the setting can be changed.

Traffic that hits this case is discarded and not further logged.

So - there is a chance that you either have weird DNS traffic with lots of queries, or that there is non-DNS traffic on port 53. To decide which of the two it is, you probably have to look at the actual traffic in question. If you are able to share some packets that cause this, we should be able to tell you if this is DNS or non-DNS traffic.
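To make the two effects discussed in this thread concrete, the following is an added example (not code from the thread or from Zeek itself): a small DNS message parser that applies the same header-level check the reply describes, i.e. refusing to parse a message whose question count exceeds a threshold of 25, and otherwise decodes the question section so that type 64 (SVCB) and type 65 (HTTPS) queries can be seen. The helper names, the `MAX_QUERIES` constant and the sample messages are this example's own constructions; the weird-name strings are reused only as labels for the verdict.

```python
import struct

# Threshold mirroring the default the reply refers to (Zeek's dns_max_queries = 25).
# The constant name is this example's own.
MAX_QUERIES = 25

QTYPE_NAMES = {1: "A", 28: "AAAA", 64: "SVCB", 65: "HTTPS"}


def encode_name(name):
    """Encode a dotted name as RFC 1035 labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(trans_id, questions, qdcount=None):
    """Build a DNS query (constructed test input). qdcount can be forced to
    disagree with the real number of questions to imitate a payload on
    port 53 that is not really DNS."""
    n = len(questions) if qdcount is None else qdcount
    header = struct.pack("!HHHHHH", trans_id, 0x0100, n, 0, 0, 0)  # RD set
    body = b"".join(encode_name(q) + struct.pack("!HH", t, 1) for q, t in questions)
    return header + body


def read_name(msg, off):
    """Decode a name starting at msg[off]; returns (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def triage(msg, max_queries=MAX_QUERIES):
    """Return a dict describing the message, or a 'weird' verdict.

    A qdcount above max_queries is the situation that, per the reply above,
    makes Zeek emit DNS_Conn_count_too_large and stop parsing the message,
    so nothing from it reaches dns.log."""
    if len(msg) < 12:
        return {"weird": "DNS_truncated_header"}  # label is this example's own
    trans_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount > max_queries:
        return {"weird": "DNS_Conn_count_too_large", "qdcount": qdcount}
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, QTYPE_NAMES.get(qtype, f"unknown type={qtype}")))
    return {"trans_id": trans_id, "qdcount": qdcount, "questions": questions}


# Constructed samples: an HTTPS (type 65) query like the missing dns.log line,
# a real query carrying 30 questions, and a payload whose header claims 300.
HTTPS_QUERY = build_query(38370, [("facebook.com", 65)])
MANY_QUESTIONS = build_query(2, [(f"h{i}.example", 1) for i in range(30)])
BOGUS_PORT53 = build_query(1, [("facebook.com", 1)], qdcount=300)

if __name__ == "__main__":
    for label, m in [("https", HTTPS_QUERY), ("many", MANY_QUESTIONS), ("bogus", BOGUS_PORT53)]:
        print(label, triage(m))
    # Raising the threshold, as the reply says the setting allows, lets the
    # 30-question message through; the bogus payload is still rejected.
    print("many@50", triage(MANY_QUESTIONS, max_queries=50)["qdcount"])
```

Run against the three constructed messages, the type 65 query decodes as `facebook.com HTTPS`, the 30-question message is rejected under the default threshold but parsed when the limit is raised to 50, and the payload claiming 300 questions is rejected either way. Before raising the limit on a real sensor, look at the rejected packets first: a high qdcount in otherwise sane traffic is unusual, and the more common cause is non-DNS traffic on port 53.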