[ https://bro-tracker.atlassian.net/browse/BIT-1064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pietro Delsante updated BIT-1064:
---------------------------------

Attachment: nxdomain.pcap

PCAP file containing a request and response of a nonexistent domain; the server is answering with RCODE=3 (NXDOMAIN). This happens both with my internal DNS server and with Google's 8.8.8.8.

> DNS Analyzer does not correctly log NXDOMAIN answers
> ----------------------------------------------------
>
>                 Key: BIT-1064
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1064
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.1
>         Environment: Bro 2.1 running on SecurityOnion 12.04-2
>            Reporter: Pietro Delsante
>              Labels: dns, nxdomain
>         Attachments: nxdomain.pcap, nxdomain_pcap.png
>
>
> Hi, I am running Bro 2.1 on Security Onion 12.04-2 updated to the latest
> available packages.
> It looks like Bro's DNS analyzer is not assigning the correct rcode and
> rcode_name in the output log when the query is of type A and the server
> answers with a rcode=3 (NXDOMAIN): instead, it puts a dash "-" in both
> fields, like this:
> {noformat}
> 1377179281.104465|prGZzGRr1M4|192.168.X.Y|45406|8.8.8.8|53|udp|64928|www.this-domain-does-not-exist.it|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> {noformat}
> that is, exploded:
> {noformat}
> ts: 1377179281.104465
> uid: prGZzGRr1M4
> id: 192.168.X.Y|45406|8.8.8.8|53
> proto: udp
> trans_id: 64928
> query: www.this-domain-does-not-exist.it
> qclass: 1
> qclass_name: C_INTERNET
> qtype: 1
> qtype_name: A
> rcode: -
> rcode_name: -
> AA: F
> TC: F
> RD: T
> RA: F
> Z: 0
> answers: -
> TTLs: -
> {noformat}
> The only case in which I see those values set correctly (rcode: 3,
> rcode_name: NXDOMAIN) is when Bro is logging a PTR query:
> {noformat}
> 1377079094.159646|XRRCSUItHlj|192.168.X.Y|39362|8.8.8.8|53|udp|54306|1.0.168.192.in-addr.arpa|1|C_INTERNET|12|PTR|3|NXDOMAIN|F|F|T|F|0|-|-
> {noformat}
> The attachment is a screenshot from a wireshark capture of the DNS query
> showing that the server is actually answering with NXDOMAIN.
> The only change I made to the default configuration was to enable the
> extraction of executable files from HTTP and SMTP fluxes, so this should have
> nothing to do with this issue.
> Should you need any more info about my setup, please let me know.
> Thanks,
> Pietro

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
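An added example, not part of the report or of Bro's own code, showing where RCODE sits in the DNS header and that it is read the same way for an A and a PTR question; the responses are constructed to mirror the two log lines above (transaction IDs 64928 and 54306, zero answers, RD set, RA clear), and the helper names are mine.

```python
import struct

# RCODE names from RFC 1035; these match the rcode_name values Bro writes.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(trans_id, qname, qtype, rcode, rd=True, ra=False):
    """Constructed server reply with the question echoed and no answer RRs,
    which is what a resolver returns for a nonexistent name."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", trans_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte header. RCODE is the low 4 bits of the flags word,
    so the question type never affects how it is extracted."""
    trans_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "trans_id": trans_id,
        "QR": bool(flags & 0x8000),   # 1 = response
        "AA": bool(flags & 0x0400),
        "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100),
        "RA": bool(flags & 0x0080),
        "Z": (flags >> 4) & 0x7,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an,
    }


def log_fields(msg):
    """The rcode/rcode_name pair a dns.log line should carry for this message;
    a query (QR=0) has no rcode yet, hence the dashes."""
    h = parse_header(msg)
    return (h["rcode"], h["rcode_name"]) if h["QR"] else ("-", "-")
```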