Skip to content

Commit

Permalink
Merge pull request #643 from McStork/cherry1.1-dns-tcp
Browse files Browse the repository at this point in the history
Backport - DNS over TCP clean-up and improvements
  • Loading branch information
andrewkroh committed Jan 7, 2016
2 parents d52029e + 511c224 commit 8f15afd
Show file tree
Hide file tree
Showing 10 changed files with 1,537 additions and 1,220 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ https://github.com/elastic/beats/compare/1.0.0...master[Check the HEAD diff]
- Make logstash output compression level configurable. {pull}630[630]

*Packetbeat*
- Add support for capturing DNS over TCP network traffic. {pull}486[486] {pull}554[554]

*Topbeat*
- Group all cpu usage per core statistics and export them optionally if cpu_per_core is configured {pull}496[496]
Expand Down
43 changes: 43 additions & 0 deletions packetbeat/protos/dns/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#### UDP

**Parsing**

1. Attempt to decode each UDP packet.
2. If it succeeds, a transaction is sent.

**Error management**
* Debug information is printed if:
* A packet fails to decode.

* Error Notes are published if:
* Never

#### TCP

**Parsing**

1. Fetch the first two bytes of a message containing the length of the message ([RFC 1035](https://www.ietf.org/rfc/rfc1035.txt)).
2. Fill the buffer ```DnsStream.rawData``` with each new ```Parse```.
3. Once the buffer has the expected length (first two bytes), it is decoded and the message is published.

**Error management**
* Debug information is printed if:
* A message has an unexpected length at any point of the transmission (```Parse```, ```GapInStream```, ```ReceivedFin```).
* A message fails to decode.

* Error Notes are published if:
* A response following a request (```dnsConnectionData.prevRequest```) fails to decode.
* A response following a request (```dnsConnectionData.prevRequest```) has an unexpected length at any point of the transmission (```Parse```, ```GapInStream```, ```ReceivedFin```).

When response error Notes are linked to the previous request, the transaction is then published and removed from the cache (see ```publishResponseError()```).

#### TODO

**General**
* Publish an event with Notes when a Query or a lone Response cannot be decoded.
* Add EDNS and DNSSEC support (consider using miekg/dns instead
of gopacket).
* Consider adding ICMP support to
- correlate ICMP type 3, code 4 (datagram too big) with DNS messages,
- correlate ICMP type 3, code 13 (administratively prohibited) or
ICMP type 3, code 3 (port unreachable) with blocked DNS messages.
Loading

0 comments on commit 8f15afd

Please sign in to comment.