
fails to parse long qname #109

Closed
stirnim opened this issue Jun 1, 2022 · 1 comment · Fixed by #110

stirnim commented Jun 1, 2022

I have a pcap with DNS queries with long query names, e.g.:

tcpdump -n -r 20220529-flubot.pcap 
reading from file 20220529-flubot.pcap, link-type RAW (Raw IP)
08:05:04.923167 IP 47.106.97.183.15762 > 130.59.31.29.domain: 27974% [1au] TXT? f6aab6c3.0.0.im2tqm2bgeytancghfctiojqhbateobsguydmnbqgqydanjwgy3camtbgaydumr.qhjrdamjzhizdanryhjrdazrqhjswcnr2gnsgmyj2mq3tambaaeabjzpvymdk7d.4f4l474gvrbqshflfb237fgows7l5yeej5cfjcb3t25dxbba5y5qoi5pgyipmtp.7ntttufqzo2banz3rrdcsj.mpeepfvopjmjlwe.site. (277)
08:05:06.935222 IP 162.158.250.140.15441 > 130.59.31.29.domain: 60899 [1au] TXT? bccb371f.0.0.HBBTGMBXII3TQNBXGU2DIRJZIJATOOBTGFATERKDIU4TCOJSG44CAOBYFYZDGMB.OGQZC4MJTGQQACADPS3YJTW67RIBNQ6HGRXMPMXFTRSFK7RIOSGU2XFAJU2TXVR.3JRNXIO77WIB5I7XNNZQ4SENL6ZUBQJJVWVVPFVUSGHSV5UOBKMMACXOJBYAB5G.TPENJACHDDI625R6T34C54.mpeepfvopjmjlwe.site. (277)

packetq fails to parse the qname since version 1.7.0 (it works in 1.6.0)

packetq -c -s "select * from dns" 20220529-flubot.pcap 
"id","s","us","ether_type","src_port","dst_port","src_addr","dst_addr","protocol","ip_ttl","ip_version","fragments","qname","aname","msg_id","msg_size","opcode","rcode","extended_rcode","edns_version","z","udp_size","qd_count","an_count","ns_count","ar_count","qtype","qclass","qlabels","atype","aclass","attl","alabels","aa","tc","rd","cd","ra","ad","do","edns0","qr","edns0_ecs","edns0_ecs_family","edns0_ecs_source","edns0_ecs_scope","edns0_ecs_address"
1,1653804304,923167,2048,15762,53,"47.106.97.183","130.59.31.29",17,45,4,0,"mpeepfvopjmjlwe.site.","",27974,277,0,0,0,0,0,4096,1,0,0,1,16,1,9,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,""
2,1653804306,935222,2048,15441,53,"162.158.250.140","130.59.31.29",17,45,4,0,"mpeepfvopjmjlwe.site.","",60899,277,0,0,0,0,0,1452,1,0,0,1,16,1,9,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,""

It's interesting to note that the qlabels count is correct, though.

As I cannot attach the PCAP file, I converted it to hex characters using xxd -ps -c 20 20220529-flubot.pcap and added the output to CyberChef, where you can download the PCAP by pressing the save button in the "output" section:

https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')&input=ZD...

stirnim commented Jun 1, 2022

Changing the number from 512 to 8192 in the following code line fixes the problem:
https://github.com/DNS-OARC/PacketQ/blob/develop/src/dns.h#L115

But I'm not very familiar with how 512 needs to be interpreted in the code. This is just an observation.
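The 512 in question is a fixed-size output buffer for the presentation form of the qname, and the fix commit's "4 times the buffer" refers to escaping: a non-printable byte in a label is written as \DDD (4 characters), so a 255-octet wire name can expand to over 1000 characters. The following is an added illustration, not PacketQ's code: a bounds-checked decoder plus a constructed worst-case name showing that a 512-byte buffer is rejected while a 1024-byte one suffices.

```c
#include <stdio.h>
#include <string.h>

/* Worst case: every wire byte escaped as \DDD (4 chars), so a 255-octet name
 * needs >1000 bytes; a 512-byte buffer is too small ("4 times the buffer"). */
size_t qname_presentation_max(size_t wire_len) { return wire_len * 4 + 1; }

/* Decode an uncompressed wire-format name to presentation form, escaping '.',
 * '\' and non-printable bytes. Returns chars written (without NUL), or -1 if
 * the name is malformed or the output buffer is too small. */
int qname_to_text(const unsigned char *w, size_t wlen, char *out, size_t olen) {
    size_t i = 0, o = 0;
    while (i < wlen && w[i] != 0) {
        unsigned int len = w[i++];
        if ((len & 0xC0) || i + len > wlen) return -1; /* pointers not handled */
        for (unsigned int k = 0; k < len; k++, i++) {
            unsigned char c = w[i];
            size_t need = (c == '.' || c == '\\') ? 2 : (c < 0x20 || c > 0x7e) ? 4 : 1;
            if (o + need >= olen) return -1;         /* keep room for the NUL */
            if (need == 4) o += (size_t)snprintf(out + o, olen - o, "\\%03u", (unsigned)c);
            else { if (need == 2) out[o++] = '\\'; out[o++] = (char)c; }
        }
        if (o + 1 >= olen) return -1;
        out[o++] = '.';
    }
    if (o == 0) { if (olen < 2) return -1; out[o++] = '.'; } /* root name */
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample (not from the report): a 255-octet name whose labels
 * (63+63+63+61 bytes) are all 0x01, so every byte needs \001 escaping. */
size_t build_worst_case_qname(unsigned char *buf, size_t blen) {
    static const size_t lab[] = {63, 63, 63, 61}; size_t n = 0;
    for (size_t l = 0; l < 4; l++) {
        if (n + lab[l] + 2 > blen) return 0;
        buf[n++] = (unsigned char)lab[l];
        memset(buf + n, 0x01, lab[l]);
        n += lab[l];
    }
    buf[n++] = 0;
    return n; /* 255 */
}

/* Decode the worst-case name into 512- and 1024-byte buffers: -2 if the
 * 512-byte buffer wrongly succeeds, otherwise the escaped length (1004). */
int worst_case_escaped_length(void) {
    unsigned char wire[256]; char small[512], big[1024];
    size_t n = build_worst_case_qname(wire, sizeof wire);
    if (n == 0 || qname_to_text(wire, n, small, sizeof small) != -1) return -2;
    return qname_to_text(wire, n, big, sizeof big);
}
```

Without the bounds check, the same 250 escaped bytes would be written past the end of a 512-byte buffer, which is why sizing the buffer at four times the maximum wire length is the safe choice.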

jelu added a commit to jelu/PacketQ that referenced this issue Jun 2, 2022
- Fix DNS-OARC#109: Need 4 times the buffer due to possible escaping
@jelu jelu mentioned this issue Jun 2, 2022
@jelu jelu closed this as completed in #110 Jun 2, 2022