You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It appears that the Recursor protobuf implementation only includes a DNSRR message if the RR type is A, AAAA, or CNAME. For those of us wanting to log the answers received for TXT, NS, PTR, and SOA (and other non-A/AAAA/CNAME RRs), we are unable to get this information.
Environment
Operating system: CentOS 7.4.1708
Software version: Recursor 4.0.7
Software source: PowerDNS CentOS repo
Steps to reproduce
Configure pdns_recursor to output protobuf (we use protobufServer("127.0.0.1:5454", 2, 100, 1, 32, 128) to send the data to a sidecar Go binary that parses protobuf.
Parse PBDNSMessage, DNSResponse inside of that, and attempt to extract data from DNSRR for non-A/AAAA/CNAME types.
Observe NULL data for non-A/AAAA/CNAME types.
Expected behaviour
The nested data in PBDNSMessage{ DNSResponse{ DNSRR {...} } } should be accessible/non-null, as A/AAAA/CNAME are. For A/AAAA/CNAMEs, our sidecar protobuf parser emits the following JSON:
As you can see, the answer and type keys are empty/null/nil in the response because there is no data in the DNSRR message (where these elements come from: PBDNSMessage{ DNSResponse{ DNSRR {type and Rdata} } }. The type and class in the query is non-empty/null/nil because we get that from PBDNSMessage{ DNSQuestion { qType and qClass }}.
Other information
Being able to access string data for records like TXT, NS, PTR, SOA, MX, SPF, and SRV would be beneficial to trace the majority of query responses.
Usecase
We are recording query/answer information at the recursor for analysis/forensics in case of malware using DNS for C&C. As such, the answers for RR TYPEs like TXT are extremely advantageous to have.
Description
The software should provide a DNSRR message for all valid responses. Popular and lower-hanging fruit include types mentioned above (TXT, NS, PTR, SOA, MX, SPF, and SRV). Some may have use cases for DNSSEC TYPEs.
The text was updated successfully, but these errors were encountered:
Short description
It appears that the Recursor protobuf implementation only includes a
DNSRR
message if the RR type is A, AAAA, or CNAME. For those of us wanting to log the answers received for TXT, NS, PTR, and SOA (and other non-A/AAAA/CNAME RRs), we are unable to get this information.Environment
Steps to reproduce
protobufServer("127.0.0.1:5454", 2, 100, 1, 32, 128)
to send the data to a sidecar Go binary that parses protobuf.PBDNSMessage
,DNSResponse
inside of that, and attempt to extract data fromDNSRR
for non-A/AAAA/CNAME types.NULL
data for non-A/AAAA/CNAME types.Expected behaviour
The nested data in
PBDNSMessage{ DNSResponse{ DNSRR {...} } }
should be accessible/non-null, as A/AAAA/CNAME are. For A/AAAA/CNAMEs, our sidecar protobuf parser emits the following JSON:Actual behaviour
The data in the
DNSRR
message does not exist, likely due toin rec-protobuf.cc here. As such, our sidecar protobuf parser emits the following:
As you can see, the
answer
andtype
keys are empty/null/nil in the response because there is no data in theDNSRR
message (where these elements come from:PBDNSMessage{ DNSResponse{ DNSRR {type and Rdata} } }
. Thetype
andclass
in the query is non-empty/null/nil because we get that fromPBDNSMessage{ DNSQuestion { qType and qClass }}
.Other information
Being able to access string data for records like TXT, NS, PTR, SOA, MX, SPF, and SRV would be beneficial to trace the majority of query responses.
Usecase
We are recording query/answer information at the recursor for analysis/forensics in case of malware using DNS for C&C. As such, the answers for RR TYPEs like TXT are extremely advantageous to have.
Description
The software should provide a
DNSRR
message for all valid responses. Popular and lower-hanging fruit include types mentioned above (TXT, NS, PTR, SOA, MX, SPF, and SRV). Some may have use cases for DNSSEC TYPEs.The text was updated successfully, but these errors were encountered: