Handle Google DNS SERVFAIL correctly in Quad9 detector

[ManaswibRane]

Handle Google DNS SERVFAIL correctly in Quad9 detector. Closes #3191

Description

This PR fixes incorrect handling of Google DNS SERVFAIL (Status = 2) in the
Quad9 malicious domain detector.

Previously, when Quad9 returned no answers and Google returned SERVFAIL,
the analyzer treated the domain as non-malicious (NXDOMAIN-like behavior).
SERVFAIL means the result is inconclusive (DNS server error, DNSSEC failure,
or backend issue) and must not be treated as a valid negative.

This change introduces explicit handling of SERVFAIL:

• Google Status=2 now returns an inconclusive result
• The analyzer reports malicious=False with a note explaining the DNS failure

This prevents false negatives when Google DNS is temporarily failing.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue).

Checklist

• I have read and understood the rules about how to Contribute to this project
• The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
  • If a new analyzer has beed added, I have created a unittest for it in the appropriate dir. I have also mocked all the external calls, so that no real calls are being made while testing.
  • I have added that raw JSON sample to the get_mocker_response() method of the unittest class. This serves us to provide a valid sample for testing.
  • I have created the corresponding DataModel for the new analyzer following the documentation
• I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
• Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
• If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

• If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
• Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review by using GitHub's reviewing system detailed here.

[ManaswibRane]

This scenario is not deterministically reproducible.Therefore, a stable automated test cannot be written.
The best way to handle it instead of changing the whole return type I returned None and added a check .Please let me know if any changes are required. Thanks !
Here's an example snippet of the response from the documentation.

{
  "Status": 2,  // SERVFAIL - Standard DNS response code (32 bit integer).
  "TC": false,  // Whether the response is truncated
  "RD": true,   // Always true for Google Public DNS
  "RA": true,   // Always true for Google Public DNS
  "AD": false,  // Whether all response data was validated with DNSSEC
  "CD": false,  // Whether the client asked to disable DNSSEC
  "Question":
  [
    {
      "name": "dnssec-failed.org.",  // FQDN with trailing dot
      "type": 1                      // A - Standard DNS RR type
    }
  ],
  "Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/dnssec-failed.org/dnssec/."
}

The analyzer was verified by forcing Google DNS Status to 2 in the analyzer and confirming that:

• The result is now reported as inconclusive
• It is no longer treated as non-malicious

[mlodic]

DNS

[mlodic]

use walrus operator

[ManaswibRane]

flake gave error status unused so I instead did this

data = google_response.json()
        # the DNS server encountered an internal error
        if data.get("Status") == 2:
            return None

[mlodic]

you have to populate the predefined "errors" key in the final report of the analyzer isntead of this. Also, you should add a log warning message.

[mlodic]

also add a wanring message and add the error in the "errors" key

[ManaswibRane]

done

 if google_answer is None:
                logger.warning(
                    f"Inconclusive result for {observable}: Google DNS SERVFAIL (Status 2)"
                )
                self.report.errors.append("inconclusive (google dns servfail)")

[ManaswibRane]

Hello @mlodic ,
I have implemented the requested changes. Please let me know if any further modifications are needed.
Apologies for the multiple commits.
Thank you.
For code consistency I have taking example of this in api_app/mixins.py

            logger.error(error_message)
            self.report.errors.append(error_message)

[mlodic]

thanks, last step please new screenshot of a new analysis to confirm the changes

[ManaswibRane]

Hello @mlodic ,
Here’s the screenshot. Thanks !