
Mirrored DNS traffic appears as "failed" #106

Open
lmarl opened this issue Jul 2, 2018 · 10 comments

@lmarl

lmarl commented Jul 2, 2018

Hello,

When sending mirrored traffic to passiveDNS it is not able to decode it. All DNS UDP requests appear as "failed". However, if I try with normal (non-mirrored) traffic on the same machine and the same compilation, it works fine. You can find an example below (traffic on enp4s0 is mirrored traffic and traffic on enp3s0 is my usual network interface):

root@srv-cash:/opt/passivedns/src# cat /dev/null > /var/log/passivedns.log
root@srv-cash:/opt/passivedns/src# ./passivedns -i enp4s0 # MIRRORED TRAFFIC

[*] PassiveDNS 1.2.1
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.7.4
[*] Using ldns version 1.6.17
[*] Device: enp4s0
[*] Sniffing...

^C
-- Total DNS records allocated : 0
-- Total DNS assets allocated : 0
-- Total DNS packets over IPv4/TCP : 1
-- Total DNS packets over IPv6/TCP : 0
-- Total DNS packets over TCP decoded : 0
-- Total DNS packets over TCP failed : 1
-- Total DNS packets over IPv4/UDP : 317
-- Total DNS packets over IPv6/UDP : 0
-- Total DNS packets over UDP decoded : 0
-- Total DNS packets over UDP failed : 317

-- Total packets received from libpcap : 373
-- Total Ethernet packets received : 373
-- Total VLAN packets received : 373

[*] passivedns ended.
root@srv-cash:/opt/passivedns/src# cat /var/log/passivedns.log

####EMPTY#####

root@srv-cash:/opt/passivedns/src# ./passivedns -i enp3s0 # NORMAL TRAFFIC

[*] PassiveDNS 1.2.1
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.7.4
[*] Using ldns version 1.6.17
[*] Device: enp3s0
[*] Sniffing...

^C
-- Total DNS records allocated : 8
-- Total DNS assets allocated : 9
-- Total DNS packets over IPv4/TCP : 0
-- Total DNS packets over IPv6/TCP : 0
-- Total DNS packets over TCP decoded : 0
-- Total DNS packets over TCP failed : 0
-- Total DNS packets over IPv4/UDP : 10
-- Total DNS packets over IPv6/UDP : 0
-- Total DNS packets over UDP decoded : 7
-- Total DNS packets over UDP failed : 3

-- Total packets received from libpcap : 20
-- Total Ethernet packets received : 20
-- Total VLAN packets received : 20

[*] passivedns ended.
root@srv-cash:/opt/passivedns/src# cat /var/log/passivedns.log
1530541289.416854||10.5.2.43||10.5.4.4||IN||www.github.com.||CNAME||github.com.||3600||1
1530541289.416854||10.5.2.43||10.5.4.4||IN||github.com.||A||192.30.253.112||60||1
1530541289.416854||10.5.2.43||10.5.4.4||IN||github.com.||A||192.30.253.113||60||1
1530541289.585482||10.5.2.43||10.5.4.4||IN||112.253.30.192.in-addr.arpa.||PTR||lb-192-30-253-112-iad.github.com.||3600||1
1530541300.649830||10.5.2.43||10.5.4.4||IN||www.amazon.co.uk.||CNAME||www.cdn.amazon.co.uk.||1800||1
1530541300.649830||10.5.2.43||10.5.4.4||IN||www.cdn.amazon.co.uk.||CNAME||www.amazon.co.uk.edgekey.net.||60||1
1530541300.649830||10.5.2.43||10.5.4.4||IN||www.amazon.co.uk.edgekey.net.||CNAME||e15314.ci.akamaiedge.net.||300||1
1530541300.649830||10.5.2.43||10.5.4.4||IN||e15314.ci.akamaiedge.net.||A||23.60.210.226||20||1
1530541301.310547||10.5.2.43||10.5.4.4||IN||226.210.60.23.in-addr.arpa.||PTR||a23-60-210-226.deploy.static.akamaitechnologies.com.||43200||1

Do you know what could be happening?

@lmarl
Author

lmarl commented Jul 2, 2018

Trying with a pcap captured with mirrored traffic, it does not show any DNS request (and they are there...)

root@srv-cash:/opt/passivedns# tcpdump -i enp4s0 port 53 -w p53.pcap
tcpdump: listening on enp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C5 packets captured
7 packets received by filter
0 packets dropped by kernel

root@srv-cash:/opt/passivedns# ./src/passivedns -r p53.pcap

[*] PassiveDNS 1.2.1
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.7.4
[*] Using ldns version 1.6.17
[*] Reading from file p53.pcap

-- Total DNS records allocated : 0
-- Total DNS assets allocated : 0
-- Total DNS packets over IPv4/TCP : 0
-- Total DNS packets over IPv6/TCP : 0
-- Total DNS packets over TCP decoded : 0
-- Total DNS packets over TCP failed : 0
-- Total DNS packets over IPv4/UDP : 0
-- Total DNS packets over IPv6/UDP : 0
-- Total DNS packets over UDP decoded : 0
-- Total DNS packets over UDP failed : 0
-- Total packets received from libpcap : 0
-- Total Ethernet packets received : 0
-- Total VLAN packets received : 0

[*] passivedns ended.

tcpdump shows the DNS traffic:

root@srv-cash:/opt/passivedns# tcpdump -qns 0 -A -r p53.pcap
reading from file p53.pcap, link-type EN10MB (Ethernet)
16:40:49.798342 IP 216.239.38.10.53 > 185.179.104.4.22468: UDP, length 72
E..d..........&
..h..5W..P...............pagead46.l.doubleclick.net..............,....P@......... .
16:40:49.827420 IP 216.239.38.10.53 > 185.179.104.4.34051: UDP, length 72
E..d.......)..&
..h..5...P.VPD...........pagead46.l.doubleclick.net..............,..
..P@......... .
16:40:51.385650 IP 95.101.181.181.53 > 185.179.104.4.27413: UDP, length 80
E..l,,..7. ._e....h..5k..X...............a802.w23.akamai.net.......................................)........
16:40:51.415684 IP 95.101.181.181.53 > 185.179.104.4.8662: UDP, length 80
E..l....7.f._e....h..5!..X.R.............a802.w23.akamai.net.......................................)........
root@srv-cash:/opt/passivedns#

Any idea?

@lmarl
Author

lmarl commented Jul 3, 2018

I attach
p53.zip

the pcap file with the 3/4 DNS requests shown in my previous post.

Please let me know if there's a solution for this.

Thank you!

@gamelinux
Owner

The p53.pcap does not contain any valid Query+Answers.
I see one query and 4 answers, none from the same DNS "session".

Make sure you see the client query AND the server answer to that query...

202.144.91.179.21098 > 185.179.104.4.53: (Query)
185.179.104.4.53 > 202.144.91.179.21098: (You are missing the Answer... this packet is not in the pcap)

E

@lmarl
Author

lmarl commented Jul 3, 2018

OK, I finally fixed (temporarily) the problem by commenting out the "Check the DNS TID" section in dns.c:

    //if ((pi->cxt->plid == ldns_pkt_id(dns_pkt))) {
    //    dlog("[D] DNS Query TID match Answer TID: %d\n", pi->cxt->plid);
    //}
    //else {
    //    dlog("[D] DNS Query TID did not match Answer TID: %d != %d - Skipping!\n",
    //         pi->cxt->plid, ldns_pkt_id(dns_pkt));
    //    ldns_pkt_free(dns_pkt);
    //    update_dns_stats(pi,ERROR);
    //    return;
    //}

Now it seems to be parsing the DNS queries... The problem was that pi->cxt->plid was always 0. What is that value?

Yep, the p53.dns pcap I included is too short (I realized later), however with a longer pcap the problem persisted.

Thank you for your help!

@gamelinux
Owner

pi->cxt->plid should be the transaction identifier (TXID) recorded from the "Query" packet.
The check is to see if the "Answer" packet has the same transaction ID (it should have).

@lmarl
Author

lmarl commented Jul 3, 2018

I can see (with Wireshark) that both DNS request and reply packets include their Transaction ID. However, the pi->cxt->plid value seems to be always 0. I can send you another (longer) PCAP if you want.

Rgds

@gamelinux
Owner

I don't need a longer pcap. I would just like to have a pcap with one query and its answer :)

Carve one out, something like: tcpdump -r long.pcap -w one.pcap 'udp and host x.y.z.n and port nnnn and host a.b.c.d and port 53'

All I would need is two packets... the query, and the answer.... (they should have the same TID)

E

@gamelinux
Owner

How is this going?

@45hur

45hur commented Dec 5, 2018

Same issue as lmarl.

[passivedns.c:472(connection_tracking)] [D] Context check = 0, hash = 56847.
[passivedns.c:522(connection_tracking)] [D] New connection, hash = 56847.
[passivedns.c:422(parse_udp)] [D] Parsing UDP packet...
[dns.c:117(dns_parser)] [D] DNS Answer without a Question total=[1]?: Query TID = 0 and Answer TID = 9259
        dlog("[D] DNS Answer without a Question total=[%d]?: Query TID = %x and Answer TID = %x\n",
        (int)pi->cxt->s_total_pkts, pi->cxt->plid, ldns_pkt_id(dns_pkt));

I'd say commenting out that check is dirty, but it suits the purpose.
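To make the cause concrete, here is an added Python model of the check this thread is discussing. It is example code written for this page, not passivedns's own dns.c: it records the transaction ID of each query per flow (the role gamelinux describes for pi->cxt->plid) and compares every answer against it. The names FlowContext, DnsTracker and build_dns, and the sample packets and addresses, are constructed for the example. Feeding the tracker only the server-to-client direction reproduces the "Answer without a Question" / TID-mismatch outcome seen in 45hur's debug line above; feeding it both directions decodes normally, and an answer carrying a different TID than the query on an observed flow still fails, which is the case the check exists to catch.

```python
import struct
from dataclasses import dataclass


# ---- Constructed sample DNS messages (built here, not captured) --------------

def build_dns(tid: int, is_response: bool, qname: str = "example.com") -> bytes:
    """Build a minimal DNS message: 12-byte header plus one A/IN question."""
    flags = 0x8180 if is_response else 0x0100   # QR bit (0x8000) marks a response
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_tid_and_qr(payload: bytes):
    """Return (transaction ID, is_response) parsed from the fixed DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    tid, flags = struct.unpack("!HH", payload[:4])
    return tid, bool(flags & 0x8000)


@dataclass
class FlowContext:
    """Hypothetical stand-in for passivedns's per-connection context:
    plid holds the TID recorded from the query and stays 0 until one is seen."""
    plid: int = 0
    pkts: int = 0


class DnsTracker:
    """Hypothetical model of the 'Check the DNS TID' logic quoted in the thread."""

    def __init__(self):
        self.contexts = {}
        self.stats = {"decoded": 0, "failed": 0, "answer_without_question": 0}

    @staticmethod
    def flow_key(src, sport, dst, dport):
        # Direction-independent key so a query and its answer share one context.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def process(self, src, sport, dst, dport, payload):
        key = self.flow_key(src, sport, dst, dport)
        ctx = self.contexts.setdefault(key, FlowContext())
        ctx.pkts += 1
        tid, is_response = dns_tid_and_qr(payload)
        if not is_response:
            ctx.plid = tid            # remember the query TID for this flow
            return "query"
        if ctx.plid == 0:
            # No query was ever recorded for this flow: exactly what a mirror
            # that only carries the server-to-client direction produces.
            self.stats["answer_without_question"] += 1
        if ctx.plid != tid:
            self.stats["failed"] += 1  # answer TID does not match the query TID
            return "failed"
        self.stats["decoded"] += 1
        return "decoded"


def run_full_flow():
    """Both directions mirrored: query, then its answer with the same TID."""
    t = DnsTracker()
    r1 = t.process("10.0.0.5", 40000, "10.0.0.53", 53, build_dns(0x1234, False))
    r2 = t.process("10.0.0.53", 53, "10.0.0.5", 40000, build_dns(0x1234, True))
    return r1, r2, dict(t.stats)


def run_answer_only():
    """Only server->client mirrored: the answer arrives with no recorded query TID."""
    t = DnsTracker()
    r = t.process("10.0.0.53", 53, "10.0.0.5", 40001, build_dns(0x9259, True))
    return r, dict(t.stats)


def run_mismatched_tid():
    """Both directions seen, but the answer's TID is not the one the query used."""
    t = DnsTracker()
    t.process("10.0.0.5", 40002, "10.0.0.53", 53, build_dns(0x1111, False))
    r = t.process("10.0.0.53", 53, "10.0.0.5", 40002, build_dns(0x2222, True))
    return r, dict(t.stats)


if __name__ == "__main__":
    print("full flow      :", run_full_flow())
    print("answer only    :", run_answer_only())
    print("mismatched TID :", run_mismatched_tid())
```

The useful check on a real deployment follows from the model: on the mirror port, capture a handful of packets and confirm that both the client's query and the resolver's answer for the same 5-tuple are present (the carve-out tcpdump filter gamelinux suggests does exactly that). If only one direction shows up, the fix belongs in the SPAN/TAP configuration, because removing the TID comparison also removes the only guard passivedns has against logging answers that no observed query asked for.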

@45hur

45hur commented Dec 5, 2018

patched.zip
