From 26ada4b8973303824152e867da03d4393f6402b7 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 4 Sep 2025 12:46:41 -0700 Subject: [PATCH 1/5] Support DNS Dynamic Update messages in DNS analyzer --- src/analyzer/protocol/dns/DNS.cc | 125 ++++++++++++++++++++++++------- src/analyzer/protocol/dns/DNS.h | 59 +++++++++------ 2 files changed, 135 insertions(+), 49 deletions(-) diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 027c568550..9591b9260a 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -74,13 +74,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { auto opcode = static_cast((flags & 0x7800) >> 11); // NetBIOS registration and release messages look like regular DNS requests, so parse them as such - if ( opcode != DNS_OP_QUERY && ! is_netbios ) { + if ( opcode != DNS_OP_QUERY && opcode != DNS_OP_DYNAMIC_UPDATE && ! is_netbios ) { analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode)); analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); return; } - detail::DNS_MsgInfo msg(hdr, is_query); + detail::DNS_MsgInfo msg(hdr, is_query, is_netbios); if ( first_message && msg.QR && is_query == 1 ) { is_query = 0; @@ -98,7 +98,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { // There is a great deal of non-DNS traffic that runs on port 53. // This should weed out most of it. - if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries ) { + if ( zeek::detail::dns_max_queries > 0 && msg.qd_zo_count > zeek::detail::dns_max_queries ) { analyzer->AnalyzerViolation("DNS_Conn_count_too_large"); analyzer->Weird("DNS_Conn_count_too_large"); EndMessage(&msg); 
@@ -110,26 +110,64 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { data += hdr_len; len -= hdr_len; - if ( ! ParseQuestions(&msg, data, len, msg_start) ) { - EndMessage(&msg); - return; - } + if ( msg.is_dynamic_update ) { + if ( msg.qd_zo_count != 1 ) { + // dynamic update events should only have a single zone in them. + analyzer->Weird("DNS_DU_invalid_zone_count", util::fmt("%d", msg.qd_zo_count)); + EndMessage(&msg); + return; + } - if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER, data, len, msg_start) ) { - EndMessage(&msg); - return; + // Dynamic update looks like this: + // 1. A single "zone" that is just the first three fields of an SOA RR. It's + // required to be an SOA, so a weird is returned if not. + // 2. Zero or more "prerequisite" RRs that are required to be true in the zone + // before updates take place. + // 3. Zero or more "update" RRs that are the updates to be made to the zone. + // 4. Zero or more "additional" RRs that are unrelated to the updates. These are + // handled same to the other additional RRs with other op codes. + if ( ! ParseAnswerHeader(&msg, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( msg.atype != detail::TYPE_SOA ) { + analyzer->Weird("DNS_DU_incorrect_zone_type"); + return; + } + + if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_PREREQUISITES, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_UPDATES, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + } + else { + if ( ! ParseQuestions(&msg, data, len, msg_start) ) { + EndMessage(&msg); + return; + } + + if ( ! 
ParseAnswers(&msg, msg.an_pr_count, detail::DNS_ANSWER, data, len, msg_start) ) { + EndMessage(&msg); + return; + } } analyzer->AnalyzerConfirmation(); bool skip_auth = (zeek::detail::dns_skip_all_auth != 0); bool skip_addl = (zeek::detail::dns_skip_all_addl != 0); - if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl. + if ( msg.an_pr_count > 0 ) { // We did an answer, so can potentially skip auth/addl. static auto dns_skip_auth = id::find_val("dns_skip_auth"); static auto dns_skip_addl = id::find_val("dns_skip_addl"); auto server = make_intrusive(analyzer->Conn()->RespAddr()); - skip_auth = skip_auth || msg.nscount == 0 || dns_skip_auth->FindOrDefault(server); + skip_auth = skip_auth || msg.ns_up_count == 0 || dns_skip_auth->FindOrDefault(server); skip_addl = skip_addl || msg.arcount == 0 || dns_skip_addl->FindOrDefault(server); } @@ -139,10 +177,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { return; } - msg.skip_event = skip_auth; - if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY, data, len, msg_start) ) { - EndMessage(&msg); - return; + // Dynamic update doesn't have an authority section. + if ( ! msg.is_dynamic_update ) { + msg.skip_event = skip_auth; + if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_AUTHORITY, data, len, msg_start) ) { + EndMessage(&msg); + return; + } } if ( skip_addl ) { @@ -166,7 +207,7 @@ void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg) { } bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { - int n = msg->qdcount; + int n = msg->qd_zo_count; while ( n > 0 && ParseQuestion(msg, data, len, msg_start) ) --n; 
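Review bot: The `msg.atype != detail::TYPE_SOA` branch in the dynamic-update path returns without calling `EndMessage(&msg)`, unlike every other early exit in this hunk. A message whose zone entry is not an SOA would then skip whatever end-of-message handling the other error paths trigger, and those malformed updates are exactly the ones a monitor wants closed out consistently. Add the call before the return: `analyzer->Weird("DNS_DU_incorrect_zone_type"); EndMessage(&msg); return;`. ParseMessage begins and ends outside this hunk and EndMessage's body is only partly visible, so the exact effect of the missing call should be confirmed there.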
@@ -201,7 +242,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat if ( msg->QR == 0 ) dns_event = dns_request; - else if ( msg->QR == 1 && msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 ) + else if ( msg->QR == 1 && msg->an_pr_count == 0 && msg->ns_up_count == 0 && msg->arcount == 0 ) // Service rejected in some fashion, and it won't be reported // via a returned RR because there aren't any. dns_event = dns_rejected; @@ -229,7 +270,8 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat return true; } -bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { +bool DNS_Interpreter::ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, + const u_char* msg_start) { u_char name[513]; int name_len = sizeof(name) - 1; @@ -249,6 +291,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, msg->query_name = make_intrusive(new String(name, name_end - name, true)); msg->atype = static_cast(ExtractShort(data, len)); msg->aclass = ExtractShort(data, len); + + return true; +} + +bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) { + if ( ! ParseAnswerHeader(msg, data, len, msg_start) ) + return false; + msg->ttl = ExtractLong(data, len); auto rdlength = ExtractShort(data, len); 
@@ -256,7 +306,24 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, analyzer->Weird("DNS_truncated_RR_rdlength_lt_len"); return false; } - else if ( rdlength == 0 && len > 0 ) { + + if ( msg->is_dynamic_update ) { + // Read length and ttl can both be zero for dynamic updates, but only if the class is ANY or NONE. + if ( rdlength == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) { + analyzer->Weird("DNS_zero_rdlength_update"); + return false; + } + else if ( msg->ttl == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) { + analyzer->Weird("DNS_zero_ttl_update"); + return false; + } + } + + if ( rdlength == 0 && len > 0 ) { + if ( msg->is_dynamic_update ) + // See above for when this isn't allowed. + return true; + analyzer->Weird("DNS_zero_rdlength"); return false; } @@ -392,6 +459,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name, // Found terminating label. return false; + // If the label length is 0xc0, this is a pointer to another spot in the packet data. if ( (label_len & 0xc0) == 0xc0 ) { auto offset = (label_len & ~0xc0) << 8; @@ -422,6 +490,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name, name_len -= name_end - name; name = name_end; + // Returning false here causes the loop in ExtractName to exit. return false; } @@ -1789,7 +1858,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive(original_name)); } -DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_is_query) { +DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query, bool arg_is_netbios) + : is_query(arg_is_query), is_netbios(arg_is_netbios) { // ### Need to fix alignment if hdr is misaligned (not on a short boundary). uint16_t flags = ntohs(hdr->flags); 
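Review bot: The `msg->ttl == 0` test in the new `is_dynamic_update` block rejects every zero-TTL RR whose class is not ANY or NONE, which looks too strict. As I read RFC 2136, a value-dependent "RRset exists" prerequisite carries the zone's own class with a TTL of zero, so legitimate updates would raise `DNS_zero_ttl_update` and parsing would stop before the update section is seen. I would drop the `else if ( msg->ttl == 0 && ... )` branch, or restrict it to the update section. Because `is_dynamic_update` is a per-message flag, both new checks also appear to run for additional-section RRs such as OPT, which is worth confirming against a capture. Separately, the `return true` shortcut only fires when `len > 0`, so a zero-length RR that is last in the message falls through to the rest of ParseAnswer (outside this hunk); placing `if ( rdlength == 0 && msg->is_dynamic_update ) return true;` ahead of the `len > 0` test would treat both cases alike.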
@@ -1804,12 +1874,13 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_i CD = (flags & 0x0010) >> 4; rcode = (flags & 0x000f); - qdcount = ntohs(hdr->qdcount); - ancount = ntohs(hdr->ancount); - nscount = ntohs(hdr->nscount); + qd_zo_count = ntohs(hdr->qd_zo_count); + an_pr_count = ntohs(hdr->an_pr_count); + ns_up_count = ntohs(hdr->ns_up_count); arcount = ntohs(hdr->arcount); id = ntohs(hdr->id); + is_dynamic_update = (opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios); } RecordValPtr DNS_MsgInfo::BuildHdrVal() { @@ -1827,9 +1898,9 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal() { r->Assign(8, Z); r->Assign(9, static_cast(AD)); r->Assign(10, static_cast(CD)); - r->Assign(11, qdcount); - r->Assign(12, ancount); - r->Assign(13, nscount); + r->Assign(11, qd_zo_count); + r->Assign(12, an_pr_count); + r->Assign(13, ns_up_count); r->Assign(14, arcount); return r; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 27da813cfc..d0921fe6c7 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -15,6 +15,10 @@ enum DNS_Opcode : uint8_t { // DNS_OP_SERVER_STATUS = 3, ///< server status request DNS_OP_SERVER_STATUS = 2, ///< server status request + DNS_OP_NOTIFY = 4, ///< RFC 1996 + DNS_OP_DYNAMIC_UPDATE = 5, ///< RFC 2136 + DNS_OP_DSO = 6, ///< RFC 8490 + // Netbios operations (query = 0). NETBIOS_REGISTRATION = 5, NETBIOS_RELEASE = 6, 
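Review bot: In the DNS.h opcode enum, `DNS_OP_DYNAMIC_UPDATE = 5` and `DNS_OP_DSO = 6` now share their values with `NETBIOS_REGISTRATION` and `NETBIOS_RELEASE`, and nothing at the declaration says so. A comparison against any of these enumerators is only meaningful together with the NetBIOS flag, as the `opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios` test in DNS.cc shows. I would add a comment above the new entries, for example `// Values 5 and 6 overlap the NetBIOS opcodes below; check is_netbios before interpreting them.` The enum continues outside this hunk.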
@@ -29,6 +33,11 @@ enum DNS_Code : uint16_t { DNS_CODE_NAME_ERR = 3, ///< no such domain DNS_CODE_NOT_IMPL = 4, ///< not implemented DNS_CODE_REFUSED = 5, ///< refused + DNS_CODE_YXDOMAIN = 6, ///< name exists when it should not (RFC 2136) + DNS_CODE_YXRRSET = 7, ///< rr set exists when it should not (RFC 2136) + DNS_CODE_NXRRSET = 8, ///< rr set that should exist does not (RFC 2136) + DNS_CODE_NOTAUTH = 9, ///< server not authoritative for zone (RFC 2136), or not authorized (RFC 8945) + DNS_CODE_NOT_ZONE = 10, ///< name not contained in zone (RFC 2136) DNS_CODE_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits }; @@ -83,6 +92,7 @@ enum RR_Type : uint16_t { enum DNS_Class : uint16_t { DNS_CLASS_IN = 1, + DNS_CLASS_NONE = 254, ///< RFC2136 DNS_CLASS_ANY = 255, DNS_CLASS_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits }; @@ -92,6 +102,8 @@ enum DNS_AnswerType : uint8_t { DNS_ANSWER, DNS_AUTHORITY, DNS_ADDITIONAL, + DNS_PREREQUISITES, + DNS_UPDATES, }; // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml @@ -162,9 +174,9 @@ enum SVCPARAM_Key : uint8_t { struct DNS_RawMsgHdr { uint16_t id; uint16_t flags; - uint16_t qdcount; - uint16_t ancount; - uint16_t nscount; + uint16_t qd_zo_count; + uint16_t an_pr_count; + uint16_t ns_up_count; uint16_t arcount; }; @@ -282,9 +294,9 @@ struct SVCB_DATA { VectorValPtr svc_params; }; -class DNS_MsgInfo { +class DNS_MsgInfo final { public: - DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query); + DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query, bool is_netbios); RecordValPtr BuildHdrVal(); RecordValPtr BuildAnswerVal(); 
@@ -304,22 +316,24 @@ public: RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&); uint16_t id; - uint8_t opcode; ///< query type, see DNS_Opcode - uint16_t rcode; ///< return code, see DNS_Code - bool QR; ///< query record flag - bool AA; ///< authoritative answer flag - bool TC; ///< truncated - size > 512 bytes for udp - bool RD; ///< recursion desired - bool RA; ///< recursion available - uint8_t Z; ///< 3 bit field (includes AD and CD) - bool AD; ///< authentic data - bool CD; ///< checking disabled - uint16_t qdcount; ///< number of questions - uint16_t ancount; ///< number of answers - uint16_t nscount; ///< number of authority RRs - uint16_t arcount; ///< number of additional RRs - bool is_query = false; ///< whether it came from the session initiator - bool skip_event = false; ///< if true, don't generate corresponding events + uint8_t opcode; ///< query type, see DNS_Opcode + uint16_t rcode; ///< return code, see DNS_Code + bool QR; ///< query record flag + bool AA; ///< authoritative answer flag + bool TC; ///< truncated - size > 512 bytes for udp + bool RD; ///< recursion desired + bool RA; ///< recursion available + uint8_t Z; ///< 3 bit field (includes AD and CD) + bool AD; ///< authentic data + bool CD; ///< checking disabled + uint16_t qd_zo_count; ///< number of questions (or zones for dynamic update) + uint16_t an_pr_count; ///< number of answers (or prerequisites for dynamic update) + uint16_t ns_up_count; ///< number of authority RRs (or updates for dynamic update) + uint16_t arcount; ///< number of additional RRs + bool is_query = false; ///< whether it came from the session initiator + bool skip_event = false; ///< if true, don't generate corresponding events + bool is_dynamic_update = false; ///< whether this message is a dynamic update + bool is_netbios = false; ///< whether this request is from netbios StringValPtr query_name; RR_Type atype = TYPE_ALL; 
@@ -337,7 +351,7 @@ public: void Timeout() {} -protected: +private: void EndMessage(detail::DNS_MsgInfo* msg); bool ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); @@ -345,6 +359,7 @@ protected: int& len, const u_char* start); bool ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); + bool ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start); bool ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start); u_char* ExtractName(const u_char*& data, int& len, u_char* label, int label_len, const u_char* msg_start, From fa6eb6c9281dc4c147d2ff8699c9a831785cb708 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Tue, 9 Sep 2025 13:57:20 -0700 Subject: [PATCH 2/5] Add opcode/opcode_name to DNS log record --- scripts/base/init-bare.zeek | 2 + scripts/base/protocols/dns/consts.zeek | 17 +++++ scripts/base/protocols/dns/main.zeek | 15 +++- src/analyzer/protocol/dns/DNS.cc | 1 + testing/btest/Baseline/core.ipv6-frag/dns.log | 10 +-- .../core.tunnels.gre-over-udp/dns.log | 8 +-- .../Baseline/core.tunnels.gre-pptp/dns.log | 6 +- .../btest/Baseline/core.tunnels.gre/dns.log | 8 +-- .../core.tunnels.gtp.false_gtp/dns.log | 6 +- .../coverage.record-fields/out.default | 2 + testing/btest/Baseline/opt.basic/dns.log | 72 +++++++++---------- .../scripts.base.protocols.dns.binds/dns.log | 6 +- .../dns.log | 6 +- .../scripts.base.protocols.dns.dnskey/dns.log | 6 +- .../scripts.base.protocols.dns.ds/dns.log | 6 +- .../dns.log | 8 +-- .../scripts.base.protocols.dns.flip/dns.log | 6 +- .../scripts.base.protocols.dns.hinfo/.stdout | 2 +- .../scripts.base.protocols.dns.loc/dns.log | 6 +- .../dns.log | 6 +- .../scripts.base.protocols.dns.naptr/out | 2 +- .../scripts.base.protocols.dns.nsec/dns.log | 8 +-- .../scripts.base.protocols.dns.nsec3/dns.log | 6 +- .../dns.log | 6 +- .../scripts.base.protocols.dns.rrsig/dns.log | 12 ++-- .../scripts.base.protocols.dns.spf/dns.log | 6 +- .../scripts.base.protocols.dns.sshfp/dns.log | 8 +-- .../scripts.base.protocols.dns.tkey/dns.log | 6 +- .../scripts.base.protocols.dns.wks/dns.log | 6 +- .../dns.log | 6 +- .../dns.log | 6 +- 31 files changed, 153 insertions(+), 118 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 07aeece67d..ff2f1f1eda 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -2881,6 +2881,8 @@ type dns_msg: record { num_answers: count; ##< Number of answer records. num_auth: count; ##< Number of authoritative records. num_addl: count; ##< Number of additional records. + + is_netbios: bool; ##< Whether this message came from NetBIOS. }; ## A DNS SOA record. diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek index e39b315c07..59cb77b660 100644 --- a/scripts/base/protocols/dns/consts.zeek +++ b/scripts/base/protocols/dns/consts.zeek @@ -194,4 +194,21 @@ export { [5] = "ech", [6] = "ipv6hint", } &default = function(n: count): string { return fmt("key-%d", n); }; + + ## Mapping of DNS operation type codes to human readable string + ## representation. The NetBIOS opcodes overlap the standard opcodes, + ## hence putting the string versions at invalid values to make lookups + ## possible. + const opcodes = { + [0] = "query", + [1] = "iquery", + [2] = "server-status", + [4] = "notify", + [5] = "dynamic-update", + [6] = "dso", + [0xFFFF5] = "netbios-registration", + [0xFFFF6] = "netbios-release", + [0xFFFF7] = "netbios-wack", + [0xFFFF8] = "netbios-refresh", + } &default = function(n: count): string { return fmt("opcode-%d", n); }; } diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index 4ae48baaac..51453cb840 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -71,6 +71,10 @@ export { TTLs: vector of interval &log &optional; ## The DNS query was rejected by the server. rejected: bool &log &default=F; + ## The opcode value of the DNS request/response. + opcode: count &log &optional; + ## A descriptive string for the opcode. + opcode_name: string &log &optional; ## The total number of resource records in a reply message's ## answer section. 
@@ -343,11 +347,20 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 if ( msg$rcode != 0 && msg$num_queries == 0 ) c$dns$rejected = T; } + + c$dns$opcode = msg$opcode; + if ( msg$is_netbios ) + if ( msg$opcode >= 5 ) + c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF]; + else + c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]); + else + c$dns$opcode_name = opcodes[msg$opcode]; } event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5 { - if ( msg$opcode != 0 ) + if ( msg$opcode != 0 && msg$opcode != 5 ) # Currently only standard queries are tracked. return; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 9591b9260a..5180c6ce70 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -1902,6 +1902,7 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal() { r->Assign(12, an_pr_count); r->Assign(13, ns_up_count); r->Assign(14, arcount); + r->Assign(15, is_netbios); return r; } diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log index 961b99db02..5182927b0a 100644 --- a/testing/btest/Baseline/core.ipv6-frag/dns.log +++ b/testing/btest/Baseline/core.ipv6-frag/dns.log 
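Review bot: The NetBIOS lookup `opcodes[msg$opcode + 0xFFFF]` in set_session does not reach the keys that the consts.zeek hunk defines. Those keys are `0xFFFF5` through `0xFFFF8`, i.e. the opcode plus `0xFFFF0`, whereas opcode 5 plus `0xFFFF` is `0x10004`. NetBIOS registration, release, WACK and refresh messages would therefore fall through to the table's `&default` and be logged as `opcode-65540` and so on, never by name. Change the index to `opcodes[msg$opcode + 0xFFFF0]`, ideally through a named constant shared by both files. The comment `# Currently only standard queries are tracked.` in the dns_message handler is also out of date now that opcode 5 passes the check.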
@@ -5,9 +5,9 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F 0 query +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F 0 query +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log b/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log index c58d047749..d8844e141a 100644 --- a/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log +++ b/testing/btest/Baseline/core.tunnels.gre-over-udp/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F 0 query +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log index 3e72d35bcb..a115f90eb2 100644 --- a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.gre/dns.log b/testing/btest/Baseline/core.tunnels.gre/dns.log index afb49b3a48..4f2381a2a8 100644 --- a/testing/btest/Baseline/core.tunnels.gre/dns.log +++ b/testing/btest/Baseline/core.tunnels.gre/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F -XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log index b432817031..22de29eb3d 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default index 57dff90ee8..423cce3734 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.default +++ b/testing/btest/Baseline/coverage.record-fields/out.default @@ -100,6 +100,8 @@ connection { * answers: vector of string, log=T, optional=T * id: record conn_id, log=T, optional=F conn_id { ... } + * opcode: count, log=T, optional=T + * opcode_name: string, log=T, optional=T * proto: enum transport_proto, log=T, optional=F * qclass: count, log=T, optional=T * qclass_name: string, log=T, optional=T diff --git a/testing/btest/Baseline/opt.basic/dns.log b/testing/btest/Baseline/opt.basic/dns.log index e3d84431e8..b770fe024a 100644 --- a/testing/btest/Baseline/opt.basic/dns.log +++ b/testing/btest/Baseline/opt.basic/dns.log 
@@ -5,40 +5,40 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F -XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F -XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F -XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F -XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F -XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F -XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F -XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F -XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 
upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F -XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F -XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F -XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F -XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F -XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F -XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 
1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F -XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F -XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 
udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 
upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query +XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F 0 query +XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F 0 query +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query +XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 
netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query +XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 
224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query +XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log index 0523babdcd..2da96d4fe1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 
0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F 0 query - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log index 10731dedca..f7b9ead08f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log @@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log index 4469f9be70..0da81c60c5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log @@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log index 722a1610c5..1ebaf776af 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log index 413e432dd4..27dfd926ce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log index 15cefbf674..eb4c38becb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log @@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout index b8a08b28b6..da0e2191d6 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows +HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1, is_netbios=F], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log index d4fff0319d..bd560524f5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log index 3e281dfacd..6e6ece5232 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out b/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out index 978e884e28..3146d6e353 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out 
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.naptr/out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog] +NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0, is_netbios=F], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog] diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log index 2158ba4db1..17d0935a2e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu - -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F 0 query RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F 0 query - - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log index a28155d58f..a66d5d7039 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log @@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F 0 query ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log index ef0bca3662..af633a7b8f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F 0 query - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log index b00dcbd4f9..b952e2573d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log 
@@ -5,10 +5,10 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F -XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F -XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 
upenn.edu 30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F 0 query +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log index 0c4eca5dd4..aa5504a159 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log index b890435327..9830e5e79f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log 
@@ -5,8 +5,8 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 
5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F 0 query +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log index 448fe06fb1..8ef367812e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log index 5cb0f62ae5..d565677c98 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F 0 query - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log index 0dfd8de2e2..3a9e0a6b31 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log index 9140a273a7..29bf6b8a02 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log +++ b/testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log 
@@ -5,7 +5,7 @@ #unset_field - #path dns #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected original_query -#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F Us.V27.DiStRiBuTeD.NET +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name original_query +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F 0 query Us.V27.DiStRiBuTeD.NET #close XXXX-XX-XX-XX-XX-XX From d344f015e0ca3808de0a0731102eb4ba71e759bd Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Tue, 9 Sep 2025 15:14:10 -0700 Subject: [PATCH 3/5] Add basic event for emitting DNS dynamic update data This also changes the existing DU btest from checking to ensure a weird was emitted to checking the output from the event. --- scripts/base/init-bare.zeek | 10 +++++----- src/analyzer/protocol/dns/DNS.cc | 9 +++++++++ src/analyzer/protocol/dns/DNS.h | 2 +- src/analyzer/protocol/dns/events.bif | 13 +++++++++++++ .../scripts.base.protocols.dns.dynamic-update/out | 5 +++++ .../weird.log | 12 ------------ .../scripts/base/protocols/dns/dynamic-update.zeek | 12 +++++++++--- 7 files changed, 42 insertions(+), 21 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/out delete mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index ff2f1f1eda..4532401717 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -2861,7 +2861,7 @@ global pkt_profile_file: file &redef; ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_message dns_query_reply dns_rejected dns_request +## dns_message dns_query_reply dns_rejected dns_request dns_dynamic_update type dns_msg: record { id: count; ##< Transaction ID. 
@@ -2877,12 +2877,12 @@ type dns_msg: record { AD: bool; ##< authentic data CD: bool; ##< checking disabled - num_queries: count; ##< Number of query records. - num_answers: count; ##< Number of answer records. - num_auth: count; ##< Number of authoritative records. + num_queries: count; ##< Number of query records. For dynamic update messages, this is the number of zones. + num_answers: count; ##< Number of answer records. For dynamic update messages, this is the number of prerequisites. + num_auth: count; ##< Number of authoritative records. For dynamic update messages, this is the number of updates. num_addl: count; ##< Number of additional records. - is_netbios: bool; ##< Whether this message came from NetBIOS. + is_netbios: bool; ##< Whether this message came from NetBIOS. }; ## A DNS SOA record. diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 5180c6ce70..e09a178023 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -136,6 +136,9 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { return; } + StringValPtr zname = msg.query_name; + uint32_t zclass = msg.aclass; + if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_PREREQUISITES, data, len, msg_start) ) { EndMessage(&msg); return; @@ -145,6 +148,12 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) { EndMessage(&msg); return; } + + // Send an event if the first three parts parsed correctly, since they're the + // actual update bits. + if ( dns_dynamic_update ) + analyzer->EnqueueConnEvent(dns_dynamic_update, analyzer->ConnVal(), msg.BuildHdrVal(), zname, + val_mgr->Count(zclass)); } else { if ( ! ParseQuestions(&msg, data, len, msg_start) ) { diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index d0921fe6c7..e86d7c6f55 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h 
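Review bot: The two locals added at the top of the `@@ -136,6 +136,9 @@` hunk in DNS.cc carry no comment explaining why the zone name and class are copied, and `zclass` is declared `uint32_t` although this same patch narrows `aclass` to `uint16_t` in DNS.h. Presumably the copies exist because the ParseAnswers calls that follow reuse `msg.query_name` and `msg.aclass` for each record they parse; that is not visible here, so it is worth confirming and then saying so with `// Keep the zone's name and class: parsing the prerequisite and update RRs below reuses these msg fields.` The declaration would read more consistently as `const uint16_t zclass = msg.aclass;`. ParseMessage starts and ends outside this hunk.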
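Review bot: `dns_dynamic_update` is enqueued only after both ParseAnswers calls succeed (hunk `@@ -145,6 +148,12 @@` in DNS.cc), so an update whose prerequisite or update section fails to parse takes the `EndMessage(&msg); return;` path and never reaches script-land as an update, even though the zone name and class were already captured. For monitoring of zone changes that is a visibility gap worth closing or at least documenting: either raise the event once the zone section has been validated, or state the condition in the event's documentation in events.bif. The baseline added by this patch also shows the event firing for both QR=F and QR=T messages, so that documentation should tell handlers to check `msg$QR` and `msg$rcode` before treating an event as an accepted update. ParseMessage continues outside the hunk.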
@@ -337,7 +337,7 @@ public: StringValPtr query_name; RR_Type atype = TYPE_ALL; - int aclass = 0; ///< normally = 1, inet + uint16_t aclass = 0; ///< normally = 1, inet uint32_t ttl = 0; DNS_AnswerType answer_type = DNS_QUESTION; diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index f9bb501157..c5afb755e6 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif @@ -836,3 +836,16 @@ event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_r ## dns_rejected dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_end%(c: connection, msg: dns_msg%); + +## Generated for DNS Dynamic Update messages. See `RFC for Dynamic Updates in the Domain Name System (DNS UPDATE) = 0.63. +[id=47952, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=47952, opcode=5, rcode=5, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=61191, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET +[id=61191, opcode=5, rcode=0, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log deleted file mode 100644 index 77bb64abc0..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.dns.dynamic-update/weird.log +++ /dev/null 
@@ -1,12 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source -#types time string addr port addr port string string bool string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.105 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS -#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek b/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek index 704ee0bb1a..dfc7de0a09 100644 --- a/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek +++ b/testing/btest/scripts/base/protocols/dns/dynamic-update.zeek @@ -1,6 +1,12 @@ -# @TEST-DOC: Tests that a DNS dynamic update packet doesn't error but reports an unknown opcode weird -# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT -# @TEST-EXEC: btest-diff weird.log +# @TEST-DOC: Tests that a DNS dynamic update packet is processed. +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT >out 2>&1 +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: ! test -f weird.log @load base/frameworks/notice/weird @load base/protocols/dns + +event dns_dynamic_update(c: connection, msg: dns_msg, zname: string, zclass: count) + { + print msg, zname, zclass, DNS::classes[zclass]; + } From fb0fdf1dcf468a5e89e291c317576cdf037e5112 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 12 Sep 2025 08:51:06 -0700 Subject: [PATCH 4/5] Update zeek-testing and zeek-testing-private commit hashes --- testing/external/commit-hash.zeek-testing | 2 +- testing/external/commit-hash.zeek-testing-private | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
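Review bot: The rewritten dynamic-update.zeek test only exercises a well-formed trace, so the rejection paths added earlier in this series (the `DNS_DU_invalid_zone_count` and `DNS_DU_incorrect_zone_type` weirds) have no baseline. The `! test -f weird.log` line confirms that a valid update raises no weird, but nothing confirms that a malformed one does. I would add a second run against a trace with a zone count other than 1 or a non-SOA zone record, for example `# @TEST-EXEC: zeek -b -C -r $TRACES/dns/<malformed-update-trace>.pcap %INPUT` followed by `# @TEST-EXEC: btest-diff weird.log` (the trace name is a placeholder).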
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index f88d37e597..12478e9d4f 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -31094f4840d0abc8fdf7f810e281851bd057931b +93e95f45b065ad643caafe9a1d7f67387985d3f9 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 0c6db43a2e..f11d6afe5e 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -2b90a083a2b35a2a3c1d71ff92318c7a11263cd6 +4d4fcbd54edb09c76e840d8a95e5f662c44d5edb From 07804232e6cbd2bfdd633183081ed82729686a6a Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 29 Sep 2025 15:58:48 -0700 Subject: [PATCH 5/5] fixup! Add opcode/opcode_name to DNS log record --- scripts/base/protocols/dns/consts.zeek | 20 +++++++++++-------- scripts/base/protocols/dns/main.zeek | 5 +---- testing/external/commit-hash.zeek-testing | 2 +- .../external/commit-hash.zeek-testing-private | 2 +- 4 files changed, 15 insertions(+), 14 deletions(-) diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek index 59cb77b660..32f7aa8934 100644 --- a/scripts/base/protocols/dns/consts.zeek +++ b/scripts/base/protocols/dns/consts.zeek @@ -195,10 +195,7 @@ export { [6] = "ipv6hint", } &default = function(n: count): string { return fmt("key-%d", n); }; - ## Mapping of DNS operation type codes to human readable string - ## representation. The NetBIOS opcodes overlap the standard opcodes, - ## hence putting the string versions at invalid values to make lookups - ## possible. + ## Mapping of DNS operation type codes to human readable string representation. const opcodes = { [0] = "query", [1] = "iquery", 
@@ -206,9 +203,16 @@ export { [4] = "notify", [5] = "dynamic-update", [6] = "dso", - [0xFFFF5] = "netbios-registration", - [0xFFFF6] = "netbios-release", - [0xFFFF7] = "netbios-wack", - [0xFFFF8] = "netbios-refresh", } &default = function(n: count): string { return fmt("opcode-%d", n); }; + + ## Mapping of DNS operation type codes to human readable string representation for + ## NetBIOS Name Service (NBNS) queries. These codes are defined in + ## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1 + const netbios_opcodes = { + [0] = "netbios-query", + [5] = "netbios-registration", + [6] = "netbios-release", + [7] = "netbios-wack", + [8] = "netbios-refresh", + } &default = function(n: count): string { return fmt("netbios-opcode-%d", n); }; } diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index 51453cb840..f39ec925b6 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -350,10 +350,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 c$dns$opcode = msg$opcode; if ( msg$is_netbios ) - if ( msg$opcode >= 5 ) - c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF]; - else - c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]); + c$dns$opcode_name = netbios_opcodes[msg$opcode]; else c$dns$opcode_name = opcodes[msg$opcode]; } diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 12478e9d4f..7758b32c42 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -93e95f45b065ad643caafe9a1d7f67387985d3f9 +0f0a78fbe0bc690bede40da17d30c1fd2db273c6 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index f11d6afe5e..5f50ea511c 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private 
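Review bot: The new `netbios_opcodes` table in consts.zeek lists only 0, 5, 6, 7 and 8, and the main.zeek hunk (`@@ -350,10 +350,7 @@`) now sends every NetBIOS lookup through it, so any other value is logged through the `netbios-opcode-%d` default. To my knowledge NBNS traffic also uses opcode 9 (an alternate refresh) and opcode 15 (multi-homed registration), which would then show up in dns.log as unnamed opcodes; if that matches the traces you have, consider adding `[9] = "netbios-refresh-alt",` and `[15] = "netbios-multihomed-registration",`. The doc comment should also note that opcodes 1 to 4, which the removed branch rendered as `netbios-` plus the standard name, now fall to the default. The set_session hook body continues outside the main.zeek hunk.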
@@ -1 +1 @@ -4d4fcbd54edb09c76e840d8a95e5f662c44d5edb +80860e185460d347c969c04977fa7e99dff9eaab