
DNS: try to simplify the code
Set the classification in only one place in the code.
IvanNardi committed Feb 12, 2025
1 parent baca06b commit f63f050
Showing 13 changed files with 127 additions and 38 deletions.
48 changes: 13 additions & 35 deletions src/lib/protocols/dns.c
Expand Up @@ -625,17 +625,6 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
x += data_len;
}
}

if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS)
|| (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) {
/* Request already set the protocol */
// flow->extra_packets_func = NULL; /* Removed so the caller can keep dissecting DNS flows */
} else {
/* We missed the request */
u_int16_t s_port = packet->udp ? ntohs(packet->udp->source) : ntohs(packet->tcp->source);

ndpi_set_detected_protocol(ndpi_struct, flow, checkPort(s_port), NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
}
}
}
Expand Down Expand Up @@ -839,20 +828,24 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
/* Report if this is a DNS query or reply */
flow->protos.dns.is_query = is_query;

if(is_query) {
/* In this case we say that the protocol has been detected just to let apps carry on with their activities */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN ||
ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) {

ndpi_set_detected_protocol(ndpi_struct, flow, ret.proto.app_protocol, ret.proto.master_protocol, NDPI_CONFIDENCE_DPI);

if(ndpi_struct->cfg.dns_parse_response_enabled) {
/* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */
if(ret.proto.master_protocol != NDPI_PROTOCOL_LLMNR) {
/* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
flow->max_extra_packets_to_check = 5;
flow->extra_packets_func = search_dns_again;
if(is_query) {
if(ndpi_struct->cfg.dns_parse_response_enabled) {
/* We have never triggered extra-dissection for LLMNR. Keep the old behavior */
if(ret.proto.master_protocol != NDPI_PROTOCOL_LLMNR) {
/* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
flow->max_extra_packets_to_check = 5;
flow->extra_packets_func = search_dns_again;
}
}
}
return; /* The response will set the verdict */
}
if(is_query)
return;

if(strlen(flow->host_server_name) > 0)

Expand All @@ -865,21 +858,6 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name
);
#endif

if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/**
Do not set the protocol with DNS if ndpi_match_host_subprotocol() has
matched a subprotocol
**/
NDPI_LOG_INFO(ndpi_struct, "found DNS\n");
ndpi_set_detected_protocol(ndpi_struct, flow, ret.proto.app_protocol, ret.proto.master_protocol, NDPI_CONFIDENCE_DPI);
} else {
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS)
|| (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS))
;
else
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}

if(flow->packet_counter > 3)
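Review bot: Both guards that kept DNS from overwriting an existing classification are removed — the `flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN || ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN` test in the query path and the `detected_protocol_stack` check with `NDPI_EXCLUDE_PROTO` in the reply path — while the single surviving `ndpi_set_detected_protocol` call shows no equivalent check in this hunk, so as far as the rendered diff shows a flow already classified by another dissector can now be relabelled as plain DNS by any DNS-shaped packet; if that is intended, say so in a comment at the call, otherwise restore the `stack[0]` check there. The dropped rationale comments ("we say that the protocol has been detected just to let apps carry on with their activities" and "The response will set the verdict") should survive at that single call site, since they explain why a query alone is enough to classify. The new `if(is_query) { … }` block followed immediately by `if(is_query) return;` tests the same flag twice; moving `return; /* The response will set the verdict */` to the end of the first block keeps one test and the comment. ndpi_search_dns begins before this hunk and continues after it.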
Binary file added tests/cfgs/default/pcap/dns_retransmissions.pcap
Binary file not shown.
27 changes: 27 additions & 0 deletions tests/cfgs/default/result/dns_retransmissions.pcap.out
@@ -0,0 +1,27 @@
DPI Packets (UDP): 3 (3.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 1 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 1/0/0 (insert/search/found)
Automa host: 3/3 (search/found)
Automa domain: 3/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 1/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 1/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

DNS 4 450 1

Acceptable 4 450 1

1 UDP 37.41.101.140:11892 <-> 208.67.222.222:53 [VLAN: 103][proto: 5/DNS][IP: 225/OpenDNS][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/150 bytes <-> 2 pkts/300 bytes][Goodput ratio: 38/69][0.20 sec][Hostname/SNI: api.msn.com][204.79.197.203][DNS Id: 0xb8e2][PLAIN TEXT (msedge)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 changes: 1 addition & 1 deletion tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
Expand Up @@ -17,7 +17,7 @@ LRU cache fpc_dns: 0/63/0 (insert/search/found)
Automa host: 244/0 (search/found)
Automa domain: 237/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 127/0 (search/found)
Automa risk mask: 128/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 374/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
File renamed without changes.
File renamed without changes.
1 change: 1 addition & 0 deletions tests/cfgs/dns_sub_enable/pcap/dns2.pcap
1 change: 1 addition & 0 deletions tests/cfgs/dns_sub_enable/pcap/dns_retransmissions.pcap
Expand Up @@ -11,9 +11,9 @@ LRU cache fpc_dns: 1/0/0 (insert/search/found)
Automa host: 3/3 (search/found)
Automa domain: 3/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa risk mask: 2/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask: 4/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 1/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
27 changes: 27 additions & 0 deletions tests/cfgs/dns_sub_enable/result/dns2.pcap.out
@@ -0,0 +1,27 @@
DPI Packets (UDP): 3 (3.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 1 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 0/0/0 (insert/search/found)
Automa host: 3/3 (search/found)
Automa domain: 3/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 1/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

Github 4 405 1

Acceptable 4 405 1

1 UDP 192.168.255.251:56550 <-> 8.8.8.8:53 [proto: 5.203/DNS.Github][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5.203/DNS.Github, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/148 bytes <-> 2 pkts/257 bytes][Goodput ratio: 43/67][0.03 sec][Hostname/SNI: www.github.com][0.0.0.0][DNS Id: 0xeaef][PLAIN TEXT (github)][Plen Bins: 0,75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -0,0 +1,27 @@
DPI Packets (UDP): 2 (2.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 1 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 1/0/0 (insert/search/found)
Automa host: 2/2 (search/found)
Automa domain: 2/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 2/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

Google 80 10969 1

Acceptable 80 10969 1

1 UDP 192.168.1.204:50234 <-> 192.168.1.253:53 [proto: 5.126/DNS.Google][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5.126/DNS.Google, Confidence: DPI][DPI packets: 2][cat: Network/14][40 pkts/3152 bytes <-> 40 pkts/7817 bytes][Goodput ratio: 47/78][403.67 sec][Hostname/SNI: www.google.com][142.251.209.36][DNS Id: 0x1655][bytes ratio: -0.425 (Download)][IAT c2s/s2c min/avg/max/stddev: 23/9 11635/11637 110617/110608 23370/23370][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 79/195 94/356 9/104][PLAIN TEXT (google)][Plen Bins: 27,36,6,8,0,1,5,2,6,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
27 changes: 27 additions & 0 deletions tests/cfgs/dns_sub_enable/result/dns_retransmissions.pcap.out
@@ -0,0 +1,27 @@
DPI Packets (UDP): 3 (3.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 1 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 1/0/0 (insert/search/found)
Automa host: 3/3 (search/found)
Automa domain: 3/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 2/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 1/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 1/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

Microsoft 4 450 1

Safe 4 450 1

1 UDP 37.41.101.140:11892 <-> 208.67.222.222:53 [VLAN: 103][proto: 5.212/DNS.Microsoft][IP: 225/OpenDNS][ClearText][Confidence: DPI][FPC: 5.212/DNS.Microsoft, Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/150 bytes <-> 2 pkts/300 bytes][Goodput ratio: 38/69][0.20 sec][Hostname/SNI: api.msn.com][204.79.197.203][DNS Id: 0xb8e2][PLAIN TEXT (msedge)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
