[dns-operations] [edmonds at isc.org: nmsg 0.6.2 released]

Robert Edmonds edmonds at isc.org
Tue Apr 27 01:37:25 UTC 2010

those that aren't on the nmsg-dev mailing list[0] might be interested in
the nmsg 0.6.2 release, which includes a new DNS state tracking module
whose format can be bi-directionally converted to and from pcap.

[0] https://lists.isc.org/mailman/listinfo/nmsg-dev

----- Forwarded message from Robert Edmonds <edmonds at isc.org> -----

Date: Mon, 26 Apr 2010 21:29:39 -0400
From: Robert Edmonds <edmonds at isc.org>
To: nmsg-dev at lists.isc.org
Subject: nmsg 0.6.2 released


    * new message module: ISC/dnsqr. this message module uses the
      pkt_to_payload msgmod interface and performs DNS-specific
      processing. it is also designed to be freely convertible to and
      from the pcap format.

      for TCP and ICMP packets, ISC/dnsqr simply verifies that the
      packet appears to be DNS-related. for TCP, it checks if the source
      or destination port is 53. for ICMP, it checks if the ICMP payload
      contains enough of the original IP and TCP/UDP headers to
      determine if the payload is DNS-related. DNS TCP and ICMP packets
      are written verbatim into an ISC/dnsqr message.

      for UDP packets, more advanced processing is performed. outgoing
      queries are cached in a query state table keyed by the tuple of
      <query IP, response IP, query port, response port, DNS ID>. if a
      response arrives matching this tuple, the q-tuple of <query name,
      query type, query class> is compared between the query and
      response and if the q-tuple matches as well, the query and
      response packets will be bound together into a single ISC/dnsqr
      message and output. the 'type' field is set to UDP_QUERY_RESPONSE.

      (if a response lacks a question RR, then the rcode is checked
      against the set of rcodes (FORMERR, SERVFAIL, NOTIMP, REFUSED).
      if so, the response is considered to match. for any other rcode,
      the full 9-tuple must match.)

      if a response arrives and no matching query is found in the query
      state table, the response is output as an ISC/dnsqr message of

      if a query is outstanding for more than 30 seconds, the query is
      removed from the state table and output as an ISC/dnsqr message of
      type UDP_UNANSWERED_QUERY. the size of the query state table is
      also strictly bounded, and overflow will cause the oldest
      outstanding query to be prematurely expired.
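      as an added illustration (not nmsg's own code), here is a small
      Python model of the UDP matching rules above: the 5-tuple state
      key, the q-tuple comparison, the rcode exception for responses
      without a question RR, the 30 second timeout and the bounded state
      table. the DnsqrTracker class, the packet dicts, the table size and
      the 192.0.2.x addresses are all constructed for the example, and a
      placeholder type name stands in for the unmatched-response case
      whose name is cut off in this message.

```python
from collections import OrderedDict
QUERY_TIMEOUT = 30.0  # seconds, per the announcement
LENIENT_RCODES = {"FORMERR", "SERVFAIL", "NOTIMP", "REFUSED"}  # match without a question RR

def state_key(p):  # <query IP, response IP, query port, response port, DNS ID>, viewed from the query side
    qi, ri, qp, rp = ("dst", "src", "dport", "sport") if p["qr"] else ("src", "dst", "sport", "dport")
    return (p[qi], p[ri], p[qp], p[rp], p["id"])
class DnsqrTracker:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = OrderedDict()  # key -> (timestamp, query packet), oldest first
        self.out = []               # emitted (type, query, response) records
    def _expire(self, now):  # queries outstanding for more than 30 s leave as UDP_UNANSWERED_QUERY
        while self.table and now - next(iter(self.table.values()))[0] > QUERY_TIMEOUT:
            self.out.append(("UDP_UNANSWERED_QUERY", self.table.popitem(last=False)[1][1], None))
    def feed(self, now, p):
        self._expire(now)
        key = state_key(p)
        if not p["qr"]:
            if len(self.table) >= self.max_entries:  # strictly bounded: the oldest query expires early
                self.out.append(("UDP_UNANSWERED_QUERY", self.table.popitem(last=False)[1][1], None))
            self.table[key] = (now, p)
            return
        if key in self.table:
            q = self.table[key][1]
            if p["qname"] is None:  # response lacks a question RR: only a lenient rcode matches
                matched = p["rcode"] in LENIENT_RCODES
            else:                   # otherwise the q-tuple must match as well
                matched = all(p[f] == q[f] for f in ("qname", "qtype", "qclass"))
            if matched:
                del self.table[key]
                self.out.append(("UDP_QUERY_RESPONSE", q, p))
                return
        # no matching query: the announcement's name for this type is cut off, so a placeholder is used
        self.out.append(("UNMATCHED_RESPONSE_PLACEHOLDER", None, p))

def pkt(qr, id_, port, qname, rcode="NOERROR"):  # constructed packet, client 192.0.2.10 <-> resolver 192.0.2.53
    src, dst = (("192.0.2.53", 53), ("192.0.2.10", port)) if qr else (("192.0.2.10", port), ("192.0.2.53", 53))
    return {"qr": qr, "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1], "id": id_, "qname": qname,
            "qtype": "A" if qname else None, "qclass": "IN" if qname else None, "rcode": rcode}

def demo():  # constructed traffic exercising every output type; returns the emitted types in order
    t = DnsqrTracker(max_entries=2)
    events = [(0.0, pkt(False, 1, 40000, "example.com.")), (0.1, pkt(True, 1, 40000, "example.com.")),  # matched
              (1.0, pkt(False, 2, 40001, "example.net.")), (1.1, pkt(True, 2, 40001, "example.org.")),  # qname differs
              (1.2, pkt(True, 9, 40000, "example.com.")), (2.0, pkt(False, 3, 40002, "a.test.")),        # no query for id 9
              (2.5, pkt(False, 4, 40003, "b.test.")), (32.3, pkt(True, 4, 40003, None, "SERVFAIL"))]    # overflow; timeout; rcode match
    for ts, p in events:
        t.feed(ts, p)
    return [m[0] for m in t.out]
```

      from a monitoring point of view the unanswered and unmatched
      records are the ones worth reviewing, since stray or spoofed
      responses land there rather than in UDP_QUERY_RESPONSE.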

      ISC/dnsqr performs its own IP reassembly, but unlike the
      reassembly performed by ncaptool and the ISC/ncap message module,
      the original IP fragments are retained in the message. this allows
      for bi-directional conversion to and from the pcap format.

      for API programmers, the virtual fields 'query' and 'response' in
      the ISC/dnsqr message module will return the DNS query and
      response messages, automatically performing IP reassembly if
      needed, but the original packets are still available. a virtual
      field 'dns' is aliased to the 'response' field for compatibility
      with the ISC/ncap module.

      the ISC/dnsqr presentation form (as printed by nmsgtool) includes
      full dig-style decodes of the query and response messages, if

    * examples/nmsg-dnsqr2pcap: this utility converts an ISC/dnsqr nmsg
      savefile into a DLT_RAW pcap savefile.
----- End forwarded message -----

Robert Edmonds
edmonds at isc.org
