[dns-operations] A quick question for my peers re: 'dnscap'
Jake Zack
jake.zack at cira.ca
Fri Feb 2 20:54:58 UTC 2018
Robert and I took this discussion off-list briefly.
He had me turn on dumptrace (-d flag) to analyze the BPF expression being used....
> dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) and host ( 2001:500:a7::2 or 199.4.144.2 )) )"
Which he eloquently explains as:
<paste>
Nah, the host expression is fine. When you format the expression for
legibility the problem is apparent:
(
( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 )
or
(
( ( tcp port 53 ) or ( udp port 53) )
and host ( 2001:500:a7::2 or 199.4.144.2 )
)
)
In English this is saying "(any IPv4/IPv6 fragments) or (your host and
tcp/udp port 53)".
It probably needs to be saying "(your host and any IPv4/IPv6 fragments)
or (your host and tcp/udp port 53)". Or maybe even just "(your host) and
((any IPv4/IPv6 fragments) or (tcp/udp port 53))".
</paste>
So I guess I'm asking the community now if this is worth a bug report and/or feature request...
...and further, to gather opinions on the question "If an IP fragment contains no question, but acknowledges the asking of a question from a particular source, is that still private data that will run the risk of running afoul of various privacy laws?"
Thanks all,
-Jacob Zack
DNS Architect - CIRA (.CA TLD)
-----Original Message-----
From: Robert Edmonds [mailto:edmonds at mycre.ws]
Sent: February-02-18 3:08 PM
To: Jake Zack <jake.zack at cira.ca>
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] A quick question for my peers re: 'dnscap'
Jake Zack wrote:
> However, when I attempt to verify that I'm not leaking customer data, I see:
> [root at col01 scripts]# tcpdump -nr /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211 not host 199.4.144.2 and not host 2001:500:A7::2 |grep 185.159.197.1 |head -5
> reading from file /tmp/col01.lhr.ca-servers.ca.20180202.185721.945211, link-type RAW (Raw IP)
> 13:57:22.020123 IP 185.159.197.100 > 188.166.18.244: udp
> 13:57:22.058056 IP 185.159.197.100 > 138.68.93.203: udp
> 13:57:22.192434 IP 185.159.197.100 > 207.154.216.38: udp
> 13:57:22.281961 IP 185.159.197.100 > 138.68.180.5: udp
> 13:57:22.317448 IP 185.159.197.100 > 138.68.180.5: udp
>
> If anyone can spot what I'm doing wrong, offer advice, and/or replicate my findings...please let me know.
Hi, Jake:
Why isn't tcpdump decoding those UDP packets with its DNS dissector? Are those non-initial fragments?
--
Robert Edmonds
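The precedence problem Robert points out, modelled in a short added example (not code from the thread or from dnscap): it decodes the header fields the BPF expression inspects (ip[6:2] & 0x1fff, ip6[6], ports) from constructed packets and evaluates both the original and the corrected boolean structure over them. The server addresses are the two from the dnscap expression above; the sample packets, the hypothetical client addresses, and the helper names are constructed for illustration.

```python
import ipaddress
import struct

# The two server addresses from the dnscap expression on the page ("your host").
OUR_HOSTS = {ipaddress.ip_address("199.4.144.2"), ipaddress.ip_address("2001:500:a7::2")}

def parse(pkt: bytes) -> dict:
    """Decode only the header fields the BPF expression inspects."""
    if pkt[0] >> 4 == 4:
        # ip[6:2] & 0x1fff != 0: fragment offset set, i.e. a NON-initial fragment
        fragment = (struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF) != 0
        proto, l4 = pkt[9], (pkt[0] & 0x0F) * 4
        src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    else:
        proto, l4 = pkt[6], 40  # ip6[6] = 44: next header is the Fragment extension header
        fragment = proto == 44
        src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    ports = None
    # A non-initial fragment carries no transport header, so "port 53" can never match it;
    # that is why tcpdump printed those packets as bare "udp" with no ports or DNS decode.
    if not fragment and proto in (6, 17) and len(pkt) >= l4 + 4:
        ports = struct.unpack_from("!HH", pkt, l4)
    return {"src": src, "dst": dst, "fragment": fragment, "ports": ports}

def host_match(p): return p["src"] in OUR_HOSTS or p["dst"] in OUR_HOSTS
def dns_port(p): return p["ports"] is not None and 53 in p["ports"]

def original_filter(p):  # as dnscap built it: fragment clause OR'ed outside the host clause
    return p["fragment"] or (dns_port(p) and host_match(p))

def fixed_filter(p):  # Robert's suggested form: host restriction covers both branches
    return host_match(p) and (p["fragment"] or dns_port(p))

def ipv4(src, dst, frag_offset=0, payload=b""):
    """Constructed minimal IPv4 packet, proto UDP, checksum left zero (not real traffic)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag_offset, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def udp(sport, dport): return struct.pack("!HHHH", sport, dport, 8, 0)  # header only, zero checksum
# Constructed samples: a stray non-initial fragment (as in Jake's tcpdump output), a query to a
# listed server, and a query to an unrelated server (client addresses are documentation ranges).
SAMPLES = {
    "stray fragment": ipv4("185.159.197.100", "188.166.18.244", frag_offset=185),
    "query to our host": ipv4("203.0.113.7", "199.4.144.2", payload=udp(40000, 53)),
    "query elsewhere": ipv4("203.0.113.7", "198.51.100.9", payload=udp(40000, 53)),
}

def evaluate():
    """Return {sample: (original_matches, fixed_matches)}; only the stray fragment differs."""
    return {n: (original_filter(parse(p)), fixed_filter(parse(p))) for n, p in SAMPLES.items()}
```

Only the stray fragment, which involves neither listed server, passes the original expression and fails the corrected one, which is exactly the traffic that showed up in the capture.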