
first imp for dns reverse lookup name parsing and resolution #2

Merged
indenting changes
hl33ta committed Jul 7, 2022
commit 781466b296450ac809b440f9dedb790009f89771
44 changes: 22 additions & 22 deletions src/lib/protocols/dns.c
@@ -315,28 +315,28 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
)) {
memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len);
}
else if (rsp_type == 0x0c)
{
// reverse dns lookup responses can have an address section and a domain name section
// since we already have the address from the query we just need the domain name
int section_len = packet->payload[x]; // get 1st segment len
if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39)
{
x += section_len +1; // skip segment len + address field
data_len -= section_len + 1; // adjust data_len for copying
}
// if block to remove the next segment length from the front of the string
if (data_len > 0)
{
x++;
data_len--;
}

if (data_len > 32)
memcpy(&flow->protos.dns.answer_domain, packet->payload + x, 32);
else
memcpy(&flow->protos.dns.answer_domain, packet->payload + x, data_len);
}
else if (rsp_type == 0x0c)
{
// reverse dns lookup responses can have an address section and a domain name section
// since we already have the address from the query we just need the domain name
int section_len = packet->payload[x]; // get 1st segment len

Per RFC-1035, 3.1, it sounds like these groups are called labels, so this is likely a label length in octets.

Is there any other existing nDPI code elsewhere that extracts domain names? If so, it might be possible to follow those conventions or re-use existing code.

Author:
nDPI functions seem primarily to handle the query name, so creating similar function(s) for various answer types based on their format makes sense here as we get more use cases for this parsing.

if (packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39)
{
x += section_len +1; // skip segment len + address field
data_len -= section_len + 1; // adjust data_len for copying
}
// if block to remove the next segment length from the front of the string
if (data_len > 0)
{
x++;
data_len--;
}

if (data_len > 32)
memcpy(&flow->protos.dns.answer_domain, packet->payload + x, 32);
else
memcpy(&flow->protos.dns.answer_domain, packet->payload + x, data_len);
}
}
}
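Review bot: the memcpy into flow->protos.dns.answer_domain at the end of the rsp_type == 0x0c branch reads up to 32 bytes from packet->payload + x with no check that those bytes lie inside the packet, and the earlier x += section_len + 1 and data_len -= section_len + 1 are equally unbounded (section_len + 1 may exceed data_len), so a short or crafted PTR answer makes this read past the payload; guard both with a check against the remaining payload length before advancing x or copying, and clamp the copy to the bytes that remain. Two logic points in the same block: the test packet->payload[x+1] >= 0x30 && packet->payload[x+1] <= 0x39 treats any first label beginning with an ASCII digit as an "address field" and skips it, but PTR RDATA is only a domain name (the in-addr.arpa address is the record's owner name, not part of the RDATA) and a hostname label may legitimately start with a digit, so real names lose their first label; and only one label length byte is stripped by the x++ / data_len-- pair, so every later label-length byte is copied into answer_domain as a raw binary octet and a compression pointer (first byte with the top two bits set, 0xC0) is not followed at all. Decoding the name label by label as RFC 1035 section 3.1 specifies, as the comments above suggest, fixes all three at once.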
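The comments above point at RFC 1035 section 3.1 and at decoding the answer name the way the query name is decoded. As an added example that is not part of this PR or of nDPI's own code, the following C decodes a PTR answer name label by label with the bounds and compression-pointer handling the raw memcpy lacks. The message bytes are constructed for the example (the reply to a PTR query for 4.4.8.8.in-addr.arpa) and the function names are the example's own, not nDPI API.

```c
/* Added example, not nDPI code: a bounds-checked decoder for the RFC 1035
 * section 3.1 name format, applied to the RDATA of a PTR (type 0x0c) answer.
 * Labels are length-prefixed octet strings ending in a zero-length label; a
 * length byte with both top bits set (0xC0) is a 14-bit pointer to an earlier
 * offset in the same message (name compression). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255            /* RFC 1035 2.3.4 limit on a full name */

/* Decode the name at msg[offset] into out as dotted text. Returns the number
 * of bytes the name occupies at offset (2 if it is only a pointer), or -1 on
 * truncation, forward/looping pointers or oversize output. */
static int dns_read_name(const uint8_t *msg, size_t msg_len, size_t offset,
                         char *out, size_t out_len)
{
    size_t pos = offset, chunk_start = offset, consumed = 0, written = 0;
    int jumped = 0;

    if (out_len == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return -1;            /* length byte itself missing */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {               /* compression pointer */
            if (pos + 1 >= msg_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= chunk_start) return -1; /* must point strictly earlier: no loops */
            if (!jumped) consumed = pos + 2 - offset;
            jumped = 1;
            pos = chunk_start = target;
            continue;
        }
        if (len & 0xC0) return -1;                /* 0x40/0x80 prefixes are reserved */
        if (len == 0) {                           /* root label ends the name */
            if (!jumped) consumed = pos + 1 - offset;
            return (int)consumed;
        }
        if (pos + 1 + len > msg_len) return -1;   /* label runs past the message */
        size_t need = written + len + 1 + (written ? 1 : 0);  /* text + NUL + dot */
        if (need > out_len || need - 1 > DNS_MAX_NAME) return -1;
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos + 1, len);
        written += len;
        out[written] = '\0';
        pos += 1 + len;
    }
}

/* Constructed sample (not a capture): response to the PTR query for
 * 4.4.8.8.in-addr.arpa; the answer NAME is a pointer to the question name
 * and the RDATA is the name "dns.google". */
static const uint8_t kPtrResponse[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    1, '4', 1, '4', 1, '8', 1, '8', 7, 'i', 'n', '-', 'a', 'd', 'd', 'r',
    4, 'a', 'r', 'p', 'a', 0,                       /* question name, offset 12 */
    0x00, 0x0c, 0x00, 0x01,                         /* QTYPE PTR, QCLASS IN */
    0xC0, 0x0C,                                     /* answer NAME -> offset 12 */
    0x00, 0x0c, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, /* TYPE PTR, CLASS IN, TTL 3600 */
    0x00, 0x0c,                                     /* RDLENGTH 12 */
    3, 'd', 'n', 's', 6, 'g', 'o', 'o', 'g', 'l', 'e', 0, /* RDATA, offset 50 */
};

static char scratch[DNS_MAX_NAME + 1];   /* shared output buffer for the demo */

/* Return 0 and the RDATA name of the first answer if it is a PTR record,
 * -1 if the message is malformed, truncated or not a PTR response. */
static int dns_first_ptr_target(const uint8_t *msg, size_t msg_len,
                                char *out, size_t out_len)
{
    if (msg_len < 12) return -1;
    if (((msg[4] << 8) | msg[5]) != 1 || ((msg[6] << 8) | msg[7]) < 1) return -1;
    int n = dns_read_name(msg, msg_len, 12, out, out_len);  /* question name */
    if (n < 0) return -1;
    size_t pos = 12 + (size_t)n + 4;                         /* skip QTYPE/QCLASS */
    n = dns_read_name(msg, msg_len, pos, out, out_len);      /* answer owner name */
    if (n < 0) return -1;
    pos += (size_t)n;
    if (pos + 10 > msg_len) return -1;                       /* TYPE..RDLENGTH */
    uint16_t type = (uint16_t)((msg[pos] << 8) | msg[pos + 1]);
    uint16_t rdlen = (uint16_t)((msg[pos + 8] << 8) | msg[pos + 9]);
    pos += 10;
    if (type != 0x0c || pos + rdlen > msg_len) return -1;
    n = dns_read_name(msg, msg_len, pos, out, out_len);      /* PTR target name */
    return (n < 0 || (size_t)n != rdlen) ? -1 : 0;           /* RDATA is exactly one name */
}

int main(void)
{
    if (dns_first_ptr_target(kPtrResponse, sizeof kPtrResponse, scratch, sizeof scratch) == 0)
        printf("PTR target: %s\n", scratch);
    return 0;
}
```

The owner name of the sample answer decodes to 4.4.8.8.in-addr.arpa, which is exactly the kind of digit-initial label sequence a "starts with a digit, so skip it" heuristic would mangle; the decoder instead relies only on the length octets, refuses pointers that do not point strictly backwards, and fails closed on any label that would run past the end of the message.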