Skip to content

Example DNS parser#163

Open
glaslos wants to merge 4 commits intomainfrom
dns
Open

Example DNS parser#163
glaslos wants to merge 4 commits intomainfrom
dns

Conversation

@glaslos
Copy link
Member

@glaslos glaslos commented Jun 1, 2024

No description provided.

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
config/rules.yaml
Comment on lines +32 to +34
- match: udp dst port 53
type: conn_handler
target: dns
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rule to handle all UDP traffic on port 53 with the new DNS handler

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
glutton.go
Comment on lines +177 to +185
con, err := net.DialUDP("udp", dstAddr, srcAddr)
if err != nil {
g.Logger.Error("failed to dial UDP connection", producer.ErrAttr(err))
return
}
defer con.Close()
_, err = con.Write(response)
if err != nil {
g.Logger.Error("failed to send UDP response", producer.ErrAttr(err))
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have to create a new outgoing connection. If we send through the UDP listener, we will have the wrong source port.

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
protocols/protocols.go
type TCPHandlerFunc func(ctx context.Context, conn net.Conn, md connection.Metadata) error

type UDPHandlerFunc func(ctx context.Context, srcAddr, dstAddr *net.UDPAddr, data []byte, md connection.Metadata) error
type UDPHandlerFunc func(ctx context.Context, srcAddr, dstAddr *net.UDPAddr, data []byte, md connection.Metadata) ([]byte, error)
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UDP handlers now return a byte slice as response to the client.

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
protocols/udp/dns.go
last int64
}

var throttle = map[string]throttleState{}
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't want to become a UDP amplification service.

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
protocols/udp/dns.go
Name: name,
Type: q.Type,
Class: q.Class,
TTL: 453,
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to make this not fingerprintable

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
protocols/udp/dns.go

switch q.Type {
case dnsmessage.TypeA:
answer.Body = &dnsmessage.AResource{A: [4]byte{127, 0, 0, 1}}
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we actually do a DNS lookup instead of localhost? If we resolve anything, it's a dead giveaway.

glaslos
glaslos commented Jun 2, 2024
View reviewed changes
protocols/udp/dns.go
return nil, fmt.Errorf("failed to pack DNS response: %w", err)
}

if err := h.ProduceUDP("dns", srcAddr, dstAddr, md, data[:len(data)%1024], nil); err != nil {
Copy link
Member Author

@glaslos glaslos Jun 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably want to also report the structured message instead of just the raw payload.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@glaslos