Bug #6400
openlog of DNS answer is in wrong direction
Affected Versions:
Effort:
Difficulty:
Label:
Description
I think we already discussed this issue, but I still cannot understand this. In the DNS request and answer, the source and destination IPs are the same. This does not appear to be logical, as we are facing communication in the opposite direction.
For example, on a pcap replay we have:
{ "timestamp": "2019-07-05T22:10:33.164698+0200", "flow_id": 425900207853173, "pcap_cnt": 48630, "event_type": "dns", "src_ip": "10.7.5.101", "src_port": 50643, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "pkt_src": "wire/pcap", "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a" }, "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=", "dns": { "type": "query", "id": 62832, "rrname": "germakhya.xyz", "rrtype": "A", "tx_id": 0, "opcode": 0 } }

{ "timestamp": "2019-07-05T22:10:33.369515+0200", "flow_id": 425900207853173, "pcap_cnt": 48631, "event_type": "dns", "src_ip": "10.7.5.101", "src_port": 50643, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "pkt_src": "wire/pcap", "ether": { "src_mac": "a4:1f:72:c2:09:6a", "dest_mac": "00:08:02:1c:47:ae" }, "community_id": "1:kTeBZP87R9S9OU6Vd9RX0LnViA8=", "dns": { "version": 2, "type": "answer", "id": 62832, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rrname": "germakhya.xyz", "rrtype": "A", "rcode": "NOERROR", "answers": [ { "rrname": "germakhya.xyz", "rrtype": "A", "ttl": 599, "rdata": "95.142.46.236" } ], "grouped": { "A": [ "95.142.46.236" ] } } }
And if you look at the Ethernet addresses, you can see that they are reversed between the request and the answer. This is not making sense at all.
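As an added example (not code from the report or from Suricata), the following Python script shows how an analyst can consume EVE DNS records in which src/dest describe the flow rather than the packet, as the two records above do: it flips the tuple for answers and cross-checks the flip against the per-packet ether MACs. It assumes only the field names visible in the records above; the embedded sample lines are those two records, trimmed to the fields used.

```python
import json
# Sample input: the two EVE DNS records quoted in this report (query then
# answer of flow 425900207853173), trimmed to the fields used here.
EVE_LINES = [
    '{"flow_id": 425900207853173, "event_type": "dns", "src_ip": "10.7.5.101", '
    '"src_port": 50643, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", '
    '"ether": {"src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a"}, '
    '"dns": {"type": "query", "id": 62832, "rrname": "germakhya.xyz"}}',
    '{"flow_id": 425900207853173, "event_type": "dns", "src_ip": "10.7.5.101", '
    '"src_port": 50643, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", '
    '"ether": {"src_mac": "a4:1f:72:c2:09:6a", "dest_mac": "00:08:02:1c:47:ae"}, '
    '"dns": {"type": "answer", "id": 62832, "rrname": "germakhya.xyz", '
    '"rcode": "NOERROR", "answers": [{"rrname": "germakhya.xyz", "rrtype": "A", '
    '"ttl": 599, "rdata": "95.142.46.236"}]}}',
]

def packet_endpoints(event):
    """(src_ip, src_port, dest_ip, dest_port) of the packet itself.
    EVE src/dest describe the flow as seen from its first packet (client ->
    resolver), so an answer, which travels resolver -> client, is flipped
    before the tuple is used for per-packet correlation."""
    s_ip, s_port = event["src_ip"], event["src_port"]
    d_ip, d_port = event["dest_ip"], event["dest_port"]
    if event["dns"]["type"] == "answer":
        return d_ip, d_port, s_ip, s_port
    return s_ip, s_port, d_ip, d_port

def ether_agrees(query, answer):
    """Cross-check the flip against the layer-2 addresses, which EVE logs
    per packet: the answer's src_mac must be the query's dest_mac and
    vice versa for the two records to be one exchange."""
    q, a = query["ether"], answer["ether"]
    return (q["src_mac"], q["dest_mac"]) == (a["dest_mac"], a["src_mac"])

def normalize(lines):
    """Parse EVE lines; map (flow_id, dns id) -> (query tuple, answer tuple,
    ether consistent). Pairs missing either side are skipped."""
    by_key = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        key = (ev["flow_id"], ev["dns"]["id"])
        by_key.setdefault(key, {})[ev["dns"]["type"]] = ev
    out = {}
    for key, pair in by_key.items():
        if "query" in pair and "answer" in pair:
            q, a = pair["query"], pair["answer"]
            out[key] = (packet_endpoints(q), packet_endpoints(a), ether_agrees(q, a))
    return out
```

Run `normalize(EVE_LINES)` to see that the answer's packet tuple comes back as 10.7.5.5:53 -> 10.7.5.101:50643, with the MAC cross-check reporting True.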