DNS: fix parsing of hostname for empty response messages

Author: IvanNardi

src/lib/protocols/dns.c

@@ -706,13 +706,18 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st
 
 static int process_hostname(struct ndpi_detection_module_struct *ndpi_struct,
                             struct ndpi_flow_struct *flow,
+                            struct ndpi_dns_packet_header *dns_header,
                             ndpi_master_app_protocol *proto) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   char *dot;
   u_int len, is_mdns, off = sizeof(struct ndpi_dns_packet_header) + (packet->tcp ? 2 : 0);
   char _hostname[256];
   u_int8_t hostname_is_valid;
 
+  /* We try to get hostname only from "standard" query/answer */
+  if(dns_header->num_queries == 0 && dns_header->num_answers == 0)
+    return -1;
+
   proto->master_protocol = checkDNSSubprotocol(ntohs(flow->c_port), ntohs(flow->s_port));
   proto->app_protocol = NDPI_PROTOCOL_UNKNOWN;
 
@@ -803,7 +808,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
     return;
   }
 
-  process_hostname(ndpi_struct, flow, &proto);
+  process_hostname(ndpi_struct, flow, &dns_header, &proto);
 
   off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
 

tests/cfgs/default/result/dns_invert_query.pcapng.out

@@ -24,4 +24,4 @@ DNS	2	134	1
 
 Acceptable                       2 134           1            
 
-	1	UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP 173.147.108.174:18427 <-> 244.187.95.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/78 bytes <-> 1 pkts/56 bytes][Goodput ratio: 46/21][0.00 sec][Hostname/SNI: 216.58.202.4][0.0.0.0][DNS Id: 0x77fc][Risk: ** Error Code **][Risk Score: 10][Risk Info: DNS Error Code NOTIMP][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out

@@ -1,23 +1,23 @@
-Guessed flow protos:	33
+Guessed flow protos:	34
 
 DPI Packets (TCP):	45	(2.14 pkts/flow)
 DPI Packets (UDP):	356	(1.62 pkts/flow)
 DPI Packets (other):	5	(1.00 pkts/flow)
 Confidence Unknown          : 33 (flows)
-Confidence Match by port    : 33 (flows)
-Confidence DPI              : 180 (flows)
-Num dissector calls: 8413 (34.20 diss/flow)
+Confidence Match by port    : 34 (flows)
+Confidence DPI              : 179 (flows)
+Num dissector calls: 8559 (34.79 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/198/0 (insert/search/found)
+LRU cache bittorrent: 0/201/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
-LRU cache mining:     0/66/0 (insert/search/found)
+LRU cache mining:     0/67/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache fpc_dns:    0/66/0 (insert/search/found)
-Automa host:          238/0 (search/found)
-Automa domain:        231/0 (search/found)
+LRU cache fpc_dns:    0/67/0 (insert/search/found)
+Automa host:          237/0 (search/found)
+Automa domain:        230/0 (search/found)
 Automa tls cert:      0/0 (search/found)
-Automa risk mask:     125/0 (search/found)
+Automa risk mask:     124/0 (search/found)
 Automa common alpns:  0/0 (search/found)
 Patricia risk mask:   372/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
@@ -211,7 +211,7 @@ Unrated                         33 4066          33
 	168	UDP 192.168.1.53:2791 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x82eb][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	169	UDP 192.168.1.110:2713 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0x4cd2][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	170	UDP 192.168.1.172:2766 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x7bfd][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	171	UDP 192.168.9.2:2774 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0xdae2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	171	UDP 192.168.9.2:2774 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0xdae2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	172	UDP 192.168.37.115:2758 -> 128.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	173	UDP 192.168.54.2:2829 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][0.0.0.0][DNS Id: 0xd033][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cibercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	174	UDP 192.168.79.2:2791 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/86 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][< 1 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][DNS Id: 0x82eb][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]