Refactor, clean-up and address reviews of the first DNS over TCP PR

* Use RFC 1035 'bytes offset' to decode DNS over TCP payloads * Correct Streams management * Improve error management (for Debug and published Notes) * Tests improvement * Split files of ```package dns``` Minor changes: * Change the name of dnsPrivateData to dnsConnectionData to reflect the naming used in other applayers * Split the ```Parse()``` method in multiple functions to comply more with the code convention used in other applayers implementation * Remove a PCAP file from the previous and first DNS over TCP pull request * Introduce a README.md file
elastic · Jan 5, 2016 · 01a9c70 · 01a9c70
1 parent adffd8d
commit 01a9c70
Show file tree

Hide file tree

Showing 9 changed files with 1,534 additions and 1,218 deletions.
diff --git a/packetbeat/protos/dns/README.md b/packetbeat/protos/dns/README.md
@@ -0,0 +1,43 @@
+#### UDP
+
+**Parsing**
+
+1. Attempt to decode each UDP packet.
+2. If it succeeds, a transaction is sent.
+
+**Error management**
+* Debug information is printed if:
+  * A packet fails to decode.
+
+* Error Notes are published if:
+  * Never
+
+#### TCP
+
+**Parsing**
+
+1. Fetch the first two bytes of a message containing the length of the message ([RFC 1035](https://www.ietf.org/rfc/rfc1035.txt)).
+2. Fill the buffer ```DnsStream.rawData``` with each new ```Parse```.
+3. Once the buffer has the expected length (first two bytes), it is decoded and the message is published.
+
+**Error management**
+* Debug information is printed if:
+  * A message has an unexpected length at any point of the transmission (```Parse```, ```GapInStream```, ```ReceivedFin```).
+  * A message fails to decode.
+
+* Error Notes are published if:
+  * A response following a request (```dnsConnectionData.prevRequest```) fails to decode.
+  * A response following a request (```dnsConnectionData.prevRequest```) has an unexpected length at any point of the transmission (```Parse```, ```GapInStream```, ```ReceivedFin```).
+
+When response error Notes are linked to the previous request, the transaction is then published and removed from the cache (see ```publishResponseError()```).
+
+#### TODO
+
+**General**
+* Publish an event with Notes when a Query or a lone Response cannot be decoded.
+* Add EDNS and DNSSEC support (consider using miekg/dns instead
+  of gopacket).
+* Consider adding ICMP support to
+     - correlate ICMP type 3, code 4 (datagram too big) with DNS messages,
+     - correlate ICMP type 3, code 13 (administratively prohibited) or
+       ICMP type 3, code 3 (port unreachable) with blocked DNS messages.