authorLuca <deri@ntop.org>2024-10-02 15:55:35 +0200
committerLuca <deri@ntop.org>2024-10-02 15:55:35 +0200
commit45323e3bf8a0fc56fd5f74c12f78e2f27429e701 (patch)
tree7c49dc82092a43b645ac8cfd54344fcfa1017604 /src
parent4df60a888b374e4b41298d0d63f98fcaff05786d (diff)
Exports DNS A/AAAA responses (up to 4 addresses)
Changed the default to IPv4 (used to be IPv6) in case of DNS error response
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h9
-rw-r--r--src/lib/ndpi_main.c6
-rw-r--r--src/lib/protocols/dns.c14
3 files changed, 18 insertions, 11 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1973bd981..6116bc453 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1207,6 +1207,7 @@ typedef enum {
} ndpi_cipher_weakness;
#define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16
+#define MAX_NUM_DNS_RSP_ADDRESSES 4
typedef struct {
union {
@@ -1343,10 +1344,12 @@ struct ndpi_flow_struct {
union {
/* the only fields useful for nDPI and ntopng */
struct {
- u_int8_t num_queries, num_answers, reply_code;
- u_int8_t is_query:1, is_rsp_addr_ipv6:1, pad:6;
+ u_int8_t num_queries, num_answers, reply_code, num_rsp_addr;
+ u_int8_t is_query:1, pad:7;
u_int16_t query_type, query_class, rsp_type, edns0_udp_payload_size;
- ndpi_ip_addr_t rsp_addr; /* The first address in a DNS response packet (A and AAAA) */
+ u_int8_t is_rsp_addr_ipv6[MAX_NUM_DNS_RSP_ADDRESSES];
+ ndpi_ip_addr_t rsp_addr[MAX_NUM_DNS_RSP_ADDRESSES]; /* The first num_rsp_addr address in a DNS response packet (A and AAAA) */
+ u_int32_t rsp_addr_ttl[MAX_NUM_DNS_RSP_ADDRESSES];
char geolocation_iata_code[4];
char ptr_domain_name[64 /* large enough but smaller than { } tls */];
} dns;
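Review bot: The three new arrays are parallel and only meaningful up to `num_rsp_addr`, but that invariant is not written down in the struct, and the comment on `rsp_addr` ("The first num_rsp_addr address") is hard to parse. I would put one comment above them, for example `/* rsp_addr[i], is_rsp_addr_ipv6[i] and rsp_addr_ttl[i] are valid for i < num_rsp_addr (at most MAX_NUM_DNS_RSP_ADDRESSES) */`, and state whether `rsp_addr_ttl` is in host byte order. The `dns` member also grows by several dozen bytes inside the union; the existing comment on `ptr_domain_name` suggests its size is tuned against the `tls` member, so it is worth confirming that the union, and therefore every flow, did not get larger.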
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index ef5bab840..ecb939605 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7483,10 +7483,10 @@ static u_int64_t make_fpc_dns_cache_key(struct ndpi_flow_struct *flow) {
u_int64_t fpc_dns_cache_key_from_dns_info(struct ndpi_flow_struct *flow) {
u_int64_t key;
- if(flow->protos.dns.is_rsp_addr_ipv6)
- key = ndpi_quick_hash64((const char *)&flow->protos.dns.rsp_addr.ipv6, 16);
+ if(flow->protos.dns.is_rsp_addr_ipv6[0])
+ key = ndpi_quick_hash64((const char *)&flow->protos.dns.rsp_addr[0].ipv6, 16);
else
- key = (u_int64_t)(flow->protos.dns.rsp_addr.ipv4);
+ key = (u_int64_t)(flow->protos.dns.rsp_addr[0].ipv4);
return key;
}
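Review bot: `fpc_dns_cache_key_from_dns_info` builds the key from slot 0 of `is_rsp_addr_ipv6` and `rsp_addr` without consulting the new `num_rsp_addr`, so a flow that stored no address produces a key from whatever slot 0 holds (presumably zero after flow initialisation, which is not visible here), and all such flows would share one key. The function should document the precondition, for example `/* Keys on the first exported address only; callers must check num_rsp_addr > 0 */`, or the caller should skip the cache when the counter is zero. The comment would also make it explicit that the other stored addresses are not keyed.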
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 4e3b09d5b..8a6e2d1a8 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -445,6 +445,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
/* x points to the response "class" field */
if((x+12) <= packet->payload_packet_len) {
+ u_int32_t ttl = ntohl(*((u_int32_t*)&packet->payload[x+2]));
+
x += 6;
data_len = get16(&x, packet->payload);
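Review bot: The TTL read `*((u_int32_t*)&packet->payload[x+2])` dereferences a byte pointer as a 32-bit word at an offset that follows a variable-length name, so the access is generally unaligned; that is undefined behaviour in C and can fault on strict-alignment targets when parsing network input. The `(x+12) <= packet->payload_packet_len` check already covers the four bytes, so only the access method needs to change: `u_int32_t ttl; memcpy(&ttl, &packet->payload[x+2], sizeof(ttl)); ttl = ntohl(ttl);`. search_valid_dns starts and ends outside the hunk.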
@@ -473,16 +475,18 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
|| ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */
)) {
if(found == 0) {
- memcpy(&flow->protos.dns.rsp_addr, packet->payload + x, data_len);
- flow->protos.dns.is_rsp_addr_ipv6 = (data_len == 16) ? 1 : 0;
- found = 1;
+ memcpy(&flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], packet->payload + x, data_len);
+ flow->protos.dns.is_rsp_addr_ipv6[flow->protos.dns.num_rsp_addr] = (data_len == 16) ? 1 : 0;
+ flow->protos.dns.rsp_addr_ttl[flow->protos.dns.num_rsp_addr] = ttl;
+ if(++flow->protos.dns.num_rsp_addr == MAX_NUM_DNS_RSP_ADDRESSES)
+ found = 1;
}
}
-
+
x += data_len;
}
}
-
+
if(found && (dns_header->additional_rrs == 0)) {
/*
In case we have RR we need to iterate
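Review bot: The store into `rsp_addr[flow->protos.dns.num_rsp_addr]` is guarded only by `found == 0`, while the index is kept in the flow. If `found` is reset on each call (its declaration is outside the hunk) and a flow carries more than one response, `num_rsp_addr` can already equal MAX_NUM_DNS_RSP_ADDRESSES, and the memcpy and the two assignments then write past the end of all three arrays with packet-controlled data. Guard on the counter itself, `if(flow->protos.dns.num_rsp_addr < MAX_NUM_DNS_RSP_ADDRESSES) {`, or reset the counter where response parsing begins. Separately, `found` is now set only once four addresses are stored, so `if(found && (dns_header->additional_rrs == 0))` no longer runs for responses with one to three addresses; if that is unintended, set `found = 1;` after the first stored address and rely on the counter check to limit the stores. search_valid_dns starts and ends outside the hunk.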