authorNardi Ivan <nardi.ivan@gmail.com>2024-01-10 10:06:03 +0100
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-01-18 10:21:24 +0100
commitc704be1a20d169bea1c55a720421742f09f4aa88 (patch)
treea88a79ec47bdd7910385eac1b187607f80e4ff21 /src
parent950f209a1736e76ca621a8ffebef9dcd2fa9745d (diff)
config: DNS: add two configuration options
* Enable/disable sub-classification of DNS flows * Enable/disable processing of DNS responses
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_private.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/protocols/dns.c41
3 files changed, 31 insertions, 16 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index cf857be23..0de05c817 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -205,6 +205,9 @@ struct ndpi_detection_module_config_struct {
int stun_opportunistic_tls_enabled;
+ int dns_subclassification_enabled;
+ int dns_parse_response_enabled;
+
int http_parse_response_enabled;
int ookla_aggressiveness;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d3282c7da..8e0c8b278 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -10790,6 +10790,9 @@ static const struct cfg_param {
{ "stun", "tls_dissection.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(stun_opportunistic_tls_enabled) },
+ { "dns", "subclassification.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_subclassification_enabled) },
+ { "dns", "process_response.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_parse_response_enabled) },
+
{ "http", "process_response.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_parse_response_enabled) },
{ "ookla", "aggressiveness", "0x01", "0", "1", CFG_PARAM_INT, __OFF(ookla_aggressiveness) },
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 8bef69461..112c2ad50 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -785,23 +785,30 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
}
if(len > 0) {
- ndpi_protocol_match_result ret_match;
+ if(ndpi_struct->cfg.dns_subclassification_enabled) {
+ ndpi_protocol_match_result ret_match;
- ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
- flow->host_server_name,
- strlen(flow->host_server_name),
- &ret_match,
+ ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
+ flow->host_server_name,
+ strlen(flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_DNS);
+
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
+ else
+ ret.master_protocol = NDPI_PROTOCOL_DNS;
+
+ ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
+ } else {
+ ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
+ ret.app_protocol = NDPI_PROTOCOL_UNKNOWN;
+ }
+
/* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol */
flow->category = NDPI_PROTOCOL_CATEGORY_NETWORK;
- if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
- ret.master_protocol = checkDNSSubprotocol(s_port, d_port);
- else
- ret.master_protocol = NDPI_PROTOCOL_DNS;
-
- ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
}
/* Report if this is a DNS query or reply */
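Review bot: With `dns_subclassification_enabled` set to 0, the `ndpi_check_dga_name(...)` call is skipped as well, because it now sits inside the `if(ndpi_struct->cfg.dns_subclassification_enabled)` branch, whereas before it ran for every query with a non-empty name. An operator who turns sub-classification off would also lose the DGA check on DNS query names, and nothing in the option name `subclassification.enable` suggests that. If the coupling is not intended, move `ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);` below the `else` block so it runs in both cases. If it is intended, state it in a comment on the `else` branch, e.g. `/* DGA check is skipped too when sub-classification is off */`, and in the option's documentation. The body of `ndpi_search_dns` starts and ends outside this hunk.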
@@ -811,11 +818,13 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
/* In this case we say that the protocol has been detected just to let apps carry on with their activities */
ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol, NDPI_CONFIDENCE_DPI);
- /* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */
- if(ret.master_protocol != NDPI_PROTOCOL_LLMNR) {
- /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
- flow->max_extra_packets_to_check = 5;
- flow->extra_packets_func = search_dns_again;
+ if(ndpi_struct->cfg.dns_parse_response_enabled) {
+ /* We have never triggered extra-dissection for LLMNR. Keep the old behaviour */
+ if(ret.master_protocol != NDPI_PROTOCOL_LLMNR) {
+ /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */
+ flow->max_extra_packets_to_check = 5;
+ flow->extra_packets_func = search_dns_again;
+ }
}
return; /* The response will set the verdict */
}
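Review bot: The trailing comment on `return; /* The response will set the verdict */` is no longer accurate when `dns_parse_response_enabled` is 0. In that case `extra_packets_func` is never set to `search_dns_again`, so the result passed to `ndpi_set_detected_protocol` just above is final. Suggest rewording it to `/* The response, if processed, will set the verdict */` and adding a comment on the new `if` saying that disabling the option stops dissection at the query. What `search_dns_again` derives from responses is not visible here, so the option's documentation should list which response-side information is lost. The enclosing function starts outside this hunk.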