aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols/dns.c
Commit message (Collapse)AuthorAge
* DNS: `ndpi_match_host_subprotocol()` should be called only onceIvan Nardi9 days
|
* Fix some warnings reported by scan-build (#2851)Ivan Nardi2025-05-25
| | | Close #2807
* A new interface for dissectors registration (#2843)Ivan Nardi2025-05-24
| | | | | | | | | | | | | | | | | | | | | We use `registr_dissector()` instead of `ndpi_set_bitmask_protocol_detection()`. Every file in `src/lib/protocols/*.c` is a dissector. Every dissector can handle multiple protocols. The real goal is this small change: ``` struct call_function_struct { - NDPI_PROTOCOL_BITMASK detection_bitmask; ``` i.e. getting rid of another protocol bitmask: this is mandatory to try to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714) As a nice side effect, we remove a bitmask comparison in the hot function `check_ndpi_detection_func()` TODO: change logging configuration from per-protocol to per-dissector
* Minor simplification on protocol/dissector registration (#2833)Ivan Nardi2025-05-20
|
* FPC: save all addresses from DNS to `fpc_dns` cache (#2792)Ivan Nardi2025-04-10
|
* Improved configuration to enable/disable export of flow risk info (#2780)Ivan Nardi2025-03-25
| | | | Follow-up of f56831336334dddcff00eaf2132e5e0f226f0e32: now the configuration is for flow-risk, not global
* Add configuration parameter to enable/disable export of flow risk info (#2761)Ivan Nardi2025-03-05
| | | | For the most common protocols, avoid creating the string message if we are not going to use it
* DNS: remove never-trigger checkIvan Nardi2025-03-03
| | | | This `if` check is always false
* DNS: rework "extra-dissection" code (#2735)Ivan Nardi2025-02-17
|
* Fix/restore some public defines (#2734)Ivan Nardi2025-02-17
| | | See 6899f6c17 and 9bf513b34
* DNS: fix message parsing (#2732)Ivan Nardi2025-02-16
|
* DNS: fix parsing of hostname for empty response messages (#2731)Ivan Nardi2025-02-16
|
* DNS: rework adding entries to the FPC-DNS cache (#2730)Ivan Nardi2025-02-16
| | | | | Try to populate the FPC-DNS cache using directly the info from the current packet, and not from the metadata saved in `struct ndpi_flow_struct`. This will be important when adding monitoring support
* DNS: improved detection and handling of TCP packets (#2728)Ivan Nardi2025-02-15
|
* DNS: rework code (#2727)Ivan Nardi2025-02-15
|
* DNS: fix dissection (#2726)Ivan Nardi2025-02-15
|
* DNS: set `NDPI_MALFORMED_PACKET` risk if the answer message is invalid (#2724)Ivan Nardi2025-02-15
| | | We already set the same flow risk for invalid request messages
* DNS: rework code parsing responses (#2722)Ivan Nardi2025-02-14
|
* DNS: rework/isolate code to process domain name (#2721)Ivan Nardi2025-02-13
|
* DNS: faster exclusion (#2719)Ivan Nardi2025-02-12
|
* DNS: try to simplify the code (#2718)Ivan Nardi2025-02-12
| | | Set the classification in only one place in the code.
* DNS: fix check for DGA domain (#2716)Ivan Nardi2025-02-11
| | | | If we have a (potential) valid sub-classification, we shoudn't check for DGA, even if the subclassification itself is disabled!
* DNS: evaluate all flow risks even if sub-classification is disabled (#2714)Ivan Nardi2025-02-11
|
* dns: fix writing to `flow->protos.dns`Ivan Nardi2025-02-11
| | | | | We can't write to `flow->protos.dns` until we are sure it is a valid DNS flow
* DNS: fix dissection when there is only the response messageIvan Nardi2025-02-11
|
* DNS: fix extraction of transactionID field (#2703)Ivan Nardi2025-01-31
| | | | | | | | | | | | | | | | | | | | We can't write to `flow->protos.dns` until we are sure this is a valid DNS packet ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==14729==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x60e876372a86 bp 0x000000000000 sp 0x79392fdf90e0 T1) ==14729==The signal is caused by a READ memory access. ==14729==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used. #0 0x60e876372a86 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/home/ivan/svnrepos/nDPI/example/ndpiReader+0x8b0a86) (BuildId: a9c4718bcd5c3947812b6fd704e203b8bb6f633c) #1 0x60e87640b29f in free (/home/ivan/svnrepos/nDPI/example/ndpiReader+0x94929f) (BuildId: a9c4718bcd5c3947812b6fd704e203b8bb6f633c) #2 0x60e87647b0ec in free_wrapper /home/ivan/svnrepos/nDPI/example/ndpiReader.c:348:3 #3 0x60e876865454 in ndpi_free /home/ivan/svnrepos/nDPI/src/lib/ndpi_memory.c:82:7 #4 0x60e8767f0d4f in ndpi_free_flow_data /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6752:2 #5 0x60e8767abd67 in ndpi_free_flow /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:10449:5 ``` Found by oss-fuzz
* Exported DNS transactionIdLuca Deri2025-01-30
|
* DNS: fix relationship between FPC and subclassification (#2702)Ivan Nardi2025-01-30
| | | Allow optimal FPC even if DNS subclassification is disabled
* Add the ability to enable/disable every specific flow risks (#2653)Ivan Nardi2025-01-06
|
* DNS: fix Index-out-of-bounds error (#2644)Ivan Nardi2024-12-13
| | | | | | | | | | | | | ``` Running: /home/ivan/Downloads/clusterfuzz-testcase-minimized-fuzz_ndpi_reader_pl7m_simplest_internal-5759495480868864 protocols/dns.c:482:5: runtime error: index 4 out of bounds for type 'u_int8_t[4]' (aka 'unsigned char[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:482:5 protocols/dns.c:483:5: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/dns.c:483:5 protocols/dns.c:490:12: runtime error: index 4 out of bounds for type 'u_int32_t[4]' (aka 'unsigned int[4]') ``` Found by oss-fuzz See: https://issues.oss-fuzz.com/issues/383911300?pli=1
* Implemented (disabled by default) DNS host cache. You can set the cache size ↵Luca Deri2024-10-07
| | | | | | | | | | as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i <pcap>.pcap In the above example the cache has up to 1000 entries. In jcase ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname
* Exports DNS A/AAAA responses (up to 4 addresses)Luca2024-10-02
| | | | Changed the default to IPv4 (used to be IPv6) in case of DNS error response
* dns: add a check before setting `NDPI_MALFORMED_PACKET` risk (#2558)Ivan Nardi2024-09-16
| | | | | | "Invalid DNS Header"-risk should be set only if the flow has been already classified as DNS. Otherwise, almost any non-DNS flows on port 53 will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little bit confusing for non DNS traffic
* Introduced ndpi_master_app_protocol typedefLuca Deri2024-08-24
|
* FPC: add DNS correlation (#2497)mmanoj2024-07-22
| | | | | | | | | Use DNS information to get a better First Packet Classification. See: #2322 --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Improved logic for checking invalid DNS queriesLuca Deri2024-06-23
|
* Domain Classification Improvements (#2396)Luca Deri2024-04-18
| | | | | | | | | | | | | | | | | | | * Added size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize); size_t ndpi_decompress_str(const char * in, size_t len, char * out, size_t bufsize); used to compress short strings such as domain names. This code is based on https://github.com/Ed-von-Schleck/shoco * Major code rewrite for ndpi_hash and ndpi_domain_classify * Improvements to make sure custom categories are loaded and enabled * Fixed string encoding * Extended SalesForce/Cloudflare domains list
* Disable `-Wno-unused-parameter -Wno-unused-function`. (#2358)Toni2024-04-03
| | | | | * unused parameters and functions pollute the code and decrease readability Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improved alert on suspicious DNS trafficLuca Deri2024-03-05
|
* Normalization of host_server_name (#2299)Vitaly Lavrov2024-02-05
| | | | | | | | | * Normalization of host_server_name The ndpi_hostname_sni_set() function replaces all non-printable characters with the "?" character and removing whitespace characters at the end of the line. * Added conditional hostname normalization.
* config: DNS: add two configuration optionsNardi Ivan2024-01-18
| | | | | * Enable/disable sub-classification of DNS flows * Enable/disable processing of DNS responses
* Fix some warnings reported by CODESonar (#2227)Ivan Nardi2024-01-12
| | | | | | | | | | | | | | | | | | | Remove some unreached/duplicated code. Add error checking for `atoi()` calls. About `isdigit()` and similar functions. The warning reported is: ``` Negative Character Value help isdigit() is invoked here with an argument of signed type char, but only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of macro EOF(-1). Casting the argument to unsigned char will avoid the undefined behavior. In a number of libc implementations, isdigit() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun. ``` Switching to our macros fix that. Add a check to `check_symbols.sh` to avoid using the original functions from libc.
* Various MDNS flow risks fixesLuca2023-12-21
|
* MDNS fixLuca2023-12-21
|
* Have a clear distinction between public and private/internal API (#2137)Ivan Nardi2023-11-09
| | | | | | 1) Public API/headers in `src/include/` [as it has always been] 2) Private API/headers in `src/lib/` Try to keep the "ndpi_" prefix only for the public functions
* Fix some errors found by fuzzers (#2078)Ivan Nardi2023-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix compilation on Windows. "dirent.h" file has been taken from https://github.com/tronkko/dirent/ Fix Python bindings Fix some warnings with x86_64-w64-mingw32-gcc: ``` protocols/dns.c: In function ‘ndpi_search_dns’: protocols/dns.c:775:41: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 | unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; | ^ protocols/dns.c:775:62: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 775 | unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname; | ``` ``` In file included from ndpi_bitmap64.c:31: third_party/include/binaryfusefilter.h: In function ‘binary_fuse8_hash’: third_party/include/binaryfusefilter.h:160:32: error: left shift count >= width of type [-Werror=shift-count-overflow] 160 | uint64_t hh = hash & ((1UL << 36) - 1); ``` ``` In function ‘ndpi_match_custom_category’, inlined from ‘ndpi_fill_protocol_category.part.0’ at ndpi_main.c:7056:16: ndpi_main.c:3419:3: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] 3419 | strncpy(buf, name, name_len); ```
* Enhance DNS risk for long hostnames (> 32)Luca Deri2023-09-09
|
* Improved detection of invalid chars in DNS namesLuca Deri2023-09-09
|
* fuzz: extend coverage (#2073)Ivan Nardi2023-08-20
|
* DNS: extract geolocation information, if available (#2065)Ivan Nardi2023-07-31
| | | | | | | The option NSID (RFC5001) is used by Google DNS to report the airport code of the metro where the DNS query is handled. This option is quite rare, but the added overhead in DNS code is pretty much zero for "normal" DNS traffic