7.9. Dns¶

Dns dissector module.

Usage:

local dns = require('protocol/dns')

7.9.1. Dissector¶

dissector DnsDissector¶

Name :	`'dns'`
Extend :	`haka.helper.FlowDissector`

Dissector for the DNS protocol.

7.9.2. Protocol elements¶

object dns.DnsResult¶

DNS message.

<DnsDissector>.id¶

<DnsDissector>.qr¶

<DnsDissector>.opcode¶

<DnsDissector>.aa¶

<DnsDissector>.tc¶

<DnsDissector>.rd¶

<DnsDissector>.ra¶

<DnsDissector>.rcode¶

<DnsDissector>.qdcount¶

<DnsDissector>.ancount¶

<DnsDissector>.nscount¶

<DnsDissector>.arcount¶

Type:	number

DNS fields as defined by RFC 1035.

<DnsDissector>.question¶

Type:	`DnsQuestionRecord` array

DNS Question.

<DnsDissector>.answer¶

<DnsDissector>.authority¶

<DnsDissector>.additional¶

Type:	`DnsResourceRecord` array

DNS answer, authority and additional informations.

<DnsDissector>:drop()¶: Drop the DNS message.

object DnsQuestionRecord¶

Question record as defined by RFC 1035.

<DnsQuestionRecord>.name¶
<DnsQuestionRecord>.type¶
<DnsQuestionRecord>.class¶: DNS question record fields as defined by RFC 1035.

object DnsResourceRecord¶

Resource record as defined by RFC 1035.

<DnsResourceRecord>.name¶
<DnsResourceRecord>.type¶
<DnsResourceRecord>.class¶
<DnsResourceRecord>.ttl¶
<DnsResourceRecord>.length¶: DNS resource record fields as defined by RFC 1035.

Note

The following fields may be present depending on <DnsResourceRecord>.type.

<DnsResourceRecord>.ip¶

Type:	`addr`

IPv4 object.

<DnsResourceRecord>.name

Type:	string

Domain name as a string.

7.9.3. Events¶

event dns.events.query(dns, query)¶

Parameters:	dns (`DnsDissector`) – DNS dissector. query (`DnsResult`) – Dns query message.

Event triggered whenever a new HTTP request is received.

event dns.events.response(dns, response, query)¶

Parameters:	dns (`DnsDissector`) – DNS dissector. response (`DnsResult`) – Dns response message. query (`DnsResult`) – Dns query message associated with the response.

Event triggered whenever a new HTTP response is received.

7.9.4. Example¶

-- This Source Code Form is subject to the terms of the Mozilla Public
-- License, v. 2.0. If a copy of the MPL was not distributed with this
-- file, You can obtain one at http://mozilla.org/MPL/2.0/.

local dns = require("protocol/dns")

dns.install_udp_rule(53)

local function alert_pdns(array)
    for _, a in ipairs(array) do
        if a.type == "A" then
            haka.alert{
                description = string.format("PDNS: %s -> %s", a.name, a.ip),
            }
        end
    end
end

haka.rule {
    hook = dns.events.response,
    eval = function (dns, response)
        alert_pdns(response.answer)
        alert_pdns(response.additional)
    end
}

Haka

Software Defined Security

7.9. Dns¶

7.9.1. Dissector¶

7.9.2. Protocol elements¶

7.9.3. Events¶

7.9.4. Example¶