The DNS Preprocessor
Note | This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors. |
The DNS preprocessor inspects DNS name server responses for the following specific exploits:
-
Overflow attempts on RData text fields
-
Obsolete DNS resource record types
-
Experimental DNS resource record types
The most common type of DNS name server response provides one or more IP addresses that correspond to domain names in the query that prompted the response. Other types of server responses provide, for example, the destination of an email message or the location of a name server that can provide information not available from the server originally queried.
A DNS response is comprised of:
-
a message header
-
a Question section that contains one or more requests
-
three sections that respond to requests in the Question section
-
Answer
-
Authority
-
Additional Information.
-
Responses in these three sections reflect the information in resource records (RR) maintained on the name server. The following table describes these three sections.
This section... |
Includes... |
For example... |
---|---|---|
Answer |
Optionally, one or more resource records that provide a specific answer to a query |
The IP address corresponding to a domain name |
Authority |
Optionally, one or more resource records that point to an authoritative name server |
The name of an authoritative name server for the response |
Additional Information |
Optionally, one or more resource records that provided additional information related to the Answer sections |
The IP address of another server to query |
There are many types of resource records, all adhering to the following structure:
Theoretically, any type of resource record can be used in the Answer, Authority, or Additional Information section of a name server response message. The DNS preprocessor inspects any resource record in each of the three response sections for the exploits it detects.
The Type and RData resource record fields are of particular importance to the DNS preprocessor. The Type field identifies the type of resource record. The RData (resource data) field provides the response content. The size and content of the RData field differ depending on the type of resource record.
DNS messages typically use the UDP transport protocol but also use TCP when the message type requires reliable delivery or the message size exceeds UDP capabilities. The DNS preprocessor inspects DNS server responses in both UDP and TCP traffic.
The DNS preprocessor does not inspect TCP sessions picked up in midstream, and ceases inspection if a session loses state because of dropped packets.