1
1
mirror of https://github.com/wader/fq.git synced 2024-11-29 23:27:12 +03:00
fq/format/dns/dns.go
Mattias Wadman 8e0dde03d0 decode: Support multiple format args and some rename and refactor
This will allow passing both cli options and format options to sub decoder.
Ex: pass keylog option to a tls decoder when decoding a pcap.
Ex: pass decode options to a format inside a http body inside a pcap.

Add ArgAs method to lookup argument based on type. This also makes the format
decode function have same signature as sub decoders in the decode API.

This change decode.Format a bit:
DecodeFn is now just func(d *D) any
DecodeInArg renamed to DefaultInArg
2023-02-18 21:38:51 +01:00

272 lines
8.0 KiB
Go

package dns
// https://datatracker.ietf.org/doc/html/rfc1035
// https://github.com/Forescout/namewreck/blob/main/rfc/draft-dashevskyi-dnsrr-antipatterns-00.txt
import (
"net"
"strings"
"github.com/wader/fq/format"
"github.com/wader/fq/pkg/decode"
"github.com/wader/fq/pkg/interp"
"github.com/wader/fq/pkg/scalar"
)
func init() {
interp.RegisterFormat(decode.Format{
Name: format.DNS,
Description: "DNS packet",
Groups: []string{format.UDP_PAYLOAD},
DecodeFn: dnsUDPDecode,
})
}
const (
classIN = 1
)
var classNames = scalar.UintRangeToScalar{
{Range: [2]uint64{0x0000, 0x0000}, S: scalar.Uint{Sym: "reserved", Description: "Reserved"}},
{Range: [2]uint64{classIN, classIN}, S: scalar.Uint{Sym: "in", Description: "Internet"}},
{Range: [2]uint64{0x0002, 0x0002}, S: scalar.Uint{Sym: "unassigned", Description: "Unassigned"}},
{Range: [2]uint64{0x0003, 0x0003}, S: scalar.Uint{Sym: "chaos", Description: "Chaos"}},
{Range: [2]uint64{0x0004, 0x0004}, S: scalar.Uint{Sym: "hesiod", Description: "Hesiod"}},
{Range: [2]uint64{0x0005, 0x00fd}, S: scalar.Uint{Sym: "unassigned", Description: "Unassigned"}},
{Range: [2]uint64{0x00fe, 0x00fe}, S: scalar.Uint{Sym: "qclass_none", Description: "QCLASS NONE"}},
{Range: [2]uint64{0x00ff, 0x00ff}, S: scalar.Uint{Sym: "qclass_any", Description: "QCLASS ANY"}},
{Range: [2]uint64{0x0100, 0xfeff}, S: scalar.Uint{Sym: "unassigned", Description: "Unassigned"}},
{Range: [2]uint64{0xff00, 0xfffe}, S: scalar.Uint{Sym: "private", Description: "Reserved for Private Use"}},
{Range: [2]uint64{0xffff, 0xffff}, S: scalar.Uint{Sym: "reserved", Description: "Reserved"}},
}
const (
typeA = 1
typeNS = 2
typeCNAME = 5
typeSOA = 6
typePTR = 12
typeTXT = 16
typeAAAA = 28
)
var typeNames = scalar.UintMapSymStr{
typeA: "a",
typeAAAA: "aaaa",
18: "afsdb",
42: "apl",
257: "caa",
60: "cdnskey",
59: "cds",
37: "cert",
typeCNAME: "cname",
62: "csync",
49: "dhcid",
32769: "dlv",
39: "dname",
48: "dnskey",
43: "ds",
108: "eui48",
109: "eui64",
13: "hinfo",
55: "hip",
45: "ipseckey",
25: "key",
36: "kx",
29: "loc",
15: "mx",
35: "naptr",
typeNS: "ns",
47: "nsec",
50: "nsec3",
51: "nsec3_param",
61: "openpgp_key",
typePTR: "ptr",
46: "rrsig",
17: "rp",
24: "sig",
53: "smimea",
typeSOA: "soa",
33: "srv",
44: "sshfp",
32768: "ta",
249: "tkey",
52: "tlsa",
250: "tsig",
typeTXT: "txt",
256: "uri",
63: "zonemd",
64: "svcb",
65: "https",
}
var rcodeNames = scalar.UintMap{
0: {Sym: "no_error", Description: "No error"},
1: {Sym: "form_err", Description: "Format error"},
2: {Sym: "serv_fail", Description: "Server failure"},
3: {Sym: "nx_domain", Description: "Non-Existent Domain"},
4: {Sym: "no_tiimpl", Description: "Not implemented"},
5: {Sym: "refused", Description: "Refused"},
6: {Sym: "yx_domain", Description: "DescriptionName Exists when it should not"}, // RFC 2136
7: {Sym: "yxrr_set", Description: "RR Set Exists when it should not"}, // RFC 2136
8: {Sym: "nxrr_set", Description: "RR Set that should exist does not"}, // RFC 2136
9: {Sym: "not_auth", Description: "Server Not Authoritative for zone"}, // RFC 2136
10: {Sym: "not_zone", Description: "Name not contained in zone"}, // RFC 2136
// collision in RFCs
// 16: {Sym: "badvers", Description: "Bad OPT Version"}, // RFC 2671
16: {Sym: "bad_sig", Description: "TSIG Signature Failure"}, // RFC 2845
17: {Sym: "bad_key", Description: "Key not recognized"}, // RFC 2845
18: {Sym: "bad_time", Description: "Signature out of time window"}, // RFC 2845
19: {Sym: "bad_mode", Description: "Bad TKEY Mode"}, // RFC 2930
20: {Sym: "bad_name", Description: "Duplicate key name"}, // RFC 2930
21: {Sym: "bad_alg", Description: "Algorithm not supported"}, // RFC 2930
}
func decodeAStr(d *decode.D) string {
return net.IP(d.BytesLen(4)).String()
}
func decodeAAAAStr(d *decode.D) string {
return net.IP(d.BytesLen(16)).String()
}
func fieldDecodeLabel(d *decode.D, pointerOffset int64, name string) {
var endPos int64
const maxJumps = 100
jumpCount := 0
d.FieldStruct(name, func(d *decode.D) {
var ls []string
d.FieldArray("labels", func(d *decode.D) {
seenTermintor := false
for !seenTermintor {
d.FieldStruct("label", func(d *decode.D) {
if d.PeekBits(2) == 0b11 {
d.FieldU2("is_pointer")
pointer := d.FieldU14("pointer")
if endPos == 0 {
endPos = d.Pos()
}
jumpCount++
if jumpCount > maxJumps {
d.Fatalf("label has more than %d jumps", maxJumps)
}
d.SeekAbs(int64(pointer)*8 + pointerOffset)
}
l := d.FieldU8("length")
if l == 0 {
seenTermintor = true
return
}
ls = append(ls, d.FieldUTF8("value", int(l)))
})
}
})
d.FieldValueStr("value", strings.Join(ls, "."))
})
if endPos != 0 {
d.SeekAbs(endPos)
}
}
func dnsDecodeRR(d *decode.D, pointerOffset int64, resp bool, count uint64, name string, structName string) {
d.FieldArray(name, func(d *decode.D) {
for i := uint64(0); i < count; i++ {
d.FieldStruct(structName, func(d *decode.D) {
fieldDecodeLabel(d, pointerOffset, "name")
typ := d.FieldU16("type", typeNames)
class := d.FieldU16("class", classNames)
if resp {
d.FieldU32("ttl")
rdLength := d.FieldU16("rdlength")
d.FramedFn(int64(rdLength)*8, func(d *decode.D) {
// TODO: all only for classIN?
switch {
case class == classIN && typ == typeA:
d.FieldStrFn("address", decodeAStr)
case typ == typeNS:
fieldDecodeLabel(d, pointerOffset, "ns")
case typ == typeCNAME:
fieldDecodeLabel(d, pointerOffset, "cname")
case typ == typeSOA:
fieldDecodeLabel(d, pointerOffset, "mname")
fieldDecodeLabel(d, pointerOffset, "rname")
d.FieldU32("serial")
d.FieldU32("refresh")
d.FieldU32("retry")
d.FieldU32("expire")
d.FieldU32("minimum")
case typ == typePTR:
fieldDecodeLabel(d, pointerOffset, "ptr")
case typ == typeTXT:
var ss []string
d.FieldStruct("txt", func(d *decode.D) {
d.FieldArray("strings", func(d *decode.D) {
for !d.End() {
ss = append(ss, d.FieldUTF8ShortString("string"))
}
})
d.FieldValueStr("value", strings.Join(ss, ""))
})
case class == classIN && typ == typeAAAA:
d.FieldStrFn("address", decodeAAAAStr)
default:
d.FieldUTF8("rdata", int(rdLength))
}
})
}
})
}
})
}
func dnsDecode(d *decode.D, hasLengthHeader bool) any {
pointerOffset := int64(0)
d.FieldStruct("header", func(d *decode.D) {
if hasLengthHeader {
pointerOffset = 16
d.FieldU16("length")
}
d.FieldU16("id")
d.FieldU1("qr", scalar.UintMapSymStr{
0: "query",
1: "response",
})
d.FieldU4("opcode", scalar.UintMapSymStr{
0: "query",
1: "iquery",
2: "status",
4: "notify", // RFC 1996
5: "update", // RFC 2136
})
d.FieldBool("authoritative_answer")
d.FieldBool("truncation")
d.FieldBool("recursion_desired")
d.FieldBool("recursion_available")
d.FieldU3("z")
d.FieldU4("rcode", rcodeNames)
})
qdCount := d.FieldU16("qd_count")
anCount := d.FieldU16("an_count")
nsCount := d.FieldU16("ns_count")
arCount := d.FieldU16("ar_count")
dnsDecodeRR(d, pointerOffset, false, qdCount, "questions", "question")
dnsDecodeRR(d, pointerOffset, true, anCount, "answers", "answer")
dnsDecodeRR(d, pointerOffset, true, nsCount, "nameservers", "nameserver")
dnsDecodeRR(d, pointerOffset, true, arCount, "additionals", "additional")
return nil
}
func dnsUDPDecode(d *decode.D) any {
var upi format.UDPPayloadIn
if d.ArgAs(&upi) {
upi.MustIsPort(d.Fatalf, format.UDPPortDomain, format.UDPPortMDNS)
}
return dnsDecode(d, false)
}