5

The DNS standard allows for specifying more than 1 question per query (I mean inside a single DNS packet). I'm writing a Snort plugin for DNS analysis and I need to test whether it behaves properly when there's a DNS query containing multiple questions.

The DNS packet structure looks like this:

0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F 
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|         <ACTUAL QUESTIONS GO HERE>            |
|                                               |
|                     ...                       |
|                                               |

So if QDCOUNT is greater than 1, there can be multiple DNS questions in a single query.

How can I perform such a query using Linux tools? dig domain1.example domain2.example creates just 2 separate queries with 1 question each. host and nslookup seem to allow querying only 1 name at a time.

Patrick Mevzek
Lapsio
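The question above describes the header layout and asks for a packet with QDCOUNT greater than 1. As an added example that is not from the original post, the following Python builds such a query from the header fields shown in the diagram and, on the defender's side, parses the question section the way an IDS plugin would have to, refusing to walk past the end of a packet whose QDCOUNT overstates what it actually carries. All function names and the transaction ID are my own choices.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(names, txid=0x1234, qtype=1, qclass=1):
    """Build one DNS query whose QDCOUNT equals len(names).
    Header order matches the diagram: ID, flags (only RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, len(names), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", qtype, qclass) for n in names)
    return header + body

def parse_question_section(packet):
    """Return (qdcount, [(name, qtype, qclass), ...]) from the header and question section.
    Raises ValueError when QDCOUNT claims more questions than the bytes present; a plugin
    that trusts QDCOUNT blindly would read past the buffer on such input."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question section")
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:  # compression pointers are not expected in a query's question names
                raise ValueError("compression pointer in question name")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        if pos + 4 > len(packet):
            raise ValueError("truncated question section")
        qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels), qtype, qclass))
    return qdcount, questions

def is_suspicious(packet):
    """Rule discussed in the comments: flag any query carrying more than one question.
    A question section that does not parse is treated as suspicious too."""
    try:
        qdcount, _ = parse_question_section(packet)
    except ValueError:
        return True
    return qdcount > 1
```

Sending the bytes from build_query over UDP to port 53 with a plain socket gives the plugin a real two-question packet to inspect.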

2 Answers

9

See this question for the full details: Requesting A and AAAA records in single DNS query

In short, no: actually no one today does multiple questions in a single query. This was never clearly defined, and poses a lot of questions (like: there is only a single return code, so what do you do for 2 questions if one failed and the other did not?).

It would have been useful for people to do A and AAAA queries at the same time (instead of the deprecated ANY), but it basically does not exist today.

Patrick Mevzek
  • Interesting. It led to more questions than it answered though. If such queries are barely supported by anything I think IPS/IDS should see them as really really suspicious activity or even just plain always drop them without further analysis... – Lapsio Mar 12 '19 at 19:00
  • @Lapsio I think I agree for IDS, at least that is probably suspicious nowadays since no server I suppose will handle them anyway. – Patrick Mevzek Mar 12 '19 at 19:06
  • Interesting. I was wondering why Cloudflare (1.1.1.1.1) and my local ISP do not support ANY DNS queries while Google (8.8.8.8) does. Didn't know that it was deprecated. – lafolle Jul 17 '20 at 20:50
  • @lafolle: About `ANY` deprecation: https://tools.ietf.org/html/rfc8482 – Patrick Mevzek Jul 17 '20 at 21:36
  • @PatrickMevzek thanks for the followup, that's a pretty recent development for the ANY query! – lafolle Jul 19 '20 at 14:10
  • Cloudflare was very vocal about it: https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/ (2015) and https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/ (2016). This gave the RFC written in part by Cloudflare people. – Patrick Mevzek Jul 19 '20 at 14:40
1

You can retrieve all the records from a zone using a single AXFR request, and then parse out the ones you want.

dig @127.0.0.1 domain.com. AXFR

or

nslookup -query=AXFR domain.com 127.0.0.1

Typically AXFR requests are refused except for slave servers, so you will need to whitelist IPs that are allowed to make this request. (In bind this is done with the allow-transfer option).

This won't work for OP's use case of making a snort plugin that checks QDCOUNT but it does kind of solve the problem of sending multiple questions in a single DNS request.

source: serverfault: How to request/acquire all records from a DNS?

ki9