1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

// Borrowed from https://github.com/rusticata/rusticata/blob/master/src/dns_udp.rs
//! DNS transaction parser.
//!
//! The DNS transaction parser uses a [fork](https://github.com/thegwan/dns-parser) of the
//! [dns-parser](https://docs.rs/dns-parser/latest/dns_parser/) crate to parse DNS queries and
//! responses. It maintains state for tracking outstanding queries and linking query/response pairs.
//!
//! Adapted from [the Rusticata DNS
//! parser](https://github.com/rusticata/rusticata/blob/master/src/dns_udp.rs).

use super::transaction::{DnsQuery, DnsResponse};
use super::Dns;
use crate::conntrack::pdu::L4Pdu;
use crate::protocols::stream::{
    ConnParsable, ParseResult, ParsingState, ProbeResult, Session, SessionData,
};

use std::collections::HashMap;

#[derive(Default, Debug)]
pub struct DnsParser {
    /// Maps session ID to DNS transaction
    sessions: HashMap<usize, Dns>,
    /// Total sessions ever seen (Running session ID)
    cnt: usize,
}

impl ConnParsable for DnsParser {
    fn parse(&mut self, pdu: &L4Pdu) -> ParseResult {
        let offset = pdu.offset();
        let length = pdu.length();
        if length == 0 {
            return ParseResult::Skipped;
        }

        if let Ok(data) = (pdu.mbuf_ref()).get_data_slice(offset, length) {
            self.process(data)
        } else {
            log::warn!("Malformed packet");
            ParseResult::Skipped
        }
    }

    fn probe(&self, pdu: &L4Pdu) -> ProbeResult {
        let dst_port = pdu.ctxt.dst.port();
        let src_port = pdu.ctxt.src.port();
        if src_port == 137 || dst_port == 137 {
            // NetBIOS NBSS looks like DNS, but parser will fail on labels
            return ProbeResult::NotForUs;
        }
        let offset = pdu.offset();
        let length = pdu.length();
        if pdu.length() == 0 {
            return ProbeResult::Unsure;
        }

        if let Ok(data) = (pdu.mbuf).get_data_slice(offset, length) {
            match dns_parser::Packet::parse(data) {
                Ok(packet) => {
                    if packet.header.query {
                        if packet.questions.is_empty() {
                            return ProbeResult::NotForUs;
                        }
                    } else if packet.answers.is_empty() {
                        return ProbeResult::NotForUs;
                    }
                    ProbeResult::Certain
                }
                _ => ProbeResult::NotForUs,
            }
        } else {
            log::warn!("Malformed packet");
            ProbeResult::Error
        }
    }

    fn remove_session(&mut self, session_id: usize) -> Option<Session> {
        self.sessions.remove(&session_id).map(|dns| Session {
            data: SessionData::Dns(Box::new(dns)),
            id: session_id,
        })
    }

    fn drain_sessions(&mut self) -> Vec<Session> {
        self.sessions
            .drain()
            .map(|(session_id, dns)| Session {
                data: SessionData::Dns(Box::new(dns)),
                id: session_id,
            })
            .collect()
    }

    fn session_parsed_state(&self) -> ParsingState {
        ParsingState::Parsing
    }
}

impl DnsParser {
    pub(crate) fn process(&mut self, data: &[u8]) -> ParseResult {
        match dns_parser::Packet::parse(data) {
            Ok(pkt) => {
                if pkt.header.query {
                    log::debug!("DNS query");
                    let query = DnsQuery::parse_query(&pkt);
                    let query_id = pkt.header.id;
                    for (session_id, dns) in self.sessions.iter_mut() {
                        if query_id == dns.transaction_id {
                            if dns.response.is_some() {
                                dns.query = Some(query);
                                return ParseResult::Done(*session_id);
                            }
                            break;
                        }
                    }
                    let dns = Dns {
                        transaction_id: query_id,
                        query: Some(query),
                        response: None,
                    };
                    let session_id = self.cnt;
                    self.cnt += 1;
                    self.sessions.insert(session_id, dns);
                    ParseResult::Continue(session_id)
                } else {
                    log::debug!("DNS answer");
                    let response = DnsResponse::parse_response(&pkt);
                    let answer_id = pkt.header.id;
                    for (session_id, dns) in self.sessions.iter_mut() {
                        if answer_id == dns.transaction_id {
                            if dns.query.is_some() {
                                dns.response = Some(response);
                                return ParseResult::Done(*session_id);
                            }
                            break;
                        }
                    }
                    let dns = Dns {
                        transaction_id: answer_id,
                        query: None,
                        response: Some(response),
                    };
                    let session_id = self.cnt;
                    self.cnt += 1;
                    self.sessions.insert(session_id, dns);
                    ParseResult::Continue(session_id)
                }
            }
            e => {
                log::debug!("parse error: {:?}", e);
                ParseResult::Skipped
            }
        }
    }
}