Packet-Clearing-House / DNSAuth

Go-lang app to aggregate DNS queries to 1 minute buckets and write them to influxdb
MIT License

Distilled zone isn't recorded, lookups based off zone fail #9

Closed mrjones-plip closed 6 years ago

mrjones-plip commented 6 years ago

One of the new features we wanted to release with 1.1.0 is that when the customer was resolved in the zones table, it would also record the distilled zone to influxdb. This is not happening when testing with 1.1.0.

Steps to reproduce:

  1. load the default mysql dataset from the customers.sql file in this repo
  2. empty your influxdb table: drop series from dnsauth_queries
  3. create a file called SZC_mon-01.fra.testnet.net_2017-05-17.17-07.dmp with the following contents:
    Q 32.57.89.19 1.2.3.4 1 0 1 foo.auction.com 67
    R 32.57.89.19 1.2.3.4 1 0 1 foo.auction.com 686 2
    Q 201.77.156.94 1.2.3.4 0 0 5 quux.test.com 66
    R 201.77.156.94 1.2.3.4 0 0 5 quux.test.com 556 2
  4. gzip the file so it becomes SZC_mon-01.fra.testnet.net_2017-05-17.17-07.dmp and move it to your ingest directory (for me this is /var/dnsauth).
  5. show the 4 rows in the database: select * from dnsauth_queries;

expected: the resulting 4 rows should resolve to customers foo and bar and show zones auction.com and test.com respectively.

actual: no customer is found and no distilled zone is recorded. Here's the result of my select * from dnsauth_queries; call:

name: dnsauth_queries
time                customer direction pop protocol qtype rcode    value version
----                -------- --------- --- -------- ----- -----    ----- -------
1495040820000000000 Unknown  Q         fra udp      A     none     1     4
1495040880000000000 Unknown  R         fra udp      A     servfail 1     4
1495040940000000000 Unknown  Q         fra tcp      CNAME none     1     4
1495041000000000000 Unknown  R         fra tcp      CNAME servfail 1     4

alexisfasquel commented 6 years ago

I think (and hope) the reason for this is quite simple: the dump file is missing the dots at the end of the zones, which I believe is the proper formatting. When the last dot is missing, the software will actually remove the last character instead, changing a zone such as something.com to something.co, for instance.

Q 32.57.89.19 1.2.3.4 1 0 1 foo.auction.com. 67
R 32.57.89.19 1.2.3.4 1 0 1 foo.auction.com. 686 2
Q 201.77.156.94 1.2.3.4 0 0 5 quux.test.com. 66
R 201.77.156.94 1.2.3.4 0 0 5 quux.test.com. 556 2

mrjones-plip commented 6 years ago

@alexisfasquel - great, thanks for pointing out my mistake. Sorry about that!

However, it still doesn't entirely work. The customer is found now, but the distilled zone still isn't being recorded. Here's the 4 resulting rows from my select * from dnsauth_queries; call:

> select * from dnsauth_queries;
name: dnsauth_queries
time                customer direction pop protocol qtype rcode    value version
----                -------- --------- --- -------- ----- -----    ----- -------
1495040820000000000 foo      Q         fra udp      A     none     1     4
1495040880000000000 foo      R         fra udp      A     servfail 1     4
1495040940000000000 bar      Q         fra tcp      CNAME none     1     4
1495041000000000000 bar      R         fra tcp      CNAME servfail 1     4

alexisfasquel commented 6 years ago

Alright, indeed. I did not include the distilled zone into influx. Just merged a commit with the fix. (I'm sorry, I inadvertently closed the issue. Let me know if that works for you as well)
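The two points raised in this thread, the trailing-dot handling of the query name and the distilled zone that has to travel with the point written to influx, can be shown together in one small Go program. This is an added example and not DNSAuth's own code: the column layout follows the dump lines posted above, the meaning of the numeric columns is assumed (only the query name column is used), the zone table is a constructed stand-in for customers.sql, and the function and tag names are my own. The normaliser removes the root dot only when it is present, so a line with or without the dot yields the same customer and zone, whereas the unconditional strip described above turns foo.auction.com into foo.auction.co and the lookup fails.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Record is one parsed dump line. Field positions follow the lines posted in
// this issue; the three numeric columns before the name are not decoded here.
type Record struct {
	Direction string // "Q" or "R"
	Client    string
	Server    string
	QName     string // normalised: lower-case, no trailing root dot
	Customer  string // "Unknown" when no zone matches
	Zone      string // distilled zone, "" when unknown
}

// zoneTable is a constructed stand-in for the customers table (zone -> customer);
// it is not the project's customers.sql.
var zoneTable = map[string]string{
	"auction.com": "foo",
	"test.com":    "bar",
}

// normalizeName lower-cases a query name and removes the root dot only when it
// is present, so "foo.auction.com." and "foo.auction.com" both normalise to
// "foo.auction.com".
func normalizeName(name string) string {
	name = strings.ToLower(strings.TrimSpace(name))
	return strings.TrimSuffix(name, ".")
}

// buggyStrip reproduces the behaviour described in the thread for comparison:
// the last byte is dropped whether or not it is a dot.
func buggyStrip(name string) string {
	if name == "" {
		return name
	}
	return name[:len(name)-1]
}

// distill walks the labels of qname from most to least specific and returns
// the longest zone present in table together with its customer.
func distill(qname string, table map[string]string) (zone, customer string, ok bool) {
	labels := strings.Split(qname, ".")
	for i := 0; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".")
		if c, found := table[candidate]; found {
			return candidate, c, true
		}
	}
	return "", "Unknown", false
}

// parseLine parses one dump line: direction, client IP, server IP, three
// numeric columns (assumed, ignored), query name, then direction-specific
// trailing fields that this example does not interpret.
func parseLine(line string, table map[string]string) (Record, error) {
	f := strings.Fields(line)
	if len(f) < 8 {
		return Record{}, errors.New("too few fields")
	}
	if f[0] != "Q" && f[0] != "R" {
		return Record{}, fmt.Errorf("bad direction %q", f[0])
	}
	r := Record{Direction: f[0], Client: f[1], Server: f[2], QName: normalizeName(f[6])}
	r.Zone, r.Customer, _ = distill(r.QName, table)
	return r, nil
}

// influxTags builds the tag set for the point; zone is carried alongside
// customer so that queries filtered by zone work.
func influxTags(r Record, pop string) map[string]string {
	return map[string]string{
		"customer":  r.Customer,
		"zone":      r.Zone,
		"direction": r.Direction,
		"pop":       pop,
	}
}

func main() {
	// Constructed sample lines: the first carries the root dot, the second does not.
	lines := []string{
		"Q 32.57.89.19 1.2.3.4 1 0 1 foo.auction.com. 67",
		"R 201.77.156.94 1.2.3.4 0 0 5 quux.test.com 556 2",
	}
	for _, l := range lines {
		r, err := parseLine(l, zoneTable)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		raw := strings.Fields(l)[6]
		fmt.Printf("%s qname=%s customer=%s zone=%s tags=%v (buggy strip: %s)\n",
			r.Direction, r.QName, r.Customer, r.Zone, influxTags(r, "fra"), buggyStrip(raw))
	}
}
```

Running it prints both lines resolved to foo/auction.com and bar/test.com, and shows that the unconditional strip would have produced foo.auction.co for the second style of input, which matches no zone.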