DNS Parser¶

Since 1.8.0, dnsdist contains a limited DNS parser class that can be used to inspect the content of DNS queries and responses in Lua.

The first step is to get the content of the DNS payload into a Lua string, for example using DNSQuestion:getContent(), or DNSResponse:getContent(), and then to create a DNSPacketOverlay object:

function dumpPacket(dq)
  local packet = dq:getContent()
  local overlay = newDNSPacketOverlay(packet)
  print(overlay.qname)
  print(overlay.qtype)
  print(overlay.qclass)
  local count = overlay:getRecordsCountInSection(DNSSection.Answer)
  print(count)
  for idx=0, count-1 do
    local record = overlay:getRecord(idx)
    print(record.name)
    print(record.type)
    print(record.class)
    print(record.ttl)
    print(record.place)
    print(record.contentLength)
    print(record.contentOffset)
  end
  return DNSAction.None
end

addAction(AllRule(), LuaAction(dumpPacket))

newDNSPacketOverlay(packet) → DNSPacketOverlay¶

New in version 1.8.0.

Returns a DNSPacketOverlay

Parameters:	packet (str) – The DNS payload

DNSPacketOverlay¶

class DNSPacketOverlay¶

New in version 1.8.0.

The DNSPacketOverlay object has several attributes, all of them read-only:

qname¶: The qname of this packet, as a DNSName objects.

qtype¶: The type of the query in this packet.

qclass¶: The class of the query in this packet.

dh¶

It also supports the following methods:

:getRecordsCountInSection(section) → int¶

Returns the number of records in the ANSWER (1), AUTHORITY (2) and ADDITIONAL (3) DNS Packet Sections of this packet. The number of records in the QUESTION (0) is always set to 0, look at the dnsheader if you need the actual qdcount.

Parameters:	section (int) – The section, see above

:getRecord(idx) → DNSRecord¶

Get the record at the requested position. The records in the QUESTION sections are not taken into account, so the first record in the answer section would be at position 0.

Parameters:	idx (int) – The position of the requested record

DNSRecord object¶

class DNSRecord¶

New in version 1.8.0.

This object represents an unparsed DNS record, as returned by the DNSPacketOverlay class. It has several attributes, all of them read-only:

name¶: The name of this record, as a DNSName objects.

type¶: The type of this record.

class¶: The class of this record.

ttl¶: The TTL of this record.

place¶: The place (section) of this record.

contentLength¶: The length, in bytes, of the rdata content of this record.

contentOffset¶: The offset since the beginning of the DNS payload, in bytes, at which the rdata content of this record starts.

DNS Parser¶

DNSPacketOverlay¶

DNSRecord object¶

Table of Contents

Previous topic

Next topic

This Page