From 3cc10d4d853f51f1ef9a341d160f6002d3f00d36 Mon Sep 17 00:00:00 2001 From: Amy Linari Date: Wed, 8 Oct 2014 20:53:14 +0000 Subject: [PATCH 1/2] Follow nested compression pointers and return to original offset after completion. --- src/dns.h | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/dns.h b/src/dns.h index dc3de24..4502651 100644 --- a/src/dns.h +++ b/src/dns.h @@ -213,12 +213,10 @@ class DNSMessage { while(n>=192) { - if (savedoffs) + if (savedoffs == 0) { - out[p++]=0; - return savedoffs; + savedoffs=offs+1; } - savedoffs=offs+1; int n2=get_ubyte(offs++); int ptr =(n&63)*0x100+n2; offs=ptr; From 99e9bb3fcb5ade61a8de02b821882229a95e4fe8 Mon Sep 17 00:00:00 2001 From: Amy Linari Date: Wed, 8 Oct 2014 21:07:42 +0000 Subject: [PATCH 2/2] Add columns answers, authorties, and additionals, each of which which returns a comma delimeted list of qname, class and type for each RR in the response. Also adds a qclass LUT. --- src/dns.cpp | 46 ++++++++++++++++++++++++++++++++++++++++++++++ src/dns.h | 27 ++++++++++++++++++--------- 2 files changed, 64 insertions(+), 9 deletions(-) diff --git a/src/dns.cpp b/src/dns.cpp index 0abeb47..4643b5b 100644 --- a/src/dns.cpp +++ b/src/dns.cpp @@ -37,6 +37,7 @@ #include #include "output.h" #include "dns.h" +#include namespace se { @@ -64,6 +65,9 @@ void Parse_dns::add_packet_columns() add_packet_column("qname", "", Coltype::_text, COLUMN_QNAME); add_packet_column("aname", "", Coltype::_text, COLUMN_ANAME); + add_packet_column("answers", "", Coltype::_text, COLUMN_ANSWERS); + add_packet_column("authorities", "", Coltype::_text, COLUMN_AUTHORITIES); + add_packet_column("additionals", "", Coltype::_text, COLUMN_ADDITIONALS); add_packet_column("msg_id", "", Coltype::_int, COLUMN_MSG_ID); add_packet_column("msg_size", "", Coltype::_int, COLUMN_MSG_SIZE); add_packet_column("opcode", "", Coltype::_int, COLUMN_OPCODE); 
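Review bot: Nothing visible bounds the pointer chase in `while(n>=192)` now that the early return on a second pointer is gone, so a name whose compression pointer leads back to itself or into a cycle would keep this loop running for as long as `n` is re-read from the new offset (that read is below the hunk). Add a hop budget, for example a local `int hops=0;` plus `if (++hops > MAX_PTR_HOPS) { out[p++]=0; return savedoffs; }` at the top of the loop body, where `MAX_PTR_HOPS` is a new constant, or reject any pointer that does not land strictly before the pointer's own offset. It is also worth confirming that `get_ubyte` bounds-checks `offs` against `m_length`, since `offs=ptr;` takes a 14-bit value straight from the packet. The function starts and ends outside the hunk.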
@@ -184,6 +188,12 @@ void Parse_dns::add_lookup_tables() g_db.add_lut( "rcode", 20 ,"BADNAME" ); g_db.add_lut( "rcode", 21 ,"BADALG" ); g_db.add_lut( "rcode", 22 ,"BADTRUNC" ); + + g_db.add_lut( "qclass", 1, "IN" ); + g_db.add_lut( "qclass", 3, "CH" ); + g_db.add_lut( "qclass", 4, "HS" ); + g_db.add_lut( "qclass", 254, "NONE" ); + g_db.add_lut( "qclass", 255, "ANY" ); } void Parse_dns::on_table_created(Table *table, const std::vector &columns) @@ -220,6 +230,30 @@ void Parse_dns::on_table_created(Table *table, const std::vector &columns) acc_qname = table->get_accessor("qname"); acc_aname = table->get_accessor("aname"); + acc_answers = table->get_accessor("answers"); + acc_authorities = table->get_accessor("authorities"); + acc_additionals = table->get_accessor("additionals"); +} + +#define SSTR(x) dynamic_cast((std::ostringstream() << std::dec << x)).str() +RefCountString* Parse_dns::get_rrs(DNSMessage::Header &header, int count, DNSMessage::RR* rrs) +{ + std::string tmp; + for (int i=0;i<(count < MAX_RRS ? count : MAX_RRS);i++) { + if (i > 0) { + tmp.append(","); + } + tmp.append(rrs[i].name); + tmp.append(" "); + tmp.append(SSTR(rrs[i].ttl)); + tmp.append(" "); + RefCountString* h = g_db.get_value("qclass",rrs[i].rr_class); + h ? tmp.append(h->data) : tmp.append(SSTR(rrs[i].rr_class)); + tmp.append(" "); + h = g_db.get_value("qtype",rrs[i].type); + h ? tmp.append(h->data) : tmp.append(SSTR(rrs[i].type)); + } + return RefCountString::construct(tmp.c_str()); } Packet::ParseResult Parse_dns::parse(Packet &packet, const std::vector &columns, Row &destination_row, bool sample) 
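Review bot: `get_rrs` walks `min(count, MAX_RRS)` slots, and its callers in the `parse` hunk further down pass `header.ancount`, `header.nscount` and `header.arcount`, which are the counts the packet claims rather than the number of records the parser actually filled. If the section loops in `DNSMessage` stop early on `offs>m_length`, the remaining slots are emitted with whatever `RR` holds at that point (the `RR` constructor is not visible here). Keep a per-section parsed count in `DNSMessage` and pass that instead. Record names are also joined with `","` and `" "` without escaping, so a name that contains either character makes the column ambiguous to consumers; confirm that name decoding escapes such bytes or escape them here. The `header` parameter is unused and could be dropped.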
@@ -355,6 +389,18 @@ Packet::ParseResult Parse_dns::parse(Packet &packet, const std::vector &col acc_udp_size.value(r) = message.m_edns0 ? message.m_udp_size : 0; break; + case COLUMN_ANSWERS: + acc_answers.value(r) = get_rrs(header, header.ancount, message.m_answer); + break; + + case COLUMN_AUTHORITIES: + acc_authorities.value(r) = get_rrs(header, header.nscount, message.m_authority); + break; + + case COLUMN_ADDITIONALS: + acc_additionals.value(r) = get_rrs(header, header.arcount, message.m_additional); + break; + case COLUMN_ANAME: acc_aname.value(r) = header.ancount ? RefCountString::construct(message.m_answer[0].name) : RefCountString::construct(""); break; diff --git a/src/dns.h b/src/dns.h index 4502651..ff70225 100644 --- a/src/dns.h +++ b/src/dns.h @@ -40,6 +40,7 @@ #include #define IPPROTO_ICMP 1 +#define MAX_RRS 32 namespace se { @@ -173,9 +174,9 @@ class DNSMessage int m_length; Header m_header; Question m_questions[2]; - RR m_answer[2]; - RR m_authority[2]; - RR m_additional[2]; + RR m_answer[MAX_RRS + 1]; + RR m_authority[MAX_RRS + 1]; + RR m_additional[MAX_RRS + 1]; RR *m_opt_rr; int m_error; bool m_edns0; @@ -260,8 +261,8 @@ class DNSMessage cnt=m_header.ancount; while (cnt-->0) { - offs = m_answer[q].parse(*this,offs); - q=1; // not ++ ignore further Q's + offs = m_answer[q % MAX_RRS].parse(*this,offs); + q++; if (offs>m_length) { m_error=offs; @@ -272,8 +273,8 @@ class DNSMessage cnt=m_header.nscount; while (cnt-->0) { - offs = m_authority[q].parse(*this,offs); - q=1; // not ++ ignore further Q's + offs = m_authority[q % MAX_RRS].parse(*this,offs); + q++; if (offs>m_length) { m_error=offs; @@ -284,8 +285,8 @@ class DNSMessage cnt=m_header.arcount; while (cnt-->0) { - offs = m_additional[q].parse(*this,offs); - q=1; // not ++ ignore further Q's + offs = m_additional[q % MAX_RRS].parse(*this,offs); + q++; if (offs>m_length) { m_error=offs; 
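Review bot: `q % MAX_RRS` wraps instead of stopping, so a message that declares more than MAX_RRS records in a section overwrites the earliest slots, and the new `get_rrs` then reports the first MAX_RRS entries as if they were in order; the arrays are declared `MAX_RRS + 1`, but index MAX_RRS is never reached. The same applies to the authority and additional loops in the next two hunks. Using the spare element as an overflow sink keeps the first MAX_RRS records intact: `offs = m_answer[q < MAX_RRS ? q : MAX_RRS].parse(*this,offs);`. `q` also now increments across all three loops and no reset is visible in these hunks; unless `q=0;` is set before each `cnt=` line, authority and additional records start at a non-zero index while `get_rrs` and the existing `COLUMN_ANAME` case read from index 0.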
@@ -324,6 +325,9 @@ class Parse_dns : public Packet_handler enum { COLUMN_QNAME = IP_header_to_table::COLUMN_FRAGMENTS + 1, COLUMN_ANAME, + COLUMN_ANSWERS, + COLUMN_AUTHORITIES, + COLUMN_ADDITIONALS, COLUMN_MSG_ID, COLUMN_MSG_SIZE, COLUMN_OPCODE, @@ -365,6 +369,8 @@ class Parse_dns : public Packet_handler IP_header_to_table m_ip_helper; + RefCountString* get_rrs(DNSMessage::Header&, int count, DNSMessage::RR*); + Int_accessor acc_s; Int_accessor acc_us; Int_accessor acc_ether_type; @@ -398,6 +404,9 @@ class Parse_dns : public Packet_handler Bool_accessor acc_edns0; Text_accessor acc_qname; Text_accessor acc_aname; + Text_accessor acc_answers; + Text_accessor acc_authorities; + Text_accessor acc_additionals; Text_accessor acc_src_addr; Text_accessor acc_dst_addr; };