By definition, authoritative servers should not receive DNS responses -- unless they are also used as a resolver.
For authoritative-server-only cases, we found that if someone sends an unsolicited response to the server (resolver -> auth_server), entrada will assume that the authoritative server must have sent a query (auth_server -> resolver), create a "ghost" query, merge it with the unsolicited response, and add it to the database.
For example, say a resolver sends: resolverIP -> auth_server google.com NXDOMAIN. Then entrada will assume there must have been a query (auth_server -> resolver A google.com), and store it in the database as:
- src: auth_server IP
- dst: resolver_IP
- rcode: taken from the unsolicited response, not sent by the auth server (the auth server ignores the response)
Note that entrada inverts the IPs, since it assumes the order of the query. In reality, there was never a query. So I guess what we need is a module/method to somehow detect unsolicited responses, and then store them in a way that is easy to detect.
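The following is an added example of the kind of query/response matcher the issue asks for; it is not ENTRADA code, and the packet records, IP addresses, transaction IDs and the Row layout are constructed for the illustration. A response is paired with a pending query only when the query had the reversed src/dst and the same transaction ID, qname and qtype; a response with no such query is stored in its real on-the-wire direction and flagged, instead of being inverted into a ghost query. ghost_row() models the behaviour described above so the two outcomes can be compared.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed packet record (not from a real capture): the subset of a DNS
# packet that query/response matching needs.
@dataclass(frozen=True)
class DnsPacket:
    ts: float                    # capture timestamp, seconds
    src: str                     # source IP
    dst: str                     # destination IP
    txid: int                    # DNS transaction ID
    qname: str
    qtype: str
    is_response: bool            # QR bit
    rcode: Optional[str] = None  # responses only


@dataclass(frozen=True)
class Row:
    """One database row (hypothetical layout). For matched pairs, src is the
    side that asked. For unsolicited responses, src/dst are kept exactly as
    seen on the wire and the 'unsolicited' flag is set."""
    src: str
    dst: str
    qname: str
    qtype: str
    rcode: Optional[str]
    unsolicited: bool


Key = Tuple[str, str, int, str, str]


def _key(src: str, dst: str, pkt: DnsPacket) -> Key:
    return (src, dst, pkt.txid, pkt.qname, pkt.qtype)


def match_packets(packets: List[DnsPacket], timeout: float = 5.0) -> List[Row]:
    """Pair queries with responses; never synthesise a query for a response."""
    pending: Dict[Key, DnsPacket] = {}
    rows: List[Row] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not pkt.is_response:
            pending[_key(pkt.src, pkt.dst, pkt)] = pkt
            continue
        # A response answers a query whose src/dst are the reverse of its own.
        query = pending.pop(_key(pkt.dst, pkt.src, pkt), None)
        if query is not None:
            if pkt.ts - query.ts <= timeout:
                rows.append(Row(query.src, query.dst, pkt.qname, pkt.qtype, pkt.rcode, False))
                continue
            # Too late to be the answer: the query stays unanswered.
            rows.append(Row(query.src, query.dst, query.qname, query.qtype, None, False))
        # No query was ever seen going the other way. Keep the real direction
        # (the sender of the response stays src) and flag it.
        rows.append(Row(pkt.src, pkt.dst, pkt.qname, pkt.qtype, pkt.rcode, True))
    # Queries that never received a response are stored with no rcode.
    for q in pending.values():
        rows.append(Row(q.src, q.dst, q.qname, q.qtype, None, False))
    return rows


def unsolicited_to_auth(rows: List[Row], auth_ips: Set[str]) -> List[Row]:
    """Rows an operator wants to look at: responses aimed at an
    authoritative-only address, which should never receive any."""
    return [r for r in rows if r.unsolicited and r.dst in auth_ips]


def ghost_row(pkt: DnsPacket) -> Row:
    """Model of the ghost-query behaviour the issue describes: IPs inverted
    as if the auth server had asked, rcode copied from the stray response."""
    return Row(pkt.dst, pkt.src, pkt.qname, pkt.qtype, pkt.rcode, False)


# Constructed sample traffic for one authoritative-only server.
AUTH = "192.0.2.53"
SAMPLE = [
    DnsPacket(1.00, "198.51.100.10", AUTH, 0x1234, "example.com", "A", False),
    DnsPacket(1.01, AUTH, "198.51.100.10", 0x1234, "example.com", "A", True, "NOERROR"),
    # Unsolicited: nothing at AUTH ever asked anyone about google.com.
    DnsPacket(2.00, "203.0.113.7", AUTH, 0x4242, "google.com", "A", True, "NXDOMAIN"),
]

if __name__ == "__main__":
    for row in match_packets(SAMPLE):
        print(row)
    print("ghost as described in the issue:", ghost_row(SAMPLE[2]))
```

Matching on the full (src, dst, txid, qname, qtype) tuple means a forged response with a random transaction ID can never attach itself to a real query, and the unanswered-query path keeps the original query row intact rather than letting a late or spoofed response overwrite it.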