This branch is in bro, bro-testing, and bro-testing-private repos.
Fixes incorrect parsing of DNS message format for messages with empty question sections.
Changes dns.log to only include standard queries (opcode == 1).
Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.
I just pushed another commit on this branch containing a rewrite of the query-reply state tracking and matching logic. It now relies on the "dns_end" event to pair messages and log them. The old way of tracking the number of resource records seen versus the total number declared in the reply message is too unreliable in many cases.
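An added example, not code from the Bro tree or this branch: a small Python parser for the DNS header and question section that treats QDCOUNT == 0 as a valid, empty section (so the resource-record offset is still computed correctly) and applies an opcode filter of the kind the dns.log change describes. It uses the RFC 1035 opcode numbering (QUERY = 0, IQUERY = 1, STATUS = 2); the sample messages are constructed, not captured traffic.

```python
import struct

OPCODE_QUERY, OPCODE_IQUERY, OPCODE_STATUS = 0, 1, 2  # RFC 1035 header opcodes

def parse_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length == 0:                      # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                # caller resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_message(msg):
    """Parse the header and question section; a QDCOUNT of 0 is valid, not an error."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    hdr = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
           "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "questions": []}
    off = 12
    for _ in range(qd):                      # body never runs for an empty question section
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        hdr["questions"].append((name, qtype, qclass))
    hdr["rr_offset"] = off                   # where the answer RRs begin (12 when qd == 0)
    return hdr

def is_standard_query(hdr):
    return hdr["opcode"] == OPCODE_QUERY     # the only messages a dns.log-style filter keeps

# Constructed sample messages (not captured traffic).
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
EMPTY_Q_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8181, 0, 0, 0, 0)  # FORMERR reply, no question
STATUS_REQ = struct.pack("!HHHHHH", 0x0001, OPCODE_STATUS << 11, 0, 0, 0, 0)
```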