DPD query too large on multicast DNS


Lots of

1440024833.696698 CZdljELZjJSLLQpxj 5353 5353 udp DNS DNS_Conn_count_too_large
1440024920.764444 CgVrZf4IQ0Tc04EfQe 5353 5353 udp DNS DNS_Conn_count_too_large
1440024920.764923 C4oQOB2GRRhDHW1i4g fe80::6676:baff:feb5:772c 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large
1440024981.016577 CsCwiq3qk2Uxjhomjj fe80::1c8a:768d:e113:e39f 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large
1440024981.015551 CA1nbO23vgbca2PBYi 5353 5353 udp DNS DNS_Conn_count_too_large
1440025022.962007 C5kYaG3BckRrVOot89 5353 5353 udp DNS DNS_Conn_count_too_large
1440025022.962049 CrkZft38lJ0YqGqxsl fe80::2acf:e9ff:fe1a:9aed 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large

for just UDP and port 5353 - multicast DNS

Pcaps attached.




Vlad Grigorescu
September 4, 2015, 12:47 PM

The issue here is src/analyzer/protocol/dns/DNS.cc lines 58-68:

// There is a great deal of non-DNS traffic that runs on port 53.
// This should weed out most of it.
if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
	return 0;

topic/vladg/bit-1460 makes dns_max_queries redef-able, and bumps up the limit from 5 to 25.

Since multicast is so chatty, it might make sense to special case it and allow for a higher limit. That being said, I'm not sure there's much of a downside to setting the max a bit higher.
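
To show why the threshold matters for multicast DNS, here is an added Python example (not Bro's code) that builds a constructed mDNS query carrying several questions and applies the same qdcount check as the snippet above, once with the old limit of 5 and once with 25. The service names, transaction id and the limit constants are sample values taken from this thread, not from a real capture.

```python
import struct

DNS_MAX_QUERIES_OLD = 5    # limit before topic/vladg/bit-1460 (per the thread)
DNS_MAX_QUERIES_NEW = 25   # limit after the branch is merged

# Constructed sample: an mDNS browser asking about eight service types at once.
MDNS_SERVICE_TYPES = [
    "_airplay._tcp.local", "_ipp._tcp.local", "_printer._tcp.local",
    "_http._tcp.local", "_ssh._tcp.local", "_afpovertcp._tcp.local",
    "_smb._tcp.local", "_raop._tcp.local",
]

def build_dns_query(names, txid=0x1234):
    """Build a minimal DNS/mDNS query with one PTR question per name."""
    # Header: ID, flags (standard query), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0000, len(names), 0, 0, 0)
    body = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        # Root label, then QTYPE=PTR (12) and QCLASS=IN with the mDNS
        # unicast-response ("QU") bit set (0x8001).
        body += b"\x00" + struct.pack("!HH", 12, 0x8001)
    return header + body

def parse_header(msg):
    """Return the six 16-bit DNS header fields of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def accepted_by_analyzer(msg, dns_max_queries):
    """Mirror of the heuristic in DNS.cc: a message with more questions
    than dns_max_queries is not treated as DNS; a limit <= 0 disables it."""
    hdr = parse_header(msg)
    if dns_max_queries > 0 and hdr["qdcount"] > dns_max_queries:
        return False
    return True

if __name__ == "__main__":
    q = build_dns_query(MDNS_SERVICE_TYPES)
    print("qdcount =", parse_header(q)["qdcount"])
    print("accepted with limit 5: ", accepted_by_analyzer(q, DNS_MAX_QUERIES_OLD))
    print("accepted with limit 25:", accepted_by_analyzer(q, DNS_MAX_QUERIES_NEW))
```

The same eight-question message is dropped by the analyzer at the old limit and accepted at the new one, which is the behaviour change the branch introduces.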

Seth Hall
September 4, 2015, 6:31 PM

It might make sense to go ahead and merge this into master and see if it causes performance problems for anyone.

Johanna Amann
September 6, 2015, 3:33 AM

I think I concur. I will merge this into master with the limit at 25 and into 2.4.1 with the limit at 5 (so the only difference is that people in 2.4.1 will be able to redef it if they want to - but there will be no surprising change of how things work).

Johanna Amann
September 10, 2015, 5:43 PM

Merging this change actually triggers a few changes in our external test suite. Vlad, could you potentially take a short look if those seem to make sense?

Vlad Grigorescu
September 10, 2015, 6:54 PM

Will do. Sorry for not checking that earlier.

Vlad Grigorescu
September 10, 2015, 7:59 PM

Yes, these all seem reasonable. Several symptoms of this particular bug were fixed.

I updated the appropriate baselines in topic/vladg/bit-1460 in the bro-testing repo.

Several tests unrelated to DNS seem to be broken, but I believe that's due to BIT-1467. Also, the private test suite seems to be out of date with master, but I didn't see any DNS-related changes.


