DNS reply - bro stores CNAME answer in c$dns$query

Description

Scenario:
A single DNS reply packet:
original query = www.abc.com

2 answers:
CNAME answer = ns1.abc.com
A answer CNAME (ns1.abc.com) = 1.2.3.4

What happens is that the dns_A_reply event appears before the dns_CNAME_reply event, and the field c$dns$query is being populated with the query for which A is answering, meaning the CNAME answer.

Bug:
c$dns$query=ns1.abc.com
c$dns$answers=["1.2.3.4","ns1.abc.com"]

When it should be:
c$dns$query=www.abc.com
c$dns$answers=["1.2.3.4","ns1.abc.com"]

Environment

Bro 2.5 and Bro 2.4.1
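
The reply described in this report, as an added Python example (not Bro code and not part of the original report): a constructed wire-format packet is parsed to show that every answer record carries its own owner name, so a query field taken from the first answer handled yields ns1.abc.com, while the question section yields www.abc.com. The packet bytes, transaction ID, TTL, the function names and the "first answer's owner name" model of the reported behaviour are assumptions made for the illustration.

```python
import socket
import struct

# Constructed sample: question www.abc.com, then the A record for ns1.abc.com
# ahead of the CNAME record, with standard DNS name compression.
REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
         b"\x03www\x03abc\x03com\x00\x00\x01\x00\x01"
         b"\x03ns1\xc0\x10\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x01\x02\x03\x04"
         b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x02\xc0\x1d")

def read_name(buf, off):
    """Decode the name at off, following compression pointers: (name, next offset)."""
    labels, end = [], None
    for _ in range(255):                      # bound pointer chains
        n = buf[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | buf[off + 1]
        elif n == 0:                          # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(buf[off + 1:off + 1 + n].decode())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def parse_reply(buf):
    """Return (question name, [(owner name, answer), ...]) for A and CNAME records."""
    ancount = struct.unpack("!H", buf[6:8])[0]
    qname, off = read_name(buf, 12)
    off += 4                                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1:                        # A: 4-byte IPv4 address
            answers.append((owner, socket.inet_ntoa(buf[off:off + rdlen])))
        elif rtype == 5:                      # CNAME: a (possibly compressed) name
            answers.append((owner, read_name(buf, off)[0]))
        off += rdlen
    return qname, answers

def log_entry(buf, from_question):
    """Build a log record; from_question=False models the behaviour in the report."""
    qname, answers = parse_reply(buf)
    query = qname if from_question else answers[0][0]
    return {"query": query, "answers": [value for _, value in answers]}
```
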

Assignee

Unassigned

Reporter

william de ping

External issue ID

None

Priority

Normal