acappadonia asked

Changing DNS reply

Hello,

I'm using Spirent Test Center 4.46 and Avalanche C100 to test a firewall against DNS traffic. The Avalanche appliance behaves both as client and server. Right now the test is working fine, but I need to tune up the server in order to have different kinds of replies, i.e., adding authoritative nameserver and additional records fields in the reply.

The replies I obtain with Test Center look like the following:

Domain Name System (response)

[Request In: 6]

[Time: 0.014500000 seconds]

Transaction ID: 0x002a

[+]Flags: 0x8480 Standard query response, No error

Questions: 1

Answer RRs: 1

Authority RRs: 0

Additional RRs: 0

[+]Queries

[-]Answers

[+]mail.mysiteone.com: type MX, class IN, preference 0, mx 156.121.12.21

################################

What I would like to have

################################

Domain Name System (response)

[Request In: 152]

[Time: 0.737078000 seconds]

Transaction ID: 0x2372

[+]Flags: 0x8180 Standard query response, No error

Questions: 1

Answer RRs: 12

Authority RRs: 4

Additional RRs: 4

[+]Queries

[-]Answers

[+]accounts.youtube.com: type CNAME, class IN, cname www3.l.google.com

[+]www3.l.google.com: type A, class IN, addr 173.194.35.40

[+]www3.l.google.com: type A, class IN, addr 173.194.35.41

[+]www3.l.google.com: type A, class IN, addr 173.194.35.46

[+]www3.l.google.com: type A, class IN, addr 173.194.35.32

[+]www3.l.google.com: type A, class IN, addr 173.194.35.33

[+]www3.l.google.com: type A, class IN, addr 173.194.35.34

[+]www3.l.google.com: type A, class IN, addr 173.194.35.35

[+]www3.l.google.com: type A, class IN, addr 173.194.35.36

[+]www3.l.google.com: type A, class IN, addr 173.194.35.37

[+]www3.l.google.com: type A, class IN, addr 173.194.35.38

[+]www3.l.google.com: type A, class IN, addr 173.194.35.39

[-]Authoritative nameservers

[+]google.com: type NS, class IN, ns ns3.google.com

[+]google.com: type NS, class IN, ns ns2.google.com

[+]google.com: type NS, class IN, ns ns4.google.com

[+]google.com: type NS, class IN, ns ns1.google.com

[-]Additional records

[+]ns1.google.com: type A, class IN, addr 216.239.32.10

[+]ns2.google.com: type A, class IN, addr 216.239.34.10

[+]ns3.google.com: type A, class IN, addr 216.239.36.10

[+]ns4.google.com: type A, class IN, addr 216.239.38.10

Does anyone have any suggestions?

Thanks in advance!

Alberto

Denis answered

The current Avalanche normal DNS server could not meet your requirement. Perhaps for the sake of performance, the Avalanche normal DNS server is very simple. It never implements the lookup algorithm defined in the DNS spec. It just puts in the answer section of a response all the resource records matching the query type and the query name. The authority section will always be empty. For NS, MX and NAPTR, it may also put the related A or AAAA resource records in the additional section. For NS, the related A or AAAA resource records are the A or AAAA resource records whose "Name" field is the same as the "Name Server" field of the NS resource record. For MX, they are the A or AAAA resource records whose "Name" field is the same as the "Mail Exchange" field of the MX resource record. For NAPTR, they are the A or AAAA resource records whose "Name" field is the same as the "Replace" field of the NAPTR resource record.

Attached is a pcap file that Avalanche generates. It should be a relatively complicated response that the current Avalanche normal DNS server is able to generate.


normal-dns.zip (428 B)

acappadonia commented

Thanks, this should solve my issue as my main objective was to be able to change the size of DNS reply!
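
The record selection described in Denis's answer, modelled in Python to predict section counts and the reply size for a given record set. This is an added example, not Spirent code: the sample records, the TTL of 300, the uncompressed name encoding and the function names are assumptions, and only A, NS and MX records are encoded.

```python
import socket
import struct

# Constructed sample zone; field names follow the wording of the answer above.
RECORDS = [
    {"Name": "mysiteone.com", "Type": "MX", "Preference": 0,
     "Mail Exchange": "mail.mysiteone.com"},
    {"Name": "mysiteone.com", "Type": "MX", "Preference": 10,
     "Mail Exchange": "mail2.mysiteone.com"},
    {"Name": "mail.mysiteone.com", "Type": "A", "Address": "192.0.2.21"},
    {"Name": "mail2.mysiteone.com", "Type": "A", "Address": "192.0.2.22"},
    {"Name": "www.mysiteone.com", "Type": "A", "Address": "192.0.2.80"},
]
TARGET_FIELD = {"NS": "Name Server", "MX": "Mail Exchange", "NAPTR": "Replace"}
TYPE_CODE = {"A": 1, "NS": 2, "MX": 15}  # only the types this sketch encodes

def select_sections(records, qname, qtype):
    """Return (answer, authority, additional) as the answer describes."""
    answer = [r for r in records if r["Name"] == qname and r["Type"] == qtype]
    additional = []
    field = TARGET_FIELD.get(qtype)
    if field:  # NS, MX, NAPTR: add address records of the hosts they name
        targets = {r[field] for r in answer}
        additional = [r for r in records
                      if r["Type"] in ("A", "AAAA") and r["Name"] in targets]
    return answer, [], additional  # authority section is always empty

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def encode_rr(r, ttl=300):  # ttl is an assumed value
    if r["Type"] == "A":
        rdata = socket.inet_aton(r["Address"])
    elif r["Type"] == "MX":
        rdata = struct.pack("!H", r["Preference"]) + encode_name(r["Mail Exchange"])
    else:  # NS
        rdata = encode_name(r["Name Server"])
    fixed = struct.pack("!HHIH", TYPE_CODE[r["Type"]], 1, ttl, len(rdata))
    return encode_name(r["Name"]) + fixed + rdata

def build_response(records, qname, qtype, txid=0x002A, flags=0x8480):
    """Wire-format reply; its length is what the firewall under test sees."""
    answer, authority, additional = select_sections(records, qname, qtype)
    header = struct.pack("!6H", txid, flags, 1, len(answer), len(authority),
                         len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_CODE[qtype], 1)
    return header + question + b"".join(map(encode_rr, answer + additional))
```

Adding more MX records, or more A records for the hosts they name, grows the answer and additional sections and therefore the reply size; the authority count stays 0 whatever the record set.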

acastaner answered

Note that, depending on how dynamic you want the answer to be, you could use the PCAP Capture & Replay tool (SAPEE) to achieve this.
