From pvlaar at afilias.info Fri Nov 23 18:03:52 2012 From: pvlaar at afilias.info (Paul Vlaar) Date: Fri, 23 Nov 2012 19:03:52 +0100 Subject: [dnstop] not all DNS types resolving Message-ID: <50AFBA88.5080005@afilias.info> I've been using dnstop for a while, and I really like it as a quick tool to do DNS analysis. I didn't notice until now that some DNS types aren't resolving: Query Type Count % cum% ---------- --------- ------ ------ #32769? 130347 1.7 96.5 #35? 416 0.0 100.0 #65323? 167 0.0 100.0 #52? 31 0.0 100.0 #0? 11 0.0 100.0 #51? 10 0.0 100.0 #44? 9 0.0 100.0 #26? 3 0.0 100.0 #18? 2 0.0 100.0 #13? 3 0.0 100.0 #41? 2 0.0 100.0 #253? 1 0.0 100.0 32769 is DLV, 35 NAPTR (ENUM), 52 is TLSA, 51 is NSEC3PARAM, 44 is SSHFP, 26 is PX, 18 is AFSDB and 13 is HINFO. Not sure what the others are. 65323 a private one perhaps? Any chance this can be made to recognize by dnstop? I've had a quick glance at the code but can't figure out where this is defined. Maybe elsewhere on the local system? Thanks, ~paul -- Paul Vlaar Content Propagation and Resolution Afilias e-mail: pvlaar at afilias.info phone: +1-416-673-4078 cell: +31-6-506-306-35 From wessels at measurement-factory.com Fri Nov 30 19:29:43 2012 
From: wessels at measurement-factory.com (Duane Wessels) Date: Fri, 30 Nov 2012 12:29:43 -0700 (MST) Subject: [dnstop] not all DNS types resolving In-Reply-To: <50AFBA88.5080005@afilias.info> References: <50AFBA88.5080005@afilias.info> Message-ID: On Fri, 23 Nov 2012, Paul Vlaar wrote: > I've been using dnstop for a while, and I really like it as a quick tool > to do DNS analysis. I didn't notice until now that some DNS types aren't > resolving: > > Query Type Count % cum% > ---------- --------- ------ ------ > #32769? 130347 1.7 96.5 > #35? 416 0.0 100.0 > #65323? 167 0.0 100.0 > #52? 31 0.0 100.0 > #0? 11 0.0 100.0 > #51? 10 0.0 100.0 > #44? 9 0.0 100.0 > #26? 3 0.0 100.0 > #18? 2 0.0 100.0 > #13? 3 0.0 100.0 > #41? 2 0.0 100.0 > #253? 1 0.0 100.0 > > 32769 is DLV, 35 NAPTR (ENUM), 52 is TLSA, 51 is NSEC3PARAM, 44 is > SSHFP, 26 is PX, 18 is AFSDB and 13 is HINFO. Not sure what the others > are. 65323 a private one perhaps? > > Any chance this can be made to recognize by dnstop? I've had a quick > glance at the code but can't figure out where this is defined. Maybe > elsewhere on the local system? Paul, here is a patch:
Index: dnstop.c
===================================================================
RCS file: /usr/local/CVS/dnstop/dnstop.c,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -3 -p -r1.114 -r1.115
--- dnstop.c 17 Oct 2012 16:37:23 -0000 1.114
+++ dnstop.c 30 Nov 2012 19:26:41 -0000 1.115
@@ -1,5 +1,5 @@
 /*
- * $Id: dnstop.c,v 1.114 2012/10/17 16:37:23 wessels Exp $
+ * $Id: dnstop.c,v 1.115 2012/11/30 19:26:41 wessels Exp $
 *
 * http://dnstop.measurement-factory.com/
 *
@@ -167,27 +167,6 @@ typedef const char *(col_fmt) (const Sor
 typedef char *(strify) (unsigned int);
 #define T_MAX 65536
-#ifndef T_A6
-#define T_A6 38
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
-#ifndef T_DS
-#define T_DS 43
-#endif
-#ifndef T_RRSIG
-#define T_RRSIG 46
-#endif
-#ifndef T_NSEC
-#define T_NSEC 47
-#endif
-#ifndef T_DNSKEY
-#define T_DNSKEY 48
-#endif
-#ifndef T_SPF
-#define T_SPF 99
-#endif
 #define C_MAX 65536
 #define OP_MAX 16
 #define RC_MAX 16
@@ -347,12 +326,12 @@ allocate_anonymous_address(inX_addr * an
 ptr->addr = *orig_addr;
 ptr->data = (void *)(ptr + 1);
 if (4 == inXaddr_version(orig_addr)) {
- read(entropy_fd, buf, 4);
+ (void) read(entropy_fd, buf, 4);
 inXaddr_assign_v4(ptr->data, (struct in_addr *)buf);
 }
 #if USE_IPV6
 else {
- read(entropy_fd, buf, 16);
+ (void) read(entropy_fd, buf, 16);
 inXaddr_assign_v6(ptr->data, (struct in6_addr *)buf);
 }
 #endif
@@ -1092,48 +1071,78 @@ qtype_str(unsigned int t)
 case T_PTR:
 return "PTR?";
 break;
+ case 13:
+ return "HINFO?";
+ break;
 case T_MX:
 return "MX?";
 break;
 case T_TXT:
 return "TXT?";
 break;
+ case 18:
+ return "AFSDB?";
+ break;
 case T_SIG:
 return "SIG?";
 break;
 case T_KEY:
 return "KEY?";
 break;
+ case 26:
+ return "PX?";
+ break;
 case T_AAAA:
 return "AAAA?";
 break;
 case T_LOC:
 return "LOC?";
 break;
- case T_SRV:
+ case 33:
 return "SRV?";
 break;
- case T_A6:
+ case 35:
+ return "NAPTR?";
+ break;
+ case 38:
 return "A6?";
 break;
- case T_DS:
+ case 41:
+ return "OPT?";
+ break;
+ case 43:
 return "DS?";
 break;
- case T_RRSIG:
+ case 44:
+ return "SSHFP?";
+ break;
+ case 46:
 return "RRSIG?";
 break;
- case T_NSEC:
+ case 47:
 return "NSEC?";
 break;
- case T_DNSKEY:
+ case 48:
 return "DNSKEY?";
 break;
- case T_SPF:
+ case 50:
+ return "NSEC3?";
+ break;
+ case 51:
+ return "NSEC3PARAM?";
+ break;
+ case 52:
+ return "TLSA?";
+ break;
+ case 99:
 return "SPF?";
 break;
 case T_ANY:
 return "ANY?";
 break;
+ case 32769:
+ return "DLV?";
+ break;
 default:
 if (qtypes_buf[t])
 return qtypes_buf[t];
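Review bot: The `(void)` casts added to the two `read(entropy_fd, buf, …)` calls in allocate_anonymous_address discard the return value, so a failed or short read goes unnoticed and `buf` is passed to `inXaddr_assign_v4` / `inXaddr_assign_v6` with whatever bytes it already held. Since those bytes become the replacement address, a silent failure would presumably leave the anonymized addresses stale or predictable instead of random. I would compare the result with the requested length, `if (read(entropy_fd, buf, 4) != 4)` and `!= 16` in the IPv6 branch, and take the function's failure path there. The declaration of `buf`, the opening of `entropy_fd` and the rest of the function lie outside the hunk, so the right failure handling cannot be judged from these lines.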
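Review bot: The new and converted labels in qtype_str are bare numbers (`case 33:`, `case 35:`, … `case 32769:`) while the neighbouring labels still use names such as `T_PTR`, `T_MX` and `T_ANY`, so the switch now mixes two styles and the reason is not recorded anywhere. A short comment above the first numeric label would cover it, for example `/* Literal values: the T_* names for these types are presumably not defined by every system header; numbers follow the IANA DNS RR TYPE registry. */`. Each return string already names the type, so no per-case comment is needed. The switch begins and ends outside the hunk.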