[Questions and Support] DNS queries type 28 (AAAA) #19277
Comments
|
@stamparm ping... |
|
@JSteegmueller took one example of such DNS request(s) from here: https://www.cloudshark.org/captures/ea72fbab241b?filter=frame%20and%20eth%20and%20ip%20and%20udp. It seems that everything should be good for Maltrail to parse those AAAA records, but... AFAIR, this was the main issue: Currently I am not anymore in the network traffic monitoring job position, but AFAIR, this was a regular annoyance - repeating of A and AAAA queries in subsequent manner. So, if not mistaken, this decision was done to reduce the redundancy in such cases |
|
Apparently it is called Happy Eyeballs algorithm: As seen, DNS entries for a host can have multiple addresses, both for IPv4 and IPv6. The client will make a AAAA request, followed immediately by an A request. Happy Eyeballs, says the client must attempt to make a connection to the first IP address that is returned, regardless of address family. |
Question
Hey @stamparm, just a small question:
Why are DNS quieries with type 28 filtered out in this line?
maltrail/sensor.py
Line 738 in f0bc2e9
Shouldn't AAAA requesters also be analyzed regarding suspicious ___domain names?
Thanks for your time!
Greetings, Janik
The text was updated successfully, but these errors were encountered: