filter based on rcode #32

README.md

@@ -33,7 +33,7 @@ NOTE: The code before version 1.x is considered beta quality and is subject to b
     - [DNS decoder with extended options support](doc/dnsparser.md)
     - [Built-in Grafana dashboards](doc/dashboards.md)
     - [GeoIP support](doc/configuration.md#geoip-support)
-    - [Fqdn/Domain list filtering](doc/configuration.md#fqdn-filtering)
+    - [Log filtering per domain or rcode](doc/configuration.md#filtering)
     - [User Privacy](doc/configuration.md#user-privacy)
     - [Custom text format](doc/configuration.md#custom-text-format)
     - [DNS caching](doc/configuration.md#DNS-Caching)

config.yml

@@ -130,6 +130,8 @@ subprocessors:
     drop-fqdn-file: ""
     # domain drop list, domains list can be a partial domain name with regexp expression
     drop-domain-file: ""
+    # drop response according to the return code (NOERROR, ...). This list is empty by default
+    drop-rcodes: []
     # forward received queries to configured loggers ?
     log-queries: true
     # forward received replies to configured loggers ?

dnsutils/config.go

@@ -75,10 +75,11 @@ type Config struct {
 		} `yaml:"cache"`
 		ServerId  string `yaml:"server-id"`
 		Filtering struct {
-			DropFqdnFile   string `yaml:"drop-fqdn-file"`
-			DropDomainFile string `yaml:"drop-domain-file"`
-			LogQueries     bool   `yaml:"log-queries"`
-			LogReplies     bool   `yaml:"log-replies"`
+			DropFqdnFile   string   `yaml:"drop-fqdn-file"`
+			DropDomainFile string   `yaml:"drop-domain-file"`
+			DropRcodes     []string `yaml:drop-rcodes,flow`
+			LogQueries     bool     `yaml:"log-queries"`
+			LogReplies     bool     `yaml:"log-replies"`
 		} `yaml:"filtering"`
 		GeoIP struct {
 			DbCountryFile string `yaml:"mmdb-country-file"`
@@ -270,6 +271,7 @@ func (c *Config) SetDefault() {
 
 	c.Subprocessors.Filtering.DropFqdnFile = ""
 	c.Subprocessors.Filtering.DropDomainFile = ""
+	c.Subprocessors.Filtering.DropRcodes = []string{}
 	c.Subprocessors.Filtering.LogQueries = true
 	c.Subprocessors.Filtering.LogReplies = true
 

doc/configuration.md

@@ -11,11 +11,12 @@ The configuration is done in one yaml file. For the complete configuration, see
   - [DNS sniffer](#Dns-Sniffer)
   - [Tail](#Tail)
 - [Subprocessors](#Subprocessors)
+  - [Quiet text](#quiet-text)
   - [Qname lowercase](#Qname-lowercase)
-  - [IP anonymization](#Ip-Anonymization)
+  - [User privacy](#user-privacy)
   - [GeoIP Support](#GeoIP-Support)
   - [DNS Caching](#DNS-Caching)
-  - [Packet Filtering](#Packet-Filtering)
+  - [Filtering](#Filtering)
   - [Custom text format](#Custom-Text-Format)
   - [Statistics](#Statistics)
 - [Loggers](#Loggers)
@@ -126,7 +127,7 @@ dns-sniffer:
   capture-dns-replies: true
 ```
 
-## Tail
+### Tail
 
 The tail collector enable to read DNS event from text files.
 DNS servers log server can be followed; any type of server is supported!
@@ -284,14 +285,15 @@ subprocessors:
     query-timeout: 10 
 ```
 
-### Fqdn Filtering
+### Log filtering per domain or rcode
 
-This feature can be use to ignore queries or replies. You can also use-it to drop 
-specific domains name. This feature can be useful to increase logging performance.
+The filtering feature can be used to ignore some queries or replies according to the qname or return code. 
+This feature can be useful to increase logging performance..
 
 Options:
 - `drop-fqdn-file`: (string) path file to a fqdn drop list, domains list must be a full qualified domain name
 - `drop-domain-file`: (string) path file to domain drop list, domains list can be a partial domain name with regexp expression
+- `drop-rcodes`: (list of string) rcode list, empty by default
 - `log-queries`: (boolean) forward received queries to configured loggers
 - `log-replies`: (boolean)  forward received replies to configured loggers
 
@@ -300,6 +302,7 @@ subprocessors:
   filtering:
     drop-fqdn-file: ""
     drop-domain-file: ""
+    drop-rcodes: []
     log-queries: true
     log-replies: true
 ```
@@ -356,7 +359,7 @@ Some options to customize the statitics subprocessor.
 
 Options:
 - `top-max-items`: (string) default number of items on top
-- `common-qtypes`: (string)  expected common qtype list, other will be considered as suspicious
+- `common-qtypes`: (list of string)  expected common qtype list, other will be considered as suspicious
 - `threshold-qname-len`: (string) a length greater than this value will be considered as suspicious
 - `threshold-packet-len`: (string) a size greater than this value will be considered as suspicious value in bytes
 - `threshold-slow`: (string) threshold to set a domain considered as slow, value in second

subprocessors/filtering.go

@@ -87,6 +87,13 @@ func (p *FilteringProcessor) CheckIfDrop(dm *dnsutils.DnsMessage) bool {
 		return true
 	}
 
+	// drop according to the rcode ?
+	for _, v := range p.config.Subprocessors.Filtering.DropRcodes {
+		if v == dm.DNS.Rcode {
+			return true
+		}
+	}
+
 	// drop domains ?
 	if p.dropDomains {
 		// fqdn

subprocessors/filtering_test.go

@@ -27,3 +27,31 @@ func TestFilteringQR(t *testing.T) {
 	}
 
 }
+
+func TestFilteringByRcodeNOERROR(t *testing.T) {
+	// config
+	config := dnsutils.GetFakeConfig()
+	config.Subprocessors.Filtering.DropRcodes = []string{"NOERROR"}
+
+	// init subproccesor
+	filtering := NewFilteringProcessor(config, logger.New(false))
+
+	dm := dnsutils.GetFakeDnsMessage()
+	if filtering.CheckIfDrop(&dm) == false {
+		t.Errorf("dns query should be dropped")
+	}
+}
+
+func TestFilteringByRcodeEmpty(t *testing.T) {
+	// config
+	config := dnsutils.GetFakeConfig()
+	config.Subprocessors.Filtering.DropRcodes = []string{}
+
+	// init subproccesor
+	filtering := NewFilteringProcessor(config, logger.New(false))
+
+	dm := dnsutils.GetFakeDnsMessage()
+	if filtering.CheckIfDrop(&dm) == true {
+		t.Errorf("dns query should not be dropped!")
+	}
+}