Pull request #4936: appid: more restrictive checks for DNS client detection
authorOleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) <ostepano@cisco.com>
Tue, 14 Oct 2025 19:17:24 +0000 (19:17 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Tue, 14 Oct 2025 19:17:24 +0000 (19:17 +0000)
Merge in SNORT/snort3 from ~OSTEPANO/snort3:dns_udp_detector to master

Squashed commit of the following:

commit 12ff8b2092daa3f17b78dfd42bdb16ec7f208589
Author: Oleksandr Stepanov <ostepano@cisco.com>
Date:   Wed Oct 8 09:50:19 2025 -0400

    appid: more restrictive checks for DNS client detection

src/network_inspectors/appid/detector_plugins/detector_dns.cc

index f850bb8dd2aee4a0a40f46ae9067469a6404b36f..9e6b56ecf2c6d21a077ffd9d7f6d25c5b9e4e8ec 100644 (file)
@@ -509,6 +509,12 @@ int DnsValidator::validate_packet(const uint8_t* data, uint16_t size, const int,
 
     offset = sizeof(DNSHeader);
 
+    if (!hdr->QDCount and !hdr->QR and !hdr->ARCount)
+    {
+        // Query with no questions and cookies is invalid (RFC1035 and RFC7873)
+        return APPID_NOMATCH;
+    }
+
     if (hdr->QDCount)
     {
         count = ntohs(hdr->QDCount);
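Review bot: The added guard before `if (hdr->QDCount)` treats any non-zero `ARCount` as evidence of a cookie, so a zero-question query whose additional section is not an OPT record carrying a COOKIE option still gets past it; RFC 7873 section 5.4 allows QDCOUNT=0 only in that case. Whether the rest of `validate_packet` parses the additional section and rejects such packets is not visible, since the function starts and ends outside the hunk, so this should be confirmed or the record type checked there. The comment also reads ambiguously ("no questions and cookies"); I would word it as `// QR=0 with QDCOUNT=0 is valid only with an OPT RR carrying a COOKIE option (RFC 7873 5.4); ARCount==0 rules that out`. The check also does not look at the opcode, so it is worth confirming that no message type the detector is expected to match legitimately has all of these fields zero.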