From: Oleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) Date: Tue, 14 Oct 2025 19:17:24 +0000 (+0000) Subject: Pull request #4936: appid: more restrictive checks for DNS client detection X-Git-Tag: 3.9.7.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84a996af3bd74ced9c9d574e3e578883dd6a0742;p=thirdparty%2Fsnort3.git Pull request #4936: appid: more restrictive checks for DNS client detection Merge in SNORT/snort3 from ~OSTEPANO/snort3:dns_udp_detector to master Squashed commit of the following: commit 12ff8b2092daa3f17b78dfd42bdb16ec7f208589 Author: Oleksandr Stepanov Date: Wed Oct 8 09:50:19 2025 -0400 appid: more restrictive checks for DNS client detection --- diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc index f850bb8dd..9e6b56ecf 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc @@ -509,6 +509,12 @@ int DnsValidator::validate_packet(const uint8_t* data, uint16_t size, const int, offset = sizeof(DNSHeader); + if (!hdr->QDCount and !hdr->QR and !hdr->ARCount) + { + // Query with no questions and cookies is invalid (RFC1035 and RFC7873) + return APPID_NOMATCH; + } + if (hdr->QDCount) { count = ntohs(hdr->QDCount);
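Review bot: in the new `if` block added to `DnsValidator::validate_packet`, the comment "Query with no questions and cookies is invalid" does not match what the condition tests. `!hdr->ARCount` only checks that the additional section is empty, so a query with `QDCount == 0` and any non-zero `ARCount` still passes, whether or not that additional record is an OPT RR carrying a COOKIE option. If this is meant as a cheap pre-filter, reword the comment to say so, for example "query with no questions and no additional records (so no OPT/COOKIE possible)". If the intent is to accept only RFC 7873 cookie-only queries, the additional record has to be checked further down before the packet is treated as a match. Testing the raw network-order fields for zero is fine without `ntohs`, but the condition also ignores the opcode, so it is worth confirming that no opcode handled by this validator legitimately sends a request with all of these counts at zero. The diff touches only detector_dns.cc; a test with a constructed header-only query (QR=0, QDCount=0, ARCount=0) expecting `APPID_NOMATCH` would pin the new behaviour.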