SysMon DNS Query Results are truncated

  • Question

  • Hello,

    I have found that the DNS Query Results from SysMon could be truncated. See the example below:

     QueryResults: type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;::ffff:52.96.43.162;::ffff:40.97.168.114;::ffff:40.97.152.2;::ffff:40.97.154.242;::ffff:40.97.170.2;::ffff:40.97.153.146;::ffff:40.97.126.210;::ffff:52.96.29.82;::ffff:40.97.126.178;::ffff:40.97.24.2;::ffff:40.97.170.194;::ffff:40.97.126.194;::ffff:40.97.124.226;::ffff:40.97.124.194;::ffff:40.97.30.162;::ffff:40.97.124.34;::ffff:40.97.29.50;::ffff:40.97.124.210;::ffff:40.97.28.98;::ffff:40.97.154.82;::ffff:40.97.170.178;::ffff:40.97.170.162;::ffff:40.96.32.34;::ffff:40.97.154.226;::ffff:40.97.169.242;::ffff:40.97.171.98;::ffff:40.97.169.146;::ffff:40.97.100.2;::ffff:40.97.169.162;::ffff:40.97.152.82;::ffff:40.97.155.194;::ffff:52.96.54.210;::ffff:52.96.40.114;::ffff:40.97.171.114;::ffff:52.96.37.210;::ffff:40.97.168.98;::ffff:40.97.154.66;::ffff:40.97.28.82;::ffff:40.97.28.114;::ffff:40.97.24.18;::ffff:40.97.228.178;::ffff:40.97.155.178;::ffff:40.97.31.50;::ffff:52.96.37.34;::ffff:40.97.124.18;::ffff:40.97.24.50;::ffff:40.97.230.178;::ffff:52

    Notice that the end of the data is not a valid IP address but rather '52'. As we try to parse and ingest this, it is invalid.

    Is this expected behavior or a bug?

    SysMon 10.42 is what this was tested with.

    Thank you!

    Monday, May 11, 2020 10:40 PM

All replies

  • Interesting. I wasn't aware of this issue. Mark Russinovich added the DNS feature so I will check with him but I couldn't see any obvious restrictions in the Sysmon code. Note that DNS logging uses ETW so this may be a restriction on the ETW logs too. Have added to the backlog and will take a look.

    MarkC(MSFT)

    Tuesday, May 12, 2020 8:08 AM

  • Sounds great, thanks Mark! Let us know if you need more details.

    Nic

    Tuesday, May 12, 2020 2:55 PM

  • This is a Windows DNS restriction for ETW logging - messages are cut to 1024 characters. However, new operating system code without this restriction is ready and waiting to roll out with the next major OS release.

    Consider that in the case of hostnames with multiple IP addresses, there's no guarantee for the order in which the IPs are sent back by the DNS server. Also, in the case of UDP queries, the datagrams might be cut short (datagrams are also capped at 64 kilobytes) with only a bit flag in the message to signal this. There is no way to retrieve what follows after the cut; the client is free to query the stateless DNS server again and might receive any subset of the answer back.

    AlexM(MSFT)

    Wednesday, September 9, 2020 2:29 PM
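For anyone ingesting these events, the practical consequence of the question and of AlexM's reply is that a QueryResults field can end in a fragment, and that fragment can still pass a syntax check (the trailing `::ffff:52` from the question is a syntactically valid IPv6 address, and a cut inside `::ffff:52.96.43.162` can leave a valid but wrong `::ffff:52.96.43.16`). The following Python parser is an added example, not code from this thread or from Sysmon: it splits the field, records the `type: N name` entries, unwraps `::ffff:a.b.c.d` IPv4-mapped addresses, and drops the last token whenever the field looks cut. It assumes the 1024-character limit from AlexM's reply as the length threshold, assumes that an intact QueryResults value ends with `;` (the sample in the question does not), and uses the constructed strings `INTACT` and `CUT` as sample input.

```python
import ipaddress
import re

# AlexM's reply above states the ETW-backed DNS event is cut at 1024 characters.
ETW_DNS_LIMIT = 1024

# 'type: N name' entries (e.g. the CNAME chain) precede the address tokens.
_TYPE_RE = re.compile(r"type:\s*(\d+)\s+(\S+)")


def parse_query_results(field: str, limit: int = ETW_DNS_LIMIT) -> dict:
    """Parse a Sysmon Event ID 22 QueryResults string into structured data.

    Returns a dict with:
      records   - [(rr_type, name), ...] for the 'type: N name' entries
      addresses - address strings, with ::ffff:a.b.c.d IPv4-mapped forms unwrapped
      truncated - True when the field shows signs of the ETW cut
      dropped   - tokens discarded because they could not be trusted
    """
    text = field.strip()
    # Assumption: an intact Sysmon QueryResults value ends with ';' (the thread's
    # truncated sample does not), so a missing separator or a length at the ETW
    # limit means the last token may be a fragment.
    truncated = len(text) >= limit or not text.endswith(";")
    tokens = [t.strip() for t in text.split(";") if t.strip()]
    last = len(tokens) - 1
    records, addresses, dropped = [], [], []

    for idx, tok in enumerate(tokens):
        m = _TYPE_RE.fullmatch(tok)
        if m:
            records.append((int(m.group(1)), m.group(2)))
            continue
        if truncated and idx == last:
            # A cut can leave a fragment that still parses: '::ffff:52' is a
            # syntactically valid IPv6 address and '::ffff:52.96.43.16' is a valid
            # IPv4-mapped one, so a syntax check alone would accept bad data.
            dropped.append(tok)
            continue
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            dropped.append(tok)  # malformed token anywhere in the field
            continue
        # Sysmon reports IPv4 answers as IPv4-mapped IPv6; store the plain IPv4 form.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        addresses.append(str(addr))

    return {"records": records, "addresses": addresses,
            "truncated": truncated, "dropped": dropped}


# Constructed samples modelled on the thread's example; not real log data.
INTACT = ("type: 5 lyh-efz.office.com;::ffff:40.97.30.130;"
          "::ffff:40.97.152.34;2603:1030:20e:3::2c;")
CUT = "type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;::ffff:52"

if __name__ == "__main__":
    for sample in (INTACT, CUT):
        print(parse_query_results(sample))
```

Keeping the `truncated` flag on the ingested record matters more than the dropped token itself: a host with many answers will produce an event whose address list is silently incomplete, so a detection that asserts "this name never resolved to X" cannot be trusted for truncated events, and, as AlexM notes, a second query may return a different subset of the answer rather than the missing tail.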