DNS UDP bypass rule not working, advise please

Hello,

Made 2 rules to have Suricata bypass and not analyze DNS traffic from known DNS servers, but it seems they are ignored. Any ideas please?

Thanks!
Andre

# suricata -v
Suricata 8.0.0-dev (378f678d9 2024-10-14)

suricata.yaml:
outputs:
  eve.json:
    types:
      - dns:
          version: 3
          requests: yes
          responses: yes

local.rules:
# Bypass DNS traffic of known DNS servers
pass udp $DNS_SERVERS 53 -> any any (bypass; sid:100000050; rev:1;)
pass udp $HOME_NET any -> $DNS_SERVERS 53 (bypass; sid:100000051; rev:1;)

Seems like this is processed before the bypass rule. If disabling request/response there is indeed no udp traffic according to previous bypass rules.

      - dns:
          version: 3
          requests: yes
          responses: yes

Parsing DNS happens before the rules are evaluated, but I would still expect the logging to not run for this flow. Smells like a bug to me.

Btw if your goal is to disable dns logging you can also use the config keyword:
https://docs.suricata.io/en/latest/rules/config.html#config-rules

Ok, thanks, need some help with that.
Would this disable all dns, or dns query and answer logging?

config dns $DNS_SERVERS any -> any any (dns.answer; config: logging disable, type tx, scope tx; sid:1;)
config dns any any -> $DNS_SERVERS any (dns.query; config: logging disable, type tx, scope tx; sid:2;)

Or all:
config dns $DNS_SERVERS any -> any any (config: logging disable, type tx, scope tx; sid:1;)
config dns any any -> $DNS_SERVERS any (config: logging disable, type tx, scope tx; sid:2;)

Did you try those rules?

This combination for sure did the job, thanks.

pass dns $DNS_IB any -> any any (bypass; sid:100000050; rev:2;)
pass dns any any -> $DNS_IB any (bypass; sid:100000051; rev:2;)

config dns $DNS_IB any -> any any (config: logging disable, type tx, scope tx; sid:100000052;)
config dns any any -> $DNS_IB any (config: logging disable, type tx, scope tx; sid:100000053;)
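A quick way to confirm that the config rules above actually suppress DNS logging is to scan eve.json for dns records that still involve the address group. The script below is an added example, not code from the thread or from the Suricata project; the eve.json lines are constructed, and the address-group parser is a simplification that assumes plain comma-separated addresses or CIDRs (no negation or nested groups). Anything it returns for the $DNS_IB group is a record the rules did not silence; DNS to resolvers outside the group (here 8.8.8.8) is still logged, which is the intended scope.

```python
import json
import ipaddress

# Constructed sample eve.json lines (not output from the thread): a DNS request and
# response exchanged with an internal resolver 10.0.0.53, one DNS request to an
# external resolver that is NOT in the address group, and one unrelated flow record.
SAMPLE_EVE = """\
{"timestamp":"2024-10-15T10:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"version":3,"type":"request","id":1,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-10-15T10:00:00.001000+0000","event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"version":3,"type":"response","id":1,"rcode":"NOERROR"}}
{"timestamp":"2024-10-15T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"version":3,"type":"request","id":2,"rrname":"example.org","rrtype":"A"}}
{"timestamp":"2024-10-15T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":44444,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP"}
"""


def parse_address_group(group):
    """Turn a Suricata address-group value such as "[10.0.0.53,10.0.1.0/24]" or a
    single "10.0.0.53" into ip_network objects. Assumption: only plain
    comma-separated addresses and CIDRs, no negation or nesting."""
    text = group.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def dns_events_touching(eve_text, dns_group):
    """Return every dns record whose src_ip or dest_ip falls inside dns_group.
    With the config rules loaded this should be empty for the group; any record
    returned is one the rules did not suppress."""
    nets = parse_address_group(dns_group)

    def in_group(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    leaked = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "dns":
            continue
        if in_group(rec["src_ip"]) or in_group(rec["dest_ip"]):
            leaked.append(rec)
    return leaked


def event_type_counts(eve_text):
    """Count records per event_type, to see what else the log still carries."""
    counts = {}
    for line in eve_text.splitlines():
        if line.strip():
            etype = json.loads(line).get("event_type", "?")
            counts[etype] = counts.get(etype, 0) + 1
    return counts


if __name__ == "__main__":
    # $DNS_IB is assumed here to be the single resolver 10.0.0.53.
    leaked = dns_events_touching(SAMPLE_EVE, "[10.0.0.53]")
    print(f"dns records still logged for the DNS group: {len(leaked)}")
    for rec in leaked:
        print("  ", rec["src_ip"], "->", rec["dest_ip"], rec["dns"]["type"])
    print("event types present:", event_type_counts(SAMPLE_EVE))
```

Run it against a real eve.json (read the file into `eve_text`) with the same value you gave $DNS_IB in suricata.yaml; before loading the config rules the sample reports two leaked records, afterwards a correct setup should report zero while the request to 8.8.8.8 remains.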