dns name

Author: jpinsonneau

bpf/dns_tracker.h

@@ -8,7 +8,23 @@
 
 #define DNS_DEFAULT_PORT 53
 #define DNS_QR_FLAG 0x8000
+#define DNS_OPCODE_MASK 0x7800
+#define DNS_RCODE_MASK 0x0F
 #define UDP_MAXMSG 512
+// Reduced to keep BPF program size under limits
+#define MAX_DNS_LABELS 8
+
+// Per-CPU buffer for DNS name parsing to avoid stack overflow
+struct dns_parse_buffer {
+    char name[DNS_NAME_MAX];
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+    __uint(max_entries, 1);
+    __type(key, u32);
+    __type(value, struct dns_parse_buffer);
+} dns_parse_buffer_map SEC(".maps");
 
 // See https://www.rfc-editor.org/rfc/rfc1035 4.1.1. Header section format
 struct dns_header {
@@ -65,7 +81,7 @@ static __always_inline u8 calc_dns_header_offset(pkt_info *pkt, void *data_end)
     return len;
 }
 
-static __always_inline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt) {
+static __noinline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt) {
     void *data_end = (void *)(long)skb->data_end;
     int ret = 0;
     if (pkt->id->dst_port == dns_port || pkt->id->src_port == dns_port ||
@@ -108,6 +124,19 @@ static __always_inline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt
             }
             pkt->dns_id = dns_id;
             pkt->dns_flags = flags;
+
+            // Parse DNS QNAME using per-CPU buffer
+            u32 key = 0;
+            struct dns_parse_buffer *buf = bpf_map_lookup_elem(&dns_parse_buffer_map, &key);
+            if (buf) {
+                // Copy raw QNAME bytes (label-encoded) and let userspace decode to dotted form
+                __builtin_memset(buf->name, 0, DNS_NAME_MAX);
+                u32 qname_off = dns_offset + sizeof(struct dns_header);
+                // Best-effort fixed-size copy; safe for verifier (constant size)
+                (void)bpf_skb_load_bytes(skb, qname_off, buf->name, DNS_NAME_MAX - 1);
+                // Ensure null-termination
+                buf->name[DNS_NAME_MAX - 1] = '\0';
+            }
         } // end of dns response
     }
     return ret;

bpf/flows.c

@@ -118,6 +118,13 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
         extra_metrics->dns_record.id = pkt->dns_id;
         extra_metrics->dns_record.flags = pkt->dns_flags;
         extra_metrics->dns_record.latency = pkt->dns_latency;
+        
+        // Copy DNS name from per-CPU buffer if available
+        u32 key = 0;
+        struct dns_parse_buffer *buf = bpf_map_lookup_elem(&dns_parse_buffer_map, &key);
+        if (buf) {
+            __builtin_memcpy(extra_metrics->dns_record.name, buf->name, DNS_NAME_MAX);
+        }
     }
     if (dns_errno != 0) {
         extra_metrics->dns_record.errno = dns_errno;
@@ -254,6 +261,13 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
             new_metrics.dns_record.flags = pkt.dns_flags;
             new_metrics.dns_record.latency = pkt.dns_latency;
             new_metrics.dns_record.errno = dns_errno;
+            
+            // Copy DNS name from per-CPU buffer if available
+            u32 key = 0;
+            struct dns_parse_buffer *buf = bpf_map_lookup_elem(&dns_parse_buffer_map, &key);
+            if (buf) {
+                __builtin_memcpy(new_metrics.dns_record.name, buf->name, DNS_NAME_MAX);
+            }
             long ret =
                 bpf_map_update_elem(&additional_flow_metrics, &id, &new_metrics, BPF_NOEXIST);
             if (ret != 0) {

bpf/types.h

@@ -70,6 +70,8 @@ typedef __u64 u64;
 #define OBSERVED_DIRECTION_BOTH 3
 
 #define MAX_PAYLOAD_SIZE 256
+// Max DNS name length (truncated if longer) - kept small for BPF limits
+#define DNS_NAME_MAX 32
 
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
@@ -123,6 +125,7 @@ typedef struct additional_metrics_t {
         u16 id;
         u16 flags;
         u8 errno;
+        char name[DNS_NAME_MAX];
     } dns_record;
     struct pkt_drops_t {
         u64 bytes;

pkg/decode/decode_protobuf.go

@@ -26,6 +26,62 @@ const (
 type Protobuf struct {
 }
 
+// dnsNameToString converts a null-terminated C string (char array) to Go string
+func dnsNameToString[T ~byte | ~int8](arr []T) string {
+	n := 0
+	for ; n < len(arr); n++ {
+		if arr[n] == 0 {
+			break
+		}
+	}
+	// Convert to byte slice
+	b := make([]byte, n)
+	for i := 0; i < n; i++ {
+		b[i] = byte(arr[i])
+	}
+	return string(b)
+}
+
+// dnsRawNameToDotted parses a label-encoded DNS QNAME (raw bytes copied from kernel)
+// into a dotted string. Stops on NUL, compression pointer, or bounds.
+func dnsRawNameToDotted(rawI8 []int8) string {
+	// Convert to byte slice up to first NUL
+	b := make([]byte, 0, len(rawI8))
+	for i := 0; i < len(rawI8); i++ {
+		if rawI8[i] == 0 { // NUL terminator placed in kernel copy
+			break
+		}
+		b = append(b, byte(rawI8[i]))
+	}
+	if len(b) == 0 {
+		return ""
+	}
+	out := make([]byte, 0, len(b))
+	i := 0
+	first := true
+	for i < len(b) {
+		l := int(b[i])
+		if l == 0 {
+			break
+		}
+		// Stop on compression pointer (0xC0xx) since we didn't follow it in kernel
+		if (l & 0xC0) == 0xC0 {
+			break
+		}
+		i++
+		if i+l > len(b) {
+			break
+		}
+		if !first {
+			out = append(out, '.')
+		}
+		first = false
+		out = append(out, b[i:i+l]...)
+		i += l
+	}
+	return string(out)
+}
+
 func NewProtobuf() (*Protobuf, error) {
 	log.Debugf("entering NewProtobuf")
 	return &Protobuf{}, nil
@@ -120,6 +176,10 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["DnsFlags"] = fr.Metrics.AdditionalMetrics.DnsRecord.Flags
 			out["DnsFlagsResponseCode"] = DNSRcodeToStr(uint32(fr.Metrics.AdditionalMetrics.DnsRecord.Flags) & 0xF)
 			out["DnsLatencyMs"] = fr.DNSLatency.Milliseconds()
+			// Export DNS name if present (label-encoded copied from kernel)
+			if name := dnsRawNameToDotted(fr.Metrics.AdditionalMetrics.DnsRecord.Name[:]); name != "" {
+				out["DnsName"] = name
+			}
 		}
 
 		if fr.Metrics.AdditionalMetrics.PktDrops.LatestDropCause != 0 {