dns name

Author: jpinsonneau

bpf/dns_tracker.h

@@ -8,6 +8,8 @@
 
 #define DNS_DEFAULT_PORT 53
 #define DNS_QR_FLAG 0x8000
+#define DNS_OPCODE_MASK 0x7800
+#define DNS_RCODE_MASK 0x0F
 #define UDP_MAXMSG 512
 
 // See https://www.rfc-editor.org/rfc/rfc1035 4.1.1. Header section format
@@ -108,6 +110,14 @@ static __always_inline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt
             }
             pkt->dns_id = dns_id;
             pkt->dns_flags = flags;
+
+            // Copy raw QNAME bytes (label-encoded) and let userspace decode to dotted form
+            __builtin_memset(pkt->dns_name, 0, DNS_NAME_MAX_LEN);
+            u32 qname_off = dns_offset + sizeof(struct dns_header);
+            // Best-effort fixed-size copy; safe for verifier (constant size)
+            (void)bpf_skb_load_bytes(skb, qname_off, pkt->dns_name, DNS_NAME_MAX_LEN - 1);
+            // Ensure null-termination
+            pkt->dns_name[DNS_NAME_MAX_LEN - 1] = '\0';
         } // end of dns response
     }
     return ret;

bpf/flows.c

@@ -118,6 +118,7 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
         extra_metrics->dns_record.id = pkt->dns_id;
         extra_metrics->dns_record.flags = pkt->dns_flags;
         extra_metrics->dns_record.latency = pkt->dns_latency;
+        __builtin_memcpy(extra_metrics->dns_record.name, pkt->dns_name, DNS_NAME_MAX_LEN);
     }
     if (dns_errno != 0) {
         extra_metrics->dns_record.errno = dns_errno;
@@ -253,6 +254,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
             new_metrics.dns_record.id = pkt.dns_id;
             new_metrics.dns_record.flags = pkt.dns_flags;
             new_metrics.dns_record.latency = pkt.dns_latency;
+            __builtin_memcpy(new_metrics.dns_record.name, pkt.dns_name, DNS_NAME_MAX_LEN);
             new_metrics.dns_record.errno = dns_errno;
             long ret =
                 bpf_map_update_elem(&additional_flow_metrics, &id, &new_metrics, BPF_NOEXIST);

bpf/types.h

@@ -70,6 +70,7 @@ typedef __u64 u64;
 #define OBSERVED_DIRECTION_BOTH 3
 
 #define MAX_PAYLOAD_SIZE 256
+#define DNS_NAME_MAX_LEN 32
 
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
@@ -123,6 +124,7 @@ typedef struct additional_metrics_t {
         u16 id;
         u16 flags;
         u8 errno;
+        char name[DNS_NAME_MAX_LEN];
     } dns_record;
     struct pkt_drops_t {
         u64 bytes;
@@ -192,6 +194,7 @@ typedef struct pkt_info_t {
     u16 dns_id;
     u16 dns_flags;
     u64 dns_latency;
+    char dns_name[DNS_NAME_MAX_LEN];
 } pkt_info;
 
 // Structure for payload metadata

pkg/decode/decode_protobuf.go

@@ -8,6 +8,7 @@ import (
 	"github.com/netobserv/flowlogs-pipeline/pkg/config"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/model"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/pbflow"
+	"github.com/netobserv/netobserv-ebpf-agent/pkg/utils"
 
 	"github.com/mdlayher/ethernet"
 	log "github.com/sirupsen/logrus"
@@ -120,6 +121,9 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["DnsFlags"] = fr.Metrics.AdditionalMetrics.DnsRecord.Flags
 			out["DnsFlagsResponseCode"] = DNSRcodeToStr(uint32(fr.Metrics.AdditionalMetrics.DnsRecord.Flags) & 0xF)
 			out["DnsLatencyMs"] = fr.DNSLatency.Milliseconds()
+			if name := utils.DNSRawNameToDotted(fr.Metrics.AdditionalMetrics.DnsRecord.Name[:]); name != "" {
+				out["DnsName"] = name
+			}
 		}
 
 		if fr.Metrics.AdditionalMetrics.PktDrops.LatestDropCause != 0 {

pkg/decode/decode_protobuf_test.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/netobserv/flowlogs-pipeline/pkg/config"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/pbflow"
+	"github.com/netobserv/netobserv-ebpf-agent/pkg/utils"
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -62,6 +63,7 @@ func TestPBFlowToMap(t *testing.T) {
 		PktDropLatestDropCause: 4,
 		DnsLatency:             durationpb.New(someDuration),
 		DnsId:                  1,
+		DnsName:                "www.example.com",
 		DnsFlags:               0x80,
 		DnsErrno:               0,
 		TimeFlowRtt:            durationpb.New(someDuration),
@@ -129,6 +131,7 @@ func TestPBFlowToMap(t *testing.T) {
 		"PktDropLatestDropCause": "SKB_DROP_REASON_PKT_TOO_SMALL",
 		"DnsLatencyMs":           someDuration.Milliseconds(),
 		"DnsId":                  uint16(1),
+		"DnsName":                "www.example.com",
 		"DnsFlags":               uint16(0x80),
 		"DnsFlagsResponseCode":   "NoError",
 		"TimeFlowRttNs":          someDuration.Nanoseconds(),
@@ -157,3 +160,117 @@ func TestPBFlowToMap(t *testing.T) {
 		"IPSecStatus":  "success",
 	}, out)
 }
+
+func TestDnsRawNameToDotted(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []int8
+		expected string
+	}{
+		{
+			name:     "empty input",
+			input:    []int8{},
+			expected: "",
+		},
+		{
+			name:     "null terminated empty",
+			input:    []int8{0},
+			expected: "",
+		},
+		{
+			name:     "simple single label",
+			input:    []int8{3, 'a', 'b', 'c', 0},
+			expected: "abc",
+		},
+		{
+			name:     "multiple labels",
+			input:    []int8{3, 'a', 'b', 'c', 3, 'd', 'e', 'f', 0},
+			expected: "abc.def",
+		},
+		{
+			name:     "root domain",
+			input:    []int8{0},
+			expected: "",
+		},
+		{
+			name:     "realistic domain name",
+			input:    []int8{3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0},
+			expected: "www.example.com",
+		},
+		{
+			name:     "compression pointer stops parsing",
+			input:    []int8{3, 'a', 'b', 'c', -64, 0x12, 0}, // 0xC0 = -64 in int8
+			expected: "abc",
+		},
+		{
+			name:     "compression pointer at start",
+			input:    []int8{-64, 0x12}, // 0xC0 = -64 in int8
+			expected: "",
+		},
+		{
+			name:     "length exceeds buffer",
+			input:    []int8{10, 'a', 'b', 'c'},
+			expected: "",
+		},
+		{
+			name:     "zero length label",
+			input:    []int8{0, 3, 'a', 'b', 'c', 0},
+			expected: "",
+		},
+		{
+			name:     "null terminator in middle",
+			input:    []int8{3, 'a', 'b', 0, 3, 'd', 'e', 'f', 0},
+			expected: "",
+		},
+		{
+			name:     "single character labels",
+			input:    []int8{1, 'a', 1, 'b', 1, 'c', 0},
+			expected: "a.b.c",
+		},
+		{
+			name:     "long label",
+			input:    []int8{10, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 0},
+			expected: "abcdefghij",
+		},
+		{
+			name:     "mixed case",
+			input:    []int8{3, 'A', 'b', 'C', 3, 'D', 'e', 'F', 0},
+			expected: "AbC.DeF",
+		},
+		{
+			name:     "numbers and special chars",
+			input:    []int8{5, 't', 'e', 's', 't', '1', 3, 'a', 'b', 'c', 0},
+			expected: "test1.abc",
+		},
+		{
+			name:     "incomplete label at end",
+			input:    []int8{3, 'a', 'b', 'c', 5, 'd', 'e'},
+			expected: "abc",
+		},
+		{
+			name:     "multiple compression pointers",
+			input:    []int8{3, 'a', 'b', 'c', -64, 0x12, -64, 0x34, 0}, // 0xC0 = -64 in int8
+			expected: "abc",
+		},
+		{
+			name: "very long input with early null",
+			input: func() []int8 {
+				result := make([]int8, 1000)
+				result[0] = 3
+				result[1] = 'a'
+				result[2] = 'b'
+				result[3] = 'c'
+				result[4] = 0
+				return result
+			}(),
+			expected: "abc",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := utils.DNSRawNameToDotted(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}