netobserv · jpinsonneau · Oct 28, 2025
diff --git a/bpf/dns_tracker.h b/bpf/dns_tracker.h
@@ -108,6 +108,14 @@ static __always_inline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt
             }
             pkt->dns_id = dns_id;
             pkt->dns_flags = flags;
+
+            // Copy raw QNAME bytes (label-encoded) and let userspace decode to dotted form
+            __builtin_memset(pkt->dns_name, 0, DNS_NAME_MAX_LEN);
+            u32 qname_off = dns_offset + sizeof(struct dns_header);
+            // Best-effort fixed-size copy; safe for verifier (constant size)
+            (void)bpf_skb_load_bytes(skb, qname_off, pkt->dns_name, DNS_NAME_MAX_LEN - 1);
+            // Ensure null-termination
+            pkt->dns_name[DNS_NAME_MAX_LEN - 1] = '\0';
         } // end of dns response
     }
     return ret;

diff --git a/bpf/flows.c b/bpf/flows.c
@@ -118,6 +118,7 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
         extra_metrics->dns_record.id = pkt->dns_id;
         extra_metrics->dns_record.flags = pkt->dns_flags;
         extra_metrics->dns_record.latency = pkt->dns_latency;
+        __builtin_memcpy(extra_metrics->dns_record.name, pkt->dns_name, DNS_NAME_MAX_LEN);
     }
     if (dns_errno != 0) {
         extra_metrics->dns_record.errno = dns_errno;
@@ -253,6 +254,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
             new_metrics.dns_record.id = pkt.dns_id;
             new_metrics.dns_record.flags = pkt.dns_flags;
             new_metrics.dns_record.latency = pkt.dns_latency;
+            __builtin_memcpy(new_metrics.dns_record.name, pkt.dns_name, DNS_NAME_MAX_LEN);
             new_metrics.dns_record.errno = dns_errno;
             long ret =
                 bpf_map_update_elem(&additional_flow_metrics, &id, &new_metrics, BPF_NOEXIST);

diff --git a/bpf/types.h b/bpf/types.h
@@ -70,6 +70,7 @@ typedef __u64 u64;
 #define OBSERVED_DIRECTION_BOTH 3
 
 #define MAX_PAYLOAD_SIZE 256
+#define DNS_NAME_MAX_LEN 32
 
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
@@ -123,6 +124,7 @@ typedef struct additional_metrics_t {
         u16 id;
         u16 flags;
         u8 errno;
+        char name[DNS_NAME_MAX_LEN];
     } dns_record;
     struct pkt_drops_t {
         u64 bytes;
@@ -192,6 +194,7 @@ typedef struct pkt_info_t {
     u16 dns_id;
     u16 dns_flags;
     u64 dns_latency;
+    char dns_name[DNS_NAME_MAX_LEN];
 } pkt_info;
 
 // Structure for payload metadata

diff --git a/pkg/decode/decode_protobuf.go b/pkg/decode/decode_protobuf.go
@@ -8,6 +8,7 @@ import (
 	"github.com/netobserv/flowlogs-pipeline/pkg/config"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/model"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/pbflow"
+	"github.com/netobserv/netobserv-ebpf-agent/pkg/utils"
 
 	"github.com/mdlayher/ethernet"
 	log "github.com/sirupsen/logrus"
@@ -120,6 +121,9 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["DnsFlags"] = fr.Metrics.AdditionalMetrics.DnsRecord.Flags
 			out["DnsFlagsResponseCode"] = DNSRcodeToStr(uint32(fr.Metrics.AdditionalMetrics.DnsRecord.Flags) & 0xF)
 			out["DnsLatencyMs"] = fr.DNSLatency.Milliseconds()
+			if name := utils.DNSRawNameToDotted(fr.Metrics.AdditionalMetrics.DnsRecord.Name[:]); name != "" {
+				out["DnsName"] = name
+			}
 		}
 
 		if fr.Metrics.AdditionalMetrics.PktDrops.LatestDropCause != 0 {

diff --git a/pkg/decode/decode_protobuf_test.go b/pkg/decode/decode_protobuf_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/netobserv/flowlogs-pipeline/pkg/config"
 	"github.com/netobserv/netobserv-ebpf-agent/pkg/pbflow"
+	"github.com/netobserv/netobserv-ebpf-agent/pkg/utils"
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -62,6 +63,7 @@ func TestPBFlowToMap(t *testing.T) {
 		PktDropLatestDropCause: 4,
 		DnsLatency:             durationpb.New(someDuration),
 		DnsId:                  1,
+		DnsName:                "www.example.com",
 		DnsFlags:               0x80,
 		DnsErrno:               0,
 		TimeFlowRtt:            durationpb.New(someDuration),
@@ -129,6 +131,7 @@ func TestPBFlowToMap(t *testing.T) {
 		"PktDropLatestDropCause": "SKB_DROP_REASON_PKT_TOO_SMALL",
 		"DnsLatencyMs":           someDuration.Milliseconds(),
 		"DnsId":                  uint16(1),
+		"DnsName":                "www.example.com",
 		"DnsFlags":               uint16(0x80),
 		"DnsFlagsResponseCode":   "NoError",
 		"TimeFlowRttNs":          someDuration.Nanoseconds(),
@@ -157,3 +160,117 @@ func TestPBFlowToMap(t *testing.T) {
 		"IPSecStatus":  "success",
 	}, out)
 }
+
+func TestDnsRawNameToDotted(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []int8
+		expected string
+	}{
+		{
+			name:     "empty input",
+			input:    []int8{},
+			expected: "",
+		},
+		{
+			name:     "null terminated empty",
+			input:    []int8{0},
+			expected: "",
+		},
+		{
+			name:     "simple single label",
+			input:    []int8{3, 'a', 'b', 'c', 0},
+			expected: "abc",
+		},
+		{
+			name:     "multiple labels",
+			input:    []int8{3, 'a', 'b', 'c', 3, 'd', 'e', 'f', 0},
+			expected: "abc.def",
+		},
+		{
+			name:     "root domain",
+			input:    []int8{0},
+			expected: "",
+		},
+		{
+			name:     "realistic domain name",
+			input:    []int8{3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0},
+			expected: "www.example.com",
+		},
+		{
+			name:     "compression pointer stops parsing",
+			input:    []int8{3, 'a', 'b', 'c', -64, 0x12, 0}, // 0xC0 = -64 in int8
+			expected: "abc",
+		},
+		{
+			name:     "compression pointer at start",
+			input:    []int8{-64, 0x12}, // 0xC0 = -64 in int8
+			expected: "",
+		},
+		{
+			name:     "length exceeds buffer",
+			input:    []int8{10, 'a', 'b', 'c'},
+			expected: "",
+		},
+		{
+			name:     "zero length label",
+			input:    []int8{0, 3, 'a', 'b', 'c', 0},
+			expected: "",
+		},
+		{
+			name:     "null terminator in middle",
+			input:    []int8{3, 'a', 'b', 0, 3, 'd', 'e', 'f', 0},
+			expected: "",
+		},
+		{
+			name:     "single character labels",
+			input:    []int8{1, 'a', 1, 'b', 1, 'c', 0},
+			expected: "a.b.c",
+		},
+		{
+			name:     "long label",
+			input:    []int8{10, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 0},
+			expected: "abcdefghij",
+		},
+		{
+			name:     "mixed case",
+			input:    []int8{3, 'A', 'b', 'C', 3, 'D', 'e', 'F', 0},
+			expected: "AbC.DeF",
+		},
+		{
+			name:     "numbers and special chars",
+			input:    []int8{5, 't', 'e', 's', 't', '1', 3, 'a', 'b', 'c', 0},
+			expected: "test1.abc",
+		},
+		{
+			name:     "incomplete label at end",
+			input:    []int8{3, 'a', 'b', 'c', 5, 'd', 'e'},
+			expected: "abc",
+		},
+		{
+			name:     "multiple compression pointers",
+			input:    []int8{3, 'a', 'b', 'c', -64, 0x12, -64, 0x34, 0}, // 0xC0 = -64 in int8
+			expected: "abc",
+		},
+		{
+			name: "very long input with early null",
+			input: func() []int8 {
+				result := make([]int8, 1000)
+				result[0] = 3
+				result[1] = 'a'
+				result[2] = 'b'
+				result[3] = 'c'
+				result[4] = 0
+				return result
+			}(),
+			expected: "abc",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := utils.DNSRawNameToDotted(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
diff --git a/pkg/ebpf/bpf_arm64_bpfel.go b/pkg/ebpf/bpf_arm64_bpfel.go
diff --git a/pkg/ebpf/bpf_arm64_bpfel.o b/pkg/ebpf/bpf_arm64_bpfel.o
diff --git a/pkg/ebpf/bpf_powerpc_bpfel.go b/pkg/ebpf/bpf_powerpc_bpfel.go
diff --git a/pkg/ebpf/bpf_powerpc_bpfel.o b/pkg/ebpf/bpf_powerpc_bpfel.o
diff --git a/pkg/ebpf/bpf_s390_bpfeb.go b/pkg/ebpf/bpf_s390_bpfeb.go
diff --git a/pkg/ebpf/bpf_s390_bpfeb.o b/pkg/ebpf/bpf_s390_bpfeb.o
diff --git a/pkg/ebpf/bpf_x86_bpfel.go b/pkg/ebpf/bpf_x86_bpfel.go
diff --git a/pkg/ebpf/bpf_x86_bpfel.o b/pkg/ebpf/bpf_x86_bpfel.o
diff --git a/pkg/exporter/converters_test.go b/pkg/exporter/converters_test.go
@@ -338,6 +338,7 @@ func TestConversions(t *testing.T) {
 						DnsRecord: ebpf.BpfDnsRecordT{
 							Latency: uint64(someDuration),
 							Id:      1,
+							Name:    [32]int8{3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0},
 							Flags:   0x8001,
 							Errno:   0,
 						},
@@ -384,6 +385,7 @@ func TestConversions(t *testing.T) {
 				"PktDropLatestDropCause": "SKB_DROP_REASON_TCP_CSUM",
 				"DnsLatencyMs":           someDuration.Milliseconds(),
 				"DnsId":                  1,
+				"DnsName":                "www.example.com",
 				"DnsFlags":               0x8001,
 				"DnsFlagsResponseCode":   "FormErr",
 				"TimeFlowRttNs":          someDuration.Nanoseconds(),

diff --git a/pkg/model/record_test.go b/pkg/model/record_test.go
@@ -115,7 +115,10 @@ func TestAdditionalMetricsBinaryEncoding(t *testing.T) {
 		0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, // latency
 		01, 00, // id
 		0x80, 00, // flags
-		0x00,             // errno
+		0x00, // errno
+		// name (32 bytes)
+		't', 'e', 's', 't', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, // 3 bytes padding
 		// pkt_drops structure
 		0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, // u64 bytes
@@ -160,6 +163,7 @@ func TestAdditionalMetricsBinaryEncoding(t *testing.T) {
 			Flags:   0x0080,
 			Latency: 0x1817161514131211,
 			Errno:   0,
+			Name:    [32]int8{'t', 'e', 's', 't', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'},
 		},
 		FlowRtt:          0xdeadbeefbeefdead,
 		NetworkEventsIdx: 1,