netobserv
diff --git a/‎.mk/bc.mk‎
Lines changed: 1 addition & 0 deletions b/‎.mk/bc.mk‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎bpf/dns_tracker.h‎
Lines changed: 10 additions & 0 deletions b/‎bpf/dns_tracker.h‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎bpf/flows.c‎
Lines changed: 2 additions & 0 deletions b/‎bpf/flows.c‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎bpf/types.h‎
Lines changed: 3 additions & 0 deletions b/‎bpf/types.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/decode/decode_protobuf.go‎
Lines changed: 43 additions & 0 deletions b/‎pkg/decode/decode_protobuf.go‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎pkg/ebpf/bpf_arm64_bpfel.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/ebpf/bpf_arm64_bpfel.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/ebpf/bpf_arm64_bpfel.o‎
2.48 KB b/‎pkg/ebpf/bpf_arm64_bpfel.o‎
2.48 KB
diff --git a/‎pkg/ebpf/bpf_powerpc_bpfel.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/ebpf/bpf_powerpc_bpfel.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/ebpf/bpf_powerpc_bpfel.o‎
2.48 KB b/‎pkg/ebpf/bpf_powerpc_bpfel.o‎
2.48 KB
diff --git a/‎pkg/ebpf/bpf_s390_bpfeb.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/ebpf/bpf_s390_bpfeb.go‎
Lines changed: 1 addition & 0 deletions
@@ -34,6 +34,7 @@ define MAPS
 	"additional_flow_metrics":"per_cpu_hash",
 	"packet_record":"ringbuf",
 	"dns_flows":"hash",
+	"dns_parse_buffer_map":"percpu_array",
 	"global_counters":"per_cpu_array",
 	"filter_map":"lpm_trie",
 	"peer_filter_map":"lpm_trie",
 
@@ -8,6 +8,8 @@
 
 #define DNS_DEFAULT_PORT 53
 #define DNS_QR_FLAG 0x8000
+#define DNS_OPCODE_MASK 0x7800
+#define DNS_RCODE_MASK 0x0F
 #define UDP_MAXMSG 512
 
 // See https://www.rfc-editor.org/rfc/rfc1035 4.1.1. Header section format
@@ -108,6 +110,14 @@ static __always_inline int track_dns_packet(struct __sk_buff *skb, pkt_info *pkt
             }
             pkt->dns_id = dns_id;
             pkt->dns_flags = flags;
+
+            // Copy raw QNAME bytes (label-encoded) and let userspace decode to dotted form
+            __builtin_memset(pkt->dns_name, 0, DNS_NAME_MAX_LEN);
+            u32 qname_off = dns_offset + sizeof(struct dns_header);
+            // Best-effort fixed-size copy; safe for verifier (constant size)
+            (void)bpf_skb_load_bytes(skb, qname_off, pkt->dns_name, DNS_NAME_MAX_LEN - 1);
+            // Ensure null-termination
+            pkt->dns_name[DNS_NAME_MAX_LEN - 1] = '\0';
         } // end of dns response
     }
     return ret;
 
@@ -118,6 +118,7 @@ static inline void update_dns(additional_metrics *extra_metrics, pkt_info *pkt,
         extra_metrics->dns_record.id = pkt->dns_id;
         extra_metrics->dns_record.flags = pkt->dns_flags;
         extra_metrics->dns_record.latency = pkt->dns_latency;
+        __builtin_memcpy(extra_metrics->dns_record.name, pkt->dns_name, DNS_NAME_MAX_LEN);
     }
     if (dns_errno != 0) {
         extra_metrics->dns_record.errno = dns_errno;
@@ -253,6 +254,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
             new_metrics.dns_record.id = pkt.dns_id;
             new_metrics.dns_record.flags = pkt.dns_flags;
             new_metrics.dns_record.latency = pkt.dns_latency;
+            __builtin_memcpy(new_metrics.dns_record.name, pkt.dns_name, DNS_NAME_MAX_LEN);
             new_metrics.dns_record.errno = dns_errno;
             long ret =
                 bpf_map_update_elem(&additional_flow_metrics, &id, &new_metrics, BPF_NOEXIST);
 
@@ -70,6 +70,7 @@ typedef __u64 u64;
 #define OBSERVED_DIRECTION_BOTH 3
 
 #define MAX_PAYLOAD_SIZE 256
+#define DNS_NAME_MAX_LEN 32
 
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
@@ -123,6 +124,7 @@ typedef struct additional_metrics_t {
         u16 id;
         u16 flags;
         u8 errno;
+        char name[DNS_NAME_MAX_LEN];
     } dns_record;
     struct pkt_drops_t {
         u64 bytes;
@@ -192,6 +194,7 @@ typedef struct pkt_info_t {
     u16 dns_id;
     u16 dns_flags;
     u64 dns_latency;
+    char dns_name[DNS_NAME_MAX_LEN];
 } pkt_info;
 
 // Structure for payload metadata
 
@@ -26,6 +26,46 @@ const (
 type Protobuf struct {
 }
 
+// dnsRawNameToDotted parses a label-encoded DNS QNAME (raw bytes copied from kernel)
+// into a dotted string. Stops on NUL, compression pointer, or bounds.
+func dnsRawNameToDotted(rawI8 []int8) string {
+	// Convert to byte slice up to first NUL
+	b := make([]byte, 0, len(rawI8))
+	for i := 0; i < len(rawI8); i++ {
+		if rawI8[i] == 0 { // NUL terminator placed in kernel copy
+			break
+		}
+		b = append(b, byte(rawI8[i]))
+	}
+	if len(b) == 0 {
+		return ""
+	}
+	out := make([]byte, 0, len(b))
+	i := 0
+	first := true
+	for i < len(b) {
+		l := int(b[i])
+		if l == 0 {
+			break
+		}
+		// Stop on compression pointer (0xC0xx) since we didn't follow it in kernel
+		if (l & 0xC0) == 0xC0 {
+			break
+		}
+		i++
+		if i+l > len(b) {
+			break
+		}
+		if !first {
+			out = append(out, '.')
+		}
+		first = false
+		out = append(out, b[i:i+l]...)
+		i += l
+	}
+	return string(out)
+}
+
 func NewProtobuf() (*Protobuf, error) {
 	log.Debugf("entering NewProtobuf")
 	return &Protobuf{}, nil
@@ -120,6 +160,9 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["DnsFlags"] = fr.Metrics.AdditionalMetrics.DnsRecord.Flags
 			out["DnsFlagsResponseCode"] = DNSRcodeToStr(uint32(fr.Metrics.AdditionalMetrics.DnsRecord.Flags) & 0xF)
 			out["DnsLatencyMs"] = fr.DNSLatency.Milliseconds()
+			if name := dnsRawNameToDotted(fr.Metrics.AdditionalMetrics.DnsRecord.Name[:]); name != "" {
+				out["DnsName"] = name
+			}
 		}
 
 		if fr.Metrics.AdditionalMetrics.PktDrops.LatestDropCause != 0 {