Merge pull request #63031 from skrthomas/OSDOCS-6642

skrthomas · web-flow · commit f0c4caf348aa · 2023-09-28T12:36:10.000-04:00
OSDOCS-6642: DNS tracking Network Observability
diff --git a/modules/network-observability-dns-overview.adoc b/modules/network-observability-dns-overview.adoc
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_content-type: CONCEPT
+[id="network-observability-dns-overview_{context}"]
+= DNS tracking
+You can configure graphical representation of Domain Name System (DNS) tracking of network flows in the *Overview* view. Using DNS tracking with extended Berkeley Packet Filter (eBPF) tracepoint hooks can serve various purposes:
+
+* Network Monitoring: Gain insights into DNS queries and responses, helping network administrators identify unusual patterns, potential bottlenecks, or performance issues.
+
+* Security Analysis: Detect suspicious DNS activities, such as domain name generation algorithms (DGA) used by malware, or identify unauthorized DNS resolutions that might indicate a security breach.
+
+* Troubleshooting: Debug DNS-related issues by tracing DNS resolution steps, tracking latency, and identifying misconfigurations.
+
+When DNS tracking is enabled, you can see the following metrics represented in a chart in the *Overview*. See the _Additional Resources_ in this section for more information about enabling and working with this view.
+
+* Top 5 average DNS latencies
+* Top 5 DNS response code
+* Top 5 DNS response code stacked with total
+
+This feature is supported for IPv4 and IPv6 UDP protocol.
diff --git a/modules/network-observability-dns-tracking.adoc b/modules/network-observability-dns-tracking.adoc
@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_content-type: PROCEDURE
+[id="network-observability-dns-tracking_{context}"]
+= Working with DNS tracking 
+Using DNS tracking, you can monitor your network, conduct security analysis, and troubleshoot DNS issues. You can track DNS by editing the `FlowCollector` to the specifications in the following YAML example.
++
+[IMPORTANT]
+====
+CPU and memory usage increases are observed in the eBPF agent when this feature is enabled.
+====
+.Procedure
+. In the web console, navigate to *Operators* -> *Installed Operators*.
+. Under the *Provided APIs* heading for the *NetObserv Operator*, select *Flow Collector*. 
+. Select *cluster* then select the *YAML* tab.
+. Configure the `FlowCollector` custom resource. A sample configuration is as follows:
++
+[id="network-observability-flowcollector-configuring-dns_{context}"]
+.Configure `FlowCollector` for DNS tracking
+[source, yaml]
+----
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowCollector
+metadata:
+  name: cluster
+namespace: netobserv
+  deploymentModel: DIRECT
+  agent:
+    type: EBPF
+    ebpf:
+      features:
+      - DNSTracking           <1>                       
+      privileged: true        <2>
+----
+<1> You can set the `spec.agent.ebpf.features` parameter list to enable DNS tracking of each network flow in the web console.
+<2> Note that the `spec.agent.ebpf.privileged` specification value must be `true` for packet drop tracking to be enabled.
+
+. When you refresh the *Network Traffic* page, there are new DNS representations you can choose to view in the *Overview* and *Traffic Flow* views and new filters you can apply.
+.. Select new DNS choices in *Manage panels* to display graphical visualizations and DNS metrics in the *Overview*.
+.. Select new choices in *Manage columns* to add DNS columns to the *Traffic Flows* view.
+.. Filter on specific DNS metrics, such as *DNS Id*, *DNS Latency* and *DNS Response Code*, and see more information from the side panel.
diff --git a/networking/network_observability/observing-network-traffic.adoc b/networking/network_observability/observing-network-traffic.adoc
@@ -18,13 +18,19 @@ include::modules/network-observability-pktdrop-overview.adoc[leveloffset=+3]
 .Additional resources
 * For more information about configuring packet drops in the `FlowCollector`, see xref:../network_observability/observing-network-traffic.adoc#network-observability-packet-drops_nw-observe-network-traffic[Working with packet drops].
 
+include::modules/network-observability-dns-overview.adoc[leveloffset=+3]
+
+[role="_additional-resources"]
+.Additional resources
+* For more information about configuring DNS in the `FlowCollector`, see xref:../network_observability/observing-network-traffic.adoc#network-observability-dns-tracking_nw-observe-network-traffic[Working with DNS tracking].
 
 //Traffic flows
 include::modules/network-observability-trafficflow.adoc[leveloffset=+1]
 include::modules/network-observability-working-with-trafficflow.adoc[leveloffset=+2]
 include::modules/network-observability-configuring-options-trafficflow.adoc[leveloffset=+2]
 include::modules/network-observability-working-with-conversations.adoc[leveloffset=+2]
 include::modules/network-observability-packet-drops.adoc[leveloffset=+2]
+include::modules/network-observability-dns-tracking.adoc[leveloffset=+2]
 include::modules/network-observability-histogram-trafficflow.adoc[leveloffset=+2]
 
 //Topology
