dns: Parse packet in user space #2544
Conversation
mauriciovasquezbernal
requested review from
alban and
blanquicet
as code owners
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
2 times, most recently
from
61d056b
to
48150fe
Compare
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
3 times, most recently
from
90702e9
to
452dea3
Compare
|
@mauriciovasquezbernal Thanks for the change. I tested this change in the following way:
./kubectl-gadget trace dns -A ✔
K8S.NODE K8S.NAMESPACE K8S.POD PID TID COMM QR TYPE QTYPE NAME RCODE NUMANS…
minikube-docker 97501 57694 dockerd Q OUTGOING A dc.services.visualstudio.co… 0
ERRO[0004] decoding dns layer: resource record length exceeds data
minikube-docker 0 0 R OUTGOING A dc.services.visualstudio.co… NoError 23
minikube-docker 71848 71849 isc-worker0000 R HOST A dc.services.visualstudio.co… NoError 23
minikube-docker 97501 57693 dockerd Q OUTGOING AAAA dc.services.visualstudio.co… 0
minikube-docker 97501 57693 dockerd R HOST AAAA dc.services.visualstudio.co… NoError 13
minikube-docker 0 0 R OUTGOING AAAA dc.services.visualstudio.co… NoError 13
minikube-docker 71910 71911 isc-worker0000 R HOST AAAA dc.services.visualstudio.co… NoError 13 |
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
from
452dea3
to
eec00f0
Compare
mauriciovasquezbernal
requested review from
eiffel-fl and
mqasimsarfraz
as code owners
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
3 times, most recently
from
3592eec
to
616a3d1
Compare
| // Map of DNS query to timestamp so we can calculate latency from query sent to answer received. | ||
| struct query_key_t { | ||
| __u64 pid_tgid; | ||
| __u16 id; | ||
| __u16 pad[3]; // this is needed, otherwise the verifier claims an invalid read from stack |
There was a problem hiding this comment.
Where exactly the verifier rejects the program?
When you this as a key? Or when you initialize it?
| // This is hardcoded for now as the datapath assumes the DNS packet is UDP over IPv4 | ||
| // without any options. Next iterations will fix this. | ||
| // Ethernet + IP + UDP | ||
| const dnsOff = 14 + 20 + 8 |
There was a problem hiding this comment.
Please, add some documentation and links on the why of these magical values.
There was a problem hiding this comment.
I think this is pretty clear that those are the size of the headers. I could add add links to the RFCs of those protocols but it's an overkill on my opinion.
There was a problem hiding this comment.
I could add add links to the RFCs of those protocols but it's an overkill on my opinion.
Documenting is never overkill, please add them.
| if !ok { | ||
| event.QType = "UNASSIGNED" | ||
| if len(dnsLayer.Questions) > 0 { | ||
| question := dnsLayer.Questions[0] |
There was a problem hiding this comment.
I do not understand something.
Before, we had this big array qTypeNames, now we rely on this golang package.
Sadly, the golang package does not define as many types as our previous array:
https://pkg.go.dev/github.com/google/gopacket@v1.1.19/layers#DNSType
So, are we loosing some types by using this package? Or before we defined more types than needed?
There was a problem hiding this comment.
Good question, I have no idea. I wanted to use gopacket as much as possible to parse this values as I think they are a good source of trust for that. @alban do you have any opinion here? Should we continue using our big array or switch to gopacket?
There was a problem hiding this comment.
IMO, it doesn't make sense to use gopacket parsing for some things and not for others. I agree gopacket is indeed a good source of truth, if we consider there is something missing, we should open a PR on gopacket instead of use a custom parsing. In this case in specific, honestly, I think people will mainly use the DNS gadget for tracing IPv4 and IPv6 request, and those are already included in the gopacket parsing. Said that, I suggest using the gopacket parsing also here.
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
from
616a3d1
to
c27a48c
Compare
There was a problem hiding this comment.
Hi!
It works on my side:
$ sudo ./ig trace dns mauricio/parse-dns-userspace % u=
RUNTIME.CONTAINERNAME PID TID COMM QR TYPE QTYPE NAME RCODE NUMANSW…
test-trace-dns 21188 21189 isc-net-0000 Q OUTGOING A inspektor-gadget.io. 0
test-trace-dns 21188 21189 isc-net-0000 R HOST A inspektor-gadget.io. No Error 2
$ uname -a mauricio/parse-dns-userspace % u=
Linux pwmachine 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/LinuxBut I still have some concerns regarding the DNS type.
Best regards.
| Rcode: "NXDomain", | ||
| Rcode: "Non-Existent Domain", |
There was a problem hiding this comment.
Should the width of the column be adapted?
pkg/gadgets/trace/dns/types/dns.go:
Rcode string `json:"rcode,omitempty" column:"rcode,minWidth:8"`
There was a problem hiding this comment.
I changed it to 12.
The current logic tries to parse the full DNS packet in eBPF. This is diffcult to do a imposes some limitations, like not supporting: - DNS over TCP - Uncompressed messages - More than 8 answers This commit changes approach to parce the DNS packet on user space. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
mauriciovasquezbernal
force-pushed
the
mauricio/parse-dns-userspace
branch
from
c27a48c
to
d772f2e
Compare
|
Opened #2574 as a follow up work on this., |
TODO:
Fixes #2008