-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for DNS monitoring #203
Comments
Parsing DNS is quite tricky, I've implemented rfc 1035,3845,6762,6763 (the pain is real). Getting the parser right is a quite a lot of work.
Likely, I'm unsure about how common it is out on the wild, on the endpoint I'd be surprised if anyone is using TCP, the recursive resolver on the other side might. I think it's safe to say the first version should not bother with TCP.
I don't think we can make very good case of this, the encryption is in userland, so we can't really parse anything, I'm unsure if stub resolvers like the ones in glibc support it, I'm guessing it's uncommon enough. I can ask around, I have a good friend who is writing DNS stuff for a decade now.
Same as TLS.
I'd say no, that would involve parsing every packet in the system, and it would be a waste as DNS on non standard ports is virtually non-existant. edit: I wrote all above assuming we don't care about Zone Transfers and whatnot (where TCP/DNSSEC is more the norm), just client requests/replies. |
After consulting some people, TCP/DNSSEC it's likely something we can ignore, it's not something that normal endpoint users do, maybe a security enthusiast configures on his machine and whatnot, but I think we can ignore it. DNS@HTTPS has some momentum as firefox supports it (off by default), I doubt we could properly collect the data we want, since all we can see is the CONNECT like on the https body. I'm assuming we don't want to enter the world of uprobes (I don't). |
Another point worth considering is caching local resolvers. |
@haesbaert yeah, I assume we're going need to care about how the local cache is set up, but unless we want to use uprobes or something for that, I assume that will fall outside the scope of changes to this repo? |
Possibly, though if it's just doing DNS over AF_UNIX we could likely add it, but I suspect glibc@nss@systemd-resolver is actually talking through dbus and thus we can't do much. |
Impact
High
Epic/Meta Issue
No response
Planned Version
None
Description
So, we want Linux DNS support in endpoint, and part of that is going to be done here in ebpf. I'm making a lot of assumptions here, so feel free to correct me if there's something I'm missing. This is just a preliminary list of all the parts we'll need for DNS monitoring in this repo:
ip[4,6]_datagram_connect
,udp_destruct_sock
and others. Similar enough to existing network probes. The remaining question: do we want the probe to filter by port 53 here in ebpf, or should upstream components in endpoint do that?The text was updated successfully, but these errors were encountered: