chore: no longer correlate other events to dns events (#11)

Currently we try to correlate other connections with hostnames from
recent dns events. This winds up error prone and can cause surprising
and incorrect correlations. This removes that functionality in favor of
just printing out DNS traffic we see.

Author: mikhailswift

bpf/counter.c

@@ -92,7 +92,12 @@ struct {
 static const __u8 ip4in6[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
 
 typedef struct udp_pkt_t {
+  struct in6_addr srcip;    // source IPv6 address
+  struct in6_addr dstip;    // destination IPv6 address
+  __u16 src_port;           // source port
+  __u16 dst_port;
   pid_t pid;
+  char comm[TASK_COMM_LEN];
   unsigned char pkt[MAX_PKT];
 } udp_pkt;
 
@@ -717,12 +722,17 @@ static inline void process_udp_recv(struct sk_buff *skb, statkey *key,
     }
 
     data->pid = pid;
+    data->src_port = key->src_port;
+    data->dst_port = key->dst_port;
     unsigned char *pktdata = BPF_CORE_READ(skb, data);
     size_t buflen = BPF_CORE_READ(skb, len);
     if (buflen > MAX_PKT) {
         buflen = MAX_PKT;
     }
 
+    __builtin_memcpy(&data->srcip, &key->srcip, sizeof(struct in6_addr));
+    __builtin_memcpy(&data->dstip, &key->dstip, sizeof(struct in6_addr));
+    __builtin_memcpy(&data->comm, &key->comm, sizeof(data->comm));
     bpf_core_read(&data->pkt, buflen, pktdata);
     bpf_ringbuf_submit(data, 0);
   }

counter_arm64_bpfel.go

@@ -7,18 +7,27 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"sync"
+	"time"
 
 	"github.com/cilium/ebpf/ringbuf"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 )
 
-func processUDPPackets(ctx context.Context, reader *ringbuf.Reader, dnsLookupMap map[uint32]string, dnsLookupMapMutex *sync.RWMutex) {
+func processUDPPackets(ctx context.Context, reader *ringbuf.Reader) {
+	seenDNSPackets := map[statEntry]struct{}{}
+	resetSeenPacketsTick := time.NewTicker(time.Minute)
+	defer resetSeenPacketsTick.Stop()
+
 	for {
 		select {
 		case <-ctx.Done():
 			return
+		case <-resetSeenPacketsTick.C:
+			// Reset the seenDNSPacketIDs map every once in a while so it doesn't grow unbounded,
+			// as well the unlikely case a random ID gets re-used. There is a small chance we reset
+			// this in between processing packets that would result in a duplicate entry, but that's fine.
+			seenDNSPackets = map[statEntry]struct{}{}
 		default:
 			record, err := reader.Read()
 			if err != nil {
@@ -52,10 +61,36 @@ func processUDPPackets(ctx context.Context, reader *ringbuf.Reader, dnsLookupMap
 				log.Printf("Skipping dns packet: no questions")
 			}
 
-			// just grab the first question for now
-			dnsLookupMapMutex.Lock()
-			dnsLookupMap[uint32(udpPktDetails.Pid)] = string(dnsLayer.Questions[0].Name)
-			dnsLookupMapMutex.Unlock()
+			entry := statEntry{
+				SrcPort:       udpPktDetails.SrcPort,
+				SrcIP:         bytesToAddr(udpPktDetails.Srcip.In6U.U6Addr8),
+				DstPort:       udpPktDetails.DstPort,
+				DstIP:         bytesToAddr(udpPktDetails.Dstip.In6U.U6Addr8),
+				Proto:         "UDP",
+				Pid:           udpPktDetails.Pid,
+				Comm:          comm2String(udpPktDetails.Comm[:]),
+				DNSQueryName:  string(dnsLayer.Questions[0].Name),
+				LikelyService: "dns",
+			}
+
+			if getKubeClient() != nil {
+				entry.SourcePod = lookupPodForIP(entry.SrcIP)
+				entry.DstPod = lookupPodForIP(entry.DstIP)
+			}
+
+			// Currently we see the same DNS packet make it's journey from the originating process,
+			// to the local dns resolver, and on it's way out of the VM's network. This results in
+			// quite a few duplicate events being printed to stdout. So check if this would cause
+			// a duplicate output and skip printing it if so.
+			if _, ok := seenDNSPackets[entry]; ok {
+				log.Printf("Skipping DNS packet we've already seen")
+				continue
+			} else {
+				seenDNSPackets[entry] = struct{}{}
+			}
+
+			entry.Timestamp = time.Now().UTC()
+			fmt.Print(outputJSON([]statEntry{entry}))
 		}
 	}
 }

counter_x86_bpfel.go

@@ -162,7 +162,7 @@ func main() {
 		log.Printf("Failed to create ringbuf reader for UDP packets: %v", err)
 	} else {
 		log.Printf("Created UDP packet ringbuf reader successfully")
-		go processUDPPackets(ctx, udpPktReader, dnsLookupMap, dnsLookupMapMutex)
+		go processUDPPackets(ctx, udpPktReader)
 		defer udpPktReader.Close()
 	}
 
@@ -181,15 +181,6 @@ func main() {
 			// Filter out entries we've already seen and enrich with DNS data
 			var newEntries []statEntry
 			for _, entry := range entries {
-				// Enrich entry with DNS hostname if available
-				if entry.Pid != 0 {
-					dnsLookupMapMutex.RLock()
-					if hostname, exists := dnsLookupMap[uint32(entry.Pid)]; exists {
-						entry.DNSQueryName = hostname
-					}
-					dnsLookupMapMutex.RUnlock()
-				}
-
 				// For --unique tracking (without timestamp)
 				uniqueKey := fmt.Sprintf("%s:%d->%s:%d:%s:%d:%s",
 					entry.SrcIP, entry.SrcPort, entry.DstIP, entry.DstPort,