Project 13: DNS Traffic Monitor (Protocol Parsing)

Quick Reference

Attribute              Value
Primary Language       C (libbpf)
Alternative Languages  Go (cilium/ebpf), Rust (aya)
Difficulty             Level 3: Advanced
Time Estimate          2 weeks
Knowledge Area         Networking / Protocol Analysis
Tooling                libbpf, XDP or TC
Prerequisites          Projects 1-6 completed, basic DNS knowledge

What You Will Build

A DNS traffic monitor that parses DNS packets, extracts queries and responses, and provides visibility into DNS behavior—useful for security monitoring and debugging.

Why It Matters

This combines XDP/TC packet access with application-layer protocol parsing. You’ll learn to safely parse complex protocol structures in the constrained BPF environment.

Core Challenges

  • Parsing the DNS packet format: the fixed header followed by the question and answer sections
  • Extracting domain names: the length-prefixed label format and compression pointers
  • Handling the common record types: A, AAAA, CNAME, MX, TXT
  • Correlating queries with responses: tracking by transaction ID
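The first two challenges (header, question and answer sections; labels and compression pointers) in one place, as an added example that is not part of the original project's code: a user-space C parser over a constructed DNS response. It keeps the bounds-checked, bounded-loop discipline the BPF verifier would demand of the XDP/TC version, and rejects forward or self-referencing compression pointers, which is the loop a naive name decoder gets stuck in. The packet bytes, struct and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample (not captured traffic): a response to "www.example.com A",
 * whose answer name is a compression pointer (0xc00c) back to the question at offset 12. */
static const uint8_t sample_pkt[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                                  /* id, flags (QR=1, RCODE=0), counts */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,  /* question: name, QTYPE A, QCLASS IN */
    0xc0,0x0c, 0,1, 0,1, 0,0,0,60, 0,4, 93,184,216,34,                         /* answer: ptr->12, A, IN, TTL 60, 93.184.216.34 */
};

struct dns_view { uint16_t id, qtype; int is_response, rcode, answers; char qname[256]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the name at `off` into dotted form. Returns the offset just past the name's
 * in-line bytes (after the first pointer, if any), or -1 on any bounds violation.
 * Every read is checked against `len` and the loop is bounded, as BPF requires. */
static int dns_read_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outsz)
{
    size_t o = off, outpos = 0;
    int next = -1, steps = 0;
    for (;;) {
        if (o >= len || steps++ > 128) return -1;             /* bounded: no pointer loops */
        uint8_t l = pkt[o];
        if (l == 0) break;
        if ((l & 0xc0) == 0xc0) {                               /* compression pointer */
            if (o + 1 >= len) return -1;
            size_t ptr = ((size_t)(l & 0x3f) << 8) | pkt[o + 1];
            if (ptr >= o) return -1;                            /* must point backwards */
            if (next < 0) next = (int)(o + 2);
            o = ptr;
            continue;
        }
        if (l > 63 || o + 1 + l > len || outpos + l + 1 >= outsz) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + o + 1, l);
        outpos += l; o += 1 + l;
    }
    out[outpos] = '\0';
    return next >= 0 ? next : (int)(o + 1);
}

/* Fill `v` from a raw DNS message (the UDP payload). Returns 0, or -1 if malformed. */
static int dns_parse(const uint8_t *pkt, size_t len, struct dns_view *v)
{
    if (len < 12 || rd16(pkt + 4) < 1) return -1;             /* header plus at least one question */
    uint16_t flags = rd16(pkt + 2);
    v->id = rd16(pkt); v->is_response = flags >> 15; v->rcode = flags & 0x0f; v->answers = rd16(pkt + 6);
    int off = dns_read_name(pkt, len, 12, v->qname, sizeof v->qname);
    if (off < 0 || (size_t)off + 4 > len) return -1;          /* QTYPE and QCLASS must fit */
    v->qtype = rd16(pkt + off);
    return 0;
}
```

The transaction ID and QNAME returned by `dns_parse` are exactly the key the monitor uses to pair a query with its response.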

Key Concepts

  • DNS Protocol: “TCP/IP Illustrated, Volume 1”, Chapter 14, by W. Richard Stevens
  • DNS RFC: RFC 1035 (Domain Names - Implementation and Specification)
  • Packet Parsing in BPF: Datadog eBPF Guide

Real-World Outcome

$ sudo ./dnsmon eth0
Monitoring DNS traffic on eth0...

TIME       TYPE  SRC              DST              QUERY                    RESP
───────────────────────────────────────────────────────────────────────────────────
14:23:01   Q     192.168.1.10     8.8.8.8          www.google.com          -
14:23:01   R     8.8.8.8          192.168.1.10     www.google.com          142.250.80.46
14:23:02   Q     192.168.1.10     8.8.8.8          api.github.com          -
14:23:02   R     8.8.8.8          192.168.1.10     api.github.com          140.82.113.5
14:23:05   Q     192.168.1.10     8.8.8.8          malware.bad.com         -
14:23:05   R     8.8.8.8          192.168.1.10     malware.bad.com         NXDOMAIN

[Queries: 1,234 | Responses: 1,230 | NXDOMAIN: 4]

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “BPF Performance Tools” by Brendan Gregg