Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 9. Network observability DNS resolution analysis
Learn how DNS resolution analysis uses eBPF-based decoding to identify service discovery issues and follow the steps to enable DNS tracking in the FlowCollector resource to enrich network flow records with domain names.
9.1. Strategic benefits of DNS resolution analysis
Use DNS resolution analysis to differentiate between network transport failures and service discovery issues by enriching eBPF flow records with domain names and status codes.
Standard flow logs only show that traffic occurred on port 53. DNS resolution analysis allows you to complete the following tasks:
-
Reduced Mean time to identify (Mtti): Distinguish immediately between a network routing failure and a DNS resolution failure, such as an
NXDOMAINerror. -
Measure internal service latency: Track the time it takes for CoreDNS to respond to specific internal lookups (e.g.,
my-service.namespace.svc.cluster.local). - Audit external dependencies: Audit which external APIs or third-party domains your workloads are communicating with without requiring sidecars or manual packet captures.
- Improved security posture: Detect potential data exfiltration or Command and Control (C2) activity by auditing the Fully Qualified Domain Names (FQDNs) queried by internal workloads.
9.1.1. DNS flow enrichment
When this feature is active, the eBPF agent enriches the flow records. This metadata allows you to group and filter traffic by the intent of the connection (the domain) rather than just the source IP.
Enhanced DNS decoding allows the eBPF agent to inspect UDP and TCP DNS traffic on port 53 along with the query names for the DNS request.
9.2. Configure DNS domain tracking for network observability
Enable DNS tracking in the Network Observability Operator to monitor DNS query names, response codes, and latency for network flows within the cluster.
Prerequisites
- The Network Observability Operator is installed.
-
You have
cluster-adminprivileges. -
You are familiar with the
FlowCollectorcustom resource.
Procedure
Edit the
FlowCollectorresource by running the following command:$ oc edit flowcollector clusterConfigure the eBPF agent to enable the DNS tracking feature:
apiVersion: flows.netobserv.io/v1alpha1 kind: FlowCollector metadata: name: cluster spec: agent: type: eBPF ebpf: features: - DNSTrackingwhere:
spec.agent.type.ebpf.features-
Specifies the list of features to enable for the eBPF agent. To enable DNS tracking, add
DNSTrackingto this list.
- Save and exit the editor.
Verification
-
In the OpenShift Container Platform web console, navigate to Observe
Network Traffic. - In the Traffic Flows view, click the Manage columns icon.
- Ensure that the DNS Query Name, DNS Response Code, and DNS Latency columns are selected.
-
Filter the results by setting Port to
53. - Confirm that the flow table columns are populated with domain names and DNS metadata.
9.3. DNS flow enrichment and analysis reference
Identify metadata added to network flows, leverage DNS data for network optimization, and understand the performance and storage impacts on the cluster.
The following table describes the metadata fields added to network flows when DNS tracking is enabled.
Query names might be missing or truncated because of compression pointers or cache limitations.
| Field | Description | Example |
|---|---|---|
|
| The Fully Qualified Domain Name (FQDN) being queried. |
|
|
| The status code returned by the DNS server. |
|
|
| The transaction ID used to match queries with responses. |
|
9.3.1. Leverage DNS data for network optimization
Use the captured DNS metadata for the following operational outcomes:
- Audit external dependencies: Ensure workloads are not reaching out to unauthorized external APIs or high-risk domains.
-
Performance tuning: Monitor
DNS Latencyto identify ifCoreDNSpods require additional scaling or if upstream DNS providers are lagging.
9.3.2. Identify misconfiguration errors
A high frequency of NXDOMAIN responses typically indicates service discovery errors in application code or stale environment variables.
NXDOMAIN errors can be frequent in Kubernetes because of DNS searches on services and pods. While these results do not necessarily indicate a misconfiguration or broken URL, they can negatively impact performance.
When NXDOMAIN errors are returned despite an apparently valid Service or Pod host name, such as my-svc.my-namespace.svc, the resolver is likely configured to query DNS for different suffixes. You can optimize this by adding a trailing dot to fully qualified domain names to tell the resolver that the name is unambiguous.
For example, instead of https://my-svc.my-namespace.svc, use https://my-svc.my-namespace.svc.cluster.local. with a trailing dot.
9.3.3. Loki storage considerations
DNS tracking increases the number of labels and the amount of metadata per flow. Ensure that the Loki storage is sized to accommodate the increased log volume.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}