in_ebpf: Implement dns trace #11735

Draft
cosmo0920 wants to merge 3 commits into master from cosmo0920-implement-dns-trace

@cosmo0920
Contributor

In this PR, I implemented a DNS query eBPF trace.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
sudo bin/fluent-bit -i ebpf -ptrace=trace_dns -o stdout -v
  • Debug log output from testing the change
Fluent Bit v5.0.4
* Copyright (C) 2015-2026 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____ 
|  ___| |                | |   | ___ (_) |         |  ___||  _  |
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   _|___ \ | |/' |
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \|  /| |
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V //\__/ /\ |_/ /
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)\___/


[2026/04/22 13:08:57.904] [ info] Configuration:
[2026/04/22 13:08:57.925] [ info]  flush time     | 1.000000 seconds
[2026/04/22 13:08:57.930] [ info]  grace          | 5 seconds
[2026/04/22 13:08:57.931] [ info]  daemon         | 0
[2026/04/22 13:08:57.931] [ info] ___________
[2026/04/22 13:08:57.931] [ info]  inputs:
[2026/04/22 13:08:57.931] [ info]      ebpf
[2026/04/22 13:08:57.932] [ info] ___________
[2026/04/22 13:08:57.932] [ info]  filters:
[2026/04/22 13:08:57.932] [ info] ___________
[2026/04/22 13:08:57.932] [ info]  outputs:
[2026/04/22 13:08:57.932] [ info]      stdout.0
[2026/04/22 13:08:57.933] [ info] ___________
[2026/04/22 13:08:57.933] [ info]  collectors:
[2026/04/22 13:08:58.002] [ info] [fluent bit] version=5.0.4, commit=dfdc57cc69, pid=355581
[2026/04/22 13:08:58.011] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2026/04/22 13:08:58.016] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2026/04/22 13:08:58.017] [ info] [simd    ] SSE2
[2026/04/22 13:08:58.017] [ info] [cmetrics] version=2.1.2
[2026/04/22 13:08:58.017] [ info] [ctraces ] version=0.7.1
[2026/04/22 13:08:58.033] [ info] [input:ebpf:ebpf.0] initializing
[2026/04/22 13:08:58.034] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2026/04/22 13:08:58.035] [debug] [ebpf:ebpf.0] created event channels: read=21 write=22
[2026/04/22 13:08:58.036] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2026/04/22 13:08:58.041] [debug] [input:ebpf:ebpf.0] processing trace: trace_dns
[2026/04/22 13:08:58.041] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_dns
[2026/04/22 13:09:03.453] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_dns
[2026/04/22 13:09:03.463] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_dns
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: dns_connect_pending
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: dns_sockets
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: dns_queries
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: events
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: dns_recv
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: gadget_heap
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: gadget_mntns_filter_map
[2026/04/22 13:09:03.464] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: trace_dn.rodata
[2026/04/22 13:09:03.465] [trace] [input:ebpf:ebpf.0 at /home/cosmo/GitHub/fluent-bit/plugins/in_ebpf/in_ebpf.c:49] found BPF map: trace_dn.bss
[2026/04/22 13:09:03.468] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_dns
[2026/04/22 13:09:03.468] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_dns
[2026/04/22 13:09:03.469] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2026/04/22 13:09:03.471] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2026/04/22 13:09:03.475] [debug] [stdout:stdout.0] created event channels: read=49 write=50
[2026/04/22 13:09:03.512] [ info] [sp] stream processor started
[2026/04/22 13:09:03.514] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2026/04/22 13:09:03.520] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:03.527] [ info] [output:stdout:stdout.0] worker #0 started
[2026/04/22 13:09:03.664] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:03.924] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:03.936] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/22 13:09:03.937] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_dns
[2026/04/22 13:09:03.938] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_dns
[2026/04/22 13:09:03.939] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:04.164] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:04.414] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:04.664] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:04.914] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/22 13:09:04.915] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_dns
[2026/04/22 13:09:04.964] [trace] [input chunk] update output instances with new chunk size diff=186, records=1, input=ebpf.0
[2026/04/22 13:09:04.968] [trace] [input chunk] update output instances with new chunk size diff=190, records=1, input=ebpf.0
[2026/04/22 13:09:04.968] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_dns
[2026/04/22 13:09:04.968] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.164] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.414] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.414] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.664] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.923] [trace] [task 0x6653660] created (id=0)
[2026/04/22 13:09:05.929] [debug] [task] created task=0x6653660 id=0 OK
[2026/04/22 13:09:05.930] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[0] ebpf.0: [[1776830944.927134652, {}], {"event_type"=>"dns", "pid"=>4719, "tid"=>343834, "comm"=>"DNS Res~ver #52", "query"=>"sync-1-us-west1-g.sync.services.mozilla.com", "query_type"=>1, "txid"=>11237, "response"=>0, "rcode"=>0, "latency_ns"=>0, "error_raw"=>0}]
[1] ebpf.0: [[1776830944.966563667, {}], {"event_type"=>"dns", "pid"=>4719, "tid"=>343834, "comm"=>"DNS Res~ver #52", "query"=>"sync-1-us-west1-g.sync.services.mozilla.com", "query_type"=>1, "txid"=>11237, "response"=>1, "rcode"=>0, "latency_ns"=>10443380, "error_raw"=>0}]
[2026/04/22 13:09:05.945] [debug] [out flush] cb_destroy coro_id=0
[2026/04/22 13:09:05.946] [trace] [coro] destroy coroutine=0x833dbf0 data=0x833dc10
[2026/04/22 13:09:05.946] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:05.931] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/22 13:09:05.946] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_dns
[2026/04/22 13:09:05.947] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_dns
[2026/04/22 13:09:05.948] [trace] [engine] [task event] task_id=0 out_id=0 return=OK
[2026/04/22 13:09:05.954] [debug] [task] destroy task=0x6653660 (task_id=0)
[2026/04/22 13:09:05.958] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.164] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.414] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.664] [trace] [sched] 0 timer coroutines destroyed
^C[2026/04/22 13:09:06] [engine] caught signal (SIGINT)
[2026/04/22 13:09:06.819] [trace] [engine] flush enqueued data
[2026/04/22 13:09:06.819] [ warn] [engine] service will shutdown in max 5 seconds
[2026/04/22 13:09:06.820] [ info] [engine] pausing all inputs..
[2026/04/22 13:09:06.821] [ info] [input] pausing ebpf.0
[2026/04/22 13:09:06.822] [debug] [input:ebpf:ebpf.0] collector paused
[2026/04/22 13:09:06.823] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.914] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.920] [ info] [engine] service has stopped (0 pending tasks)
[2026/04/22 13:09:06.920] [ info] [input] pausing ebpf.0
[2026/04/22 13:09:06.921] [debug] [input:ebpf:ebpf.0] collector paused
[2026/04/22 13:09:06.923] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2026/04/22 13:09:06.923] [trace] [sched] 0 timer coroutines destroyed
[2026/04/22 13:09:06.930] [ info] [output:stdout:stdout.0] thread worker #0 stopped
[2026/04/22 13:09:07.144] [ info] [input:ebpf:ebpf.0] eBPF input plugin exited

  • Attached Valgrind output that shows no leaks or memory corruption was found
==355581== 
==355581== HEAP SUMMARY:
==355581==     in use at exit: 0 bytes in 0 blocks
==355581==   total heap usage: 3,784 allocs, 3,784 frees, 17,106,722 bytes allocated
==355581== 
==355581== All heap blocks were freed -- no leaks are possible
==355581== 

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
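
The `dns` records in the debug log above arrive as a query event followed by a response event carrying the same `txid`. As an added example (not part of the PR or of Fluent Bit), the script below parses stdout-output lines of that shape and pairs each response with its query, leaving unanswered queries visible. It assumes `response` 0/1 marks query/response, as the sample suggests, and keys on `(pid, txid, query)`; the function names and the third sample record are constructed for illustration.

```python
import re

# Records 0-1 and the debug line are copied from the log above; record 2 is constructed.
SAMPLE = """\
[0] ebpf.0: [[1776830944.927134652, {}], {"event_type"=>"dns", "pid"=>4719, "tid"=>343834, "comm"=>"DNS Res~ver #52", "query"=>"sync-1-us-west1-g.sync.services.mozilla.com", "query_type"=>1, "txid"=>11237, "response"=>0, "rcode"=>0, "latency_ns"=>0, "error_raw"=>0}]
[1] ebpf.0: [[1776830944.966563667, {}], {"event_type"=>"dns", "pid"=>4719, "tid"=>343834, "comm"=>"DNS Res~ver #52", "query"=>"sync-1-us-west1-g.sync.services.mozilla.com", "query_type"=>1, "txid"=>11237, "response"=>1, "rcode"=>0, "latency_ns"=>10443380, "error_raw"=>0}]
[2026/04/22 13:09:05.945] [debug] [out flush] cb_destroy coro_id=0
[2] ebpf.0: [[1776830945.100000000, {}], {"event_type"=>"dns", "pid"=>4719, "tid"=>343834, "comm"=>"DNS Res~ver #52", "query"=>"unanswered.example.test", "query_type"=>1, "txid"=>11238, "response"=>0, "rcode"=>0, "latency_ns"=>0, "error_raw"=>0}]
"""

# "[N] tag: [[timestamp, {metadata}], {key=>value, ...}]"
REC = re.compile(r'^\[\d+\] (\S+): \[\[[\d.]+, \{.*?\}\], \{(.*)\}\]$')
# One "key"=>value pair; the value is a quoted string or an integer.
KV = re.compile(r'"(\w+)"=>(?:"((?:[^"\\]|\\.)*)"|(-?\d+))')


def parse_records(text):
    """Return one dict of fields per stdout record, skipping engine log lines."""
    events = []
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue  # timestamped engine/debug lines do not match the record shape
        events.append({k: (int(i) if i else s) for k, s, i in KV.findall(m.group(2))})
    return events


def pair_dns(events):
    """Match responses to queries; return (answered pairs, unanswered queries)."""
    pending, pairs = {}, []
    for e in events:
        if e.get("event_type") != "dns":
            continue
        # txid is only 16 bits, so the key also includes pid and query name.
        key = (e["pid"], e["txid"], e["query"])
        if e["response"] == 0:
            pending[key] = e
        elif key in pending:
            pending.pop(key)
            pairs.append({"query": e["query"], "comm": e["comm"], "rcode": e["rcode"],
                          "latency_ms": e["latency_ns"] / 1e6})
    return pairs, list(pending.values())


if __name__ == "__main__":
    answered, unanswered = pair_dns(parse_records(SAMPLE))
    print(answered, [q["query"] for q in unanswered])
```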

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
