pub fn parse_query(packet: &[u8]) -> Result<DnsQueryView, DnsParseError>

Parse the question section of a workload DNS query (single-question API).

Returns a DnsQueryView over the sole question on success, or a
DnsParseError describing why the packet is rejected.

HIGH-D1 hardened this entry point: any packet declaring QDCOUNT != 1
is now rejected with DnsParseError::QdcountZero (for QDCOUNT == 0)
or DnsParseError::QdcountUnsupported (for QDCOUNT > 1). The
previous behaviour — “parse FIRST question, leave trailing questions
to be forwarded verbatim” — created a policy-bypass / log-evasion
vector where a hostile guest could ride one allowlisted question on the
front of a multi-question packet and have the upstream resolver answer
the rest. RFC 1035 §4.1.2 permits QDCOUNT > 1 but every modern
recursive resolver (Unbound, Knot, BIND) services only the first
question on UDP, so refusing here costs nothing in real-world
compatibility while closing the bypass. Tools that legitimately need
to inspect every declared question (offline fixture inspection, etc.)
should reach for parse_query_multi instead.

On error, callers should drop the packet (no response) and emit a
dns_query event with reasonCode: malformed_query.
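As an added illustration (not the crate's own implementation), the following minimal parser enforces the QDCOUNT == 1 rule described above and returns the two DnsParseError variants named here. The other variant names (Truncated, CompressionNotAllowed), the DnsQueryView field layout, and the fixture helpers encode_question / build_packet are assumptions made for this example.

```rust
// Added example, not the crate's own code. Enforces the single-question rule on a
// raw DNS query: QDCOUNT == 0 -> QdcountZero, QDCOUNT > 1 -> QdcountUnsupported.
// Variant names other than those two, the DnsQueryView fields and the helpers
// below are assumptions made for this illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum DnsParseError {
    Truncated,             // assumed variant: packet ends before header/question does
    QdcountZero,           // QDCOUNT == 0 (named on the page)
    QdcountUnsupported,    // QDCOUNT > 1 (named on the page)
    CompressionNotAllowed, // assumed variant: 0xC0 pointer label inside a question name
}

#[derive(Debug, PartialEq, Eq)]
pub struct DnsQueryView {
    pub id: u16,
    pub qname: String,
    pub qtype: u16,
    pub qclass: u16,
}

const HEADER_LEN: usize = 12; // RFC 1035 §4.1.1 fixed header

fn be16(b: &[u8], off: usize) -> Result<u16, DnsParseError> {
    match (b.get(off), b.get(off + 1)) {
        (Some(&hi), Some(&lo)) => Ok(u16::from_be_bytes([hi, lo])),
        _ => Err(DnsParseError::Truncated),
    }
}

/// Parse exactly one question; any other QDCOUNT is an error, never silently ignored.
pub fn parse_query(packet: &[u8]) -> Result<DnsQueryView, DnsParseError> {
    if packet.len() < HEADER_LEN {
        return Err(DnsParseError::Truncated);
    }
    let id = be16(packet, 0)?;
    // QDCOUNT lives at header offset 4..6; this match is the HIGH-D1 hardening.
    match be16(packet, 4)? {
        0 => return Err(DnsParseError::QdcountZero),
        1 => {}
        _ => return Err(DnsParseError::QdcountUnsupported),
    }
    // Walk the QNAME labels. Every byte is bounds-checked through `get`, and
    // pointer labels are refused, so a crafted packet cannot loop or read past the end.
    let mut pos = HEADER_LEN;
    let mut labels = Vec::new();
    loop {
        let len = *packet.get(pos).ok_or(DnsParseError::Truncated)? as usize;
        pos += 1;
        if len == 0 {
            break; // root label terminates the name
        }
        if len & 0xC0 != 0 {
            return Err(DnsParseError::CompressionNotAllowed);
        }
        let bytes = packet.get(pos..pos + len).ok_or(DnsParseError::Truncated)?;
        labels.push(String::from_utf8_lossy(bytes).into_owned());
        pos += len;
    }
    let qtype = be16(packet, pos)?;
    let qclass = be16(packet, pos + 2)?;
    Ok(DnsQueryView { id, qname: labels.join("."), qtype, qclass })
}

/// Fixture helper (constructed for this example): one question in wire format.
pub fn encode_question(name: &str, qtype: u16, qclass: u16) -> Vec<u8> {
    let mut out = Vec::new();
    for label in name.split('.').filter(|l| !l.is_empty()) {
        out.push(label.len() as u8);
        out.extend_from_slice(label.as_bytes());
    }
    out.push(0);
    out.extend_from_slice(&qtype.to_be_bytes());
    out.extend_from_slice(&qclass.to_be_bytes());
    out
}

/// Fixture helper (constructed for this example): header + questions, QDCOUNT = questions.len().
pub fn build_packet(id: u16, questions: &[Vec<u8>]) -> Vec<u8> {
    let mut pkt = Vec::new();
    pkt.extend_from_slice(&id.to_be_bytes());
    pkt.extend_from_slice(&0x0100u16.to_be_bytes()); // flags: RD set
    pkt.extend_from_slice(&(questions.len() as u16).to_be_bytes()); // QDCOUNT
    pkt.extend_from_slice(&[0u8; 6]); // ANCOUNT, NSCOUNT, ARCOUNT
    for q in questions {
        pkt.extend_from_slice(q);
    }
    pkt
}

fn main() {
    let single = build_packet(0x1234, &[encode_question("svc.internal.example", 1, 1)]);
    println!("{:?}", parse_query(&single));
    // A second question stacked behind an allowed first one is refused outright.
    let stacked = build_packet(
        0x1235,
        &[encode_question("svc.internal.example", 1, 1), encode_question("other.example", 16, 1)],
    );
    println!("{:?}", parse_query(&stacked));
}
```

A caller following the guidance above would map every Err value to a dropped packet plus a dns_query event carrying reasonCode: malformed_query; the distinct variants exist so the event can say which check fired.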