//! Passive DNS observer (UDP/53).
//!
//! Parses DNS query/response messages observed in UDP/53 traffic.
//! Two integration shapes:
//!
//! - [`DnsUdpObserver`] — callback-style tap that wraps an inner
//!   [`FlowExtractor`](crate::FlowExtractor) and fires
//!   [`DnsHandler`] events as a side effect of extraction.
//! - [`DnsUdpParser`] — typed message stream impl of
//!   [`DatagramParser`](crate::DatagramParser). Pair with
//!   `datagram_stream(...)` from `netring`.
//!
//! Both pair with the [`Correlator`] for query/response RTT
//! matching by 16-bit transaction ID, scoped per flow key.
//!
//! # Quick start (parser only)
//!
//! ```no_run
//! use flowscope::dns::{parse_message, DnsParseResult};
//!
//! let payload: &[u8] = b""; // your UDP/53 payload
//! match parse_message(payload) {
//!     Ok(DnsParseResult::Query(q)) => println!("query: {} questions", q.questions.len()),
//!     Ok(DnsParseResult::Response(r)) => println!("response: rcode={:?}", r.rcode),
//!     Err(_e) => {} // malformed — ignore
//! }
//! ```
//!
//! # Scope
//!
//! - **UDP/53 only** in v0.1. TCP/53 (large responses, AXFR/IXFR)
//!   and DoT (TLS/853) are deferred.
//! - **Passive** — no resolution, no validation.
//! - DNSSEC: RRSIG/DNSKEY surface as [`DnsRdata::Other`] with raw
//!   rdata; we don't validate.
//! - **Common record types** decoded: A, AAAA, CNAME, NS, PTR, MX.
//!   Everything else: `DnsRdata::Other { rtype, data }`.
pub use Correlator;
pub use ;
pub use DnsUdpObserver;
pub use ;
pub use DnsTcpParser;
pub use *;
/// Errors from the DNS module.