DNS-Sentinel

DNS Sentinel: An eBPF tool that visualizes DNS activity in real time and points out suspicious trafic.

Comment

Inspiration

This project arises from my deep curiosity, during the last few months I have developed a big interest in cybersecurity. All the scripts, all the tools and i have always wanted to develop something related. What truly inspired me was the idea of understanding what happens behind the scenes: how threats are detected, how traffic is analyzed, and how low-level systems actually work.

I remember scrolling through Devpost looking for a cool challenge when I stumbled on this hackathon. I did a little research, and it instantly grabbed my attention. eBPF, C, Linux, and kernels are really interesting topics, and I don’t have much experience with them. But, like a lot of fun stuff in life, it all started with a simple “why not?”

What it does

This program aims to access the DNS traffic on our computer to identify which interfaces are sending that traffic and which domains it is reaching. It also checks whether an interface is being overloaded with too many requests, which could indicate either a Denial-of-Service (DDoS) attack or that some malware is sending information to an unknown domain.

How we built it

I built this project by combining eBPF, XDP, C, and Python into a pipeline capable of capturing, processing, and displaying DNS activity in real time.

The core of the system is an eBPF program written in C, attached to the network interface using XDP. This program inspects DNS packets at a very early stage in the kernel and extracts key metadata such as the source IP, domain hash, and timestamps. To manage state across packets, I used several eBPF maps, including hash maps for counting DNS queries per IP and tracking recent domain hashes.

On the user-space side, I wrote a C application using libbpf to load and attach the eBPF program. This user-space program also reads all map data periodically, computes basic analytics (like QPS and risk scoring), and renders everything in a clean real-time terminal interface.

Additionally, I integrated a small Python script that passively captures DNS traffic and writes domain names to a shared file. A dedicated C thread continuously reads from this file and matches domains to their corresponding hashes, allowing the dashboard to display human-readable domain names whenever available.

The final result is a hybrid system where:

  • C + eBPF handle packet filtering and kernel-level metrics,

  • C (user space) handles visualization, logic, and map reading,

  • Python enriches the system by resolving domain names in the background.

  • Despite the complexity, the combination allowed me to build a functional real-time DNS monitoring tool from scratch.

Challenges we ran into

The problems and challenges started from the very beginning. I decided to develop this project in C to force myself to learn it, a language whose reputation for being “scary” I never truly believed until I used it. I faced compatibility issues with several packages, struggles with the language itself, compilation errors, and difficulties integrating a Python script. It was a full technological odyssey. Still, I’m a firm believer that sometimes; to truly learn, you have to step into the mud and push through until the end.

Accomplishments that we're proud of

For me, the biggest achievements in this project were:

  • Getting everything to compile — it was much harder than I expected.

  • Successfully intercepting and analyzing DNS traffic.

  • Learning the basics of eBPF and understanding how it works inside the kernel.

  • Improving my C programming skills through real practice.

  • Becoming more comfortable using the Linux terminal.

  • Applying low-level programming concepts in a real project.

  • Staying committed to the project even during the most difficult and frustrating moments.

These achievements may seem simple, but for me they represent real progress, both technically and personally.

What we learned

Throughout this project I learned a lot more than I expected. I discovered how eBPF works and why it’s such a powerful way to observe what happens inside the Linux kernel. I also learned how to write small programs in C that interact with kernel maps, and how strict and unforgiving the language can be—but also how fast and efficient it is when things finally work.

I learned how DNS traffic actually flows through the system, how to capture it, and how to process it safely. I also improved my skills using the Linux terminal, debugging tools, and compiling programs with multiple components.

Finally, I learned something more personal: that even as a beginner, I can build something real if I stay patient, keep trying, and don’t quit when things get complicated.

What's next for DNS-Sentinel

Rather than focusing only on extending this project, my main goal is to keep learning and improving in the technologies behind it. I’m currently enrolled in the Linux Foundation’s Introduction to Cilium course, which will help me understand eBPF and networking at a deeper level.

I also want to become more fluent and confident in C so I can write more efficient and reliable code. With this knowledge, I hope to revisit DNS-Sentinel in the future, refactor parts of it, and maybe scale it into a more advanced and more stable tool.

This project is just the beginning of my journey into low-level programming, networking, and eBPF.

Built With

Share this project:

Updates