Inspiration

I always wanted to try eBPF after my professor mentioned how it can safely change kernel behavior at runtime. It sounded exciting and very different from normal programming, so this hackathon felt like the perfect chance to finally build something with it.


What it does

  • Attaches an eBPF program using tc
  • Parses Ethernet, IP, UDP, and DNS headers
  • Reconstructs the domain name
  • Checks it against a blocklist
  • Drops or allows the packet
  • Blocklist can be updated from userspace

How I built it

Technologies: eBPF, ebpf-go, GoFiber (web UI)
Hook point: tcx (TC express); the program's return value is a tcx action code
Map type: BPF_MAP_TYPE_HASH

The program inspects each packet and:

  • verifies the transport protocol is UDP
  • checks that the destination port is 53 (DNS)
  • parses the DNS query and compares it against keys stored in the eBPF map
  • drops matching packets by returning TCX_DROP
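The parse-and-lookup path described above, as an added illustration (not the project's own eBPF source, which the page does not include) written to compile and run as ordinary C while keeping the shape the verifier demands: a check against data_end before every read, constant loop bounds, and a fixed-size map key. The blocklist array stands in for the BPF_MAP_TYPE_HASH, the 64-byte key size and the 10-label limit are assumptions, and the DNS query packet is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts use the kernel's tcx action values: TCX_PASS = 0, TCX_DROP = 2. */
enum { TCX_PASS = 0, TCX_DROP = 2 };

#define MAX_NAME_LEN 64  /* assumed fixed key size of the blocklist hash map */
#define MAX_LABELS   10  /* assumed constant loop bound; the verifier needs one */

/* Header layouts as byte arrays: no kernel headers, no host byte-order dependence. */
struct eth_hdr { uint8_t dst[6], src[6], proto[2]; };
struct ip_hdr  { uint8_t vihl, tos, len[2], id[2], frag[2], ttl, proto, csum[2], saddr[4], daddr[4]; };
struct udp_hdr { uint8_t sport[2], dport[2], len[2], csum[2]; };
struct dns_hdr { uint8_t id[2], flags[2], qdcount[2], ancount[2], nscount[2], arcount[2]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Stand-in for the BPF_MAP_TYPE_HASH blocklist: keys are fixed-size, zero-padded
 * byte arrays and a lookup compares the whole key, exactly as the map would. */
static const char blocklist[][MAX_NAME_LEN] = { "ads.example.com", "telemetry.test" };

static int blocklist_lookup(const char key[MAX_NAME_LEN]) {
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (memcmp(key, blocklist[i], MAX_NAME_LEN) == 0) return 1;
    return 0;
}

/* Reconstruct the dotted, lower-cased query name from DNS label encoding.
 * Every read is preceded by a check against data_end and both loops have a
 * constant bound. Returns the name length, or -1 if the name is truncated,
 * uses a compression pointer, or does not fit the map key. */
static int parse_qname(const uint8_t *p, const uint8_t *data_end, char out[MAX_NAME_LEN]) {
    int olen = 0;
    memset(out, 0, MAX_NAME_LEN);
    for (int i = 0; i < MAX_LABELS; i++) {
        if (p + 1 > data_end) return -1;
        uint8_t len = *p++;
        if (len == 0) return olen;                      /* root label ends the name */
        if (len & 0xC0) return -1;                      /* compression pointer: not valid in a query */
        if (p + len > data_end) return -1;
        if (olen + len + 1 >= MAX_NAME_LEN) return -1;  /* would not fit the map key */
        if (olen > 0) out[olen++] = '.';
        for (int j = 0; j < 63; j++) {                  /* 63 is the maximum label length */
            if (j >= len) break;
            char c = (char)p[j];
            out[olen++] = (c >= 'A' && c <= 'Z') ? (char)(c + 32) : c;
        }
        p += len;
    }
    return -1;
}

/* Ethernet -> IPv4 -> UDP/53 -> DNS query -> name -> hash lookup. Anything that
 * does not parse is passed unchanged (fail-open). name_out may be NULL. */
static int dns_verdict(const uint8_t *data, size_t pktlen, char name_out[MAX_NAME_LEN]) {
    const uint8_t *data_end = data + pktlen;
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end || rd16(eth->proto) != 0x0800) return TCX_PASS;
    const struct ip_hdr *ip = (const struct ip_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return TCX_PASS;
    if (ip->vihl != 0x45 || ip->proto != 17) return TCX_PASS;   /* IPv4 without options, UDP only */
    const struct udp_hdr *udp = (const struct udp_hdr *)(ip + 1);
    if ((const uint8_t *)(udp + 1) > data_end || rd16(udp->dport) != 53) return TCX_PASS;
    const struct dns_hdr *dns = (const struct dns_hdr *)(udp + 1);
    if ((const uint8_t *)(dns + 1) > data_end) return TCX_PASS;
    if (rd16(dns->flags) & 0x8000) return TCX_PASS;             /* a response, not a query */
    char name[MAX_NAME_LEN];
    if (parse_qname((const uint8_t *)(dns + 1), data_end, name) < 0) return TCX_PASS;
    if (name_out) memcpy(name_out, name, MAX_NAME_LEN);
    return blocklist_lookup(name) ? TCX_DROP : TCX_PASS;
}

/* Build a constructed Ethernet/IPv4/UDP DNS A query for qname; returns its length. */
static size_t build_query(uint8_t *buf, const char *qname) {
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    struct ip_hdr  *ip  = (struct ip_hdr *)(eth + 1);
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    struct dns_hdr *dns = (struct dns_hdr *)(udp + 1);
    uint8_t *p = (uint8_t *)(dns + 1);
    memset(buf, 0, sizeof *eth + sizeof *ip + sizeof *udp + sizeof *dns);
    wr16(eth->proto, 0x0800);
    ip->vihl = 0x45; ip->ttl = 64; ip->proto = 17;
    wr16(udp->sport, 40000); wr16(udp->dport, 53);
    wr16(dns->id, 0x1234); wr16(dns->flags, 0x0100); wr16(dns->qdcount, 1);
    for (const char *s = qname; *s; ) {                         /* encode each label */
        const char *dot = strchr(s, '.');
        size_t l = dot ? (size_t)(dot - s) : strlen(s);
        *p++ = (uint8_t)l; memcpy(p, s, l); p += l;
        s += l + (dot ? 1 : 0);
    }
    *p++ = 0;                                                   /* root label */
    *p++ = 0; *p++ = 1; *p++ = 0; *p++ = 1;                     /* QTYPE A, QCLASS IN */
    wr16(ip->len, (uint16_t)(p - (uint8_t *)ip));
    wr16(udp->len, (uint16_t)(p - (uint8_t *)udp));
    return (size_t)(p - buf);
}

/* Verdict for a query to qname with `trim` trailing bytes cut off, to exercise
 * the fail-open path on a truncated packet. */
static int verdict_for(const char *qname, size_t trim, char name_out[MAX_NAME_LEN]) {
    uint8_t buf[512];
    size_t n = build_query(buf, qname);
    return dns_verdict(buf, n > trim ? n - trim : 0, name_out);
}

int main(void) {
    const char *queries[] = { "Ads.Example.COM", "news.example.org", "telemetry.test" };
    for (size_t i = 0; i < 3; i++) {
        char name[MAX_NAME_LEN] = "";
        int v = verdict_for(queries[i], 0, name);
        printf("%-18s -> %s (key \"%s\")\n", queries[i], v == TCX_DROP ? "TCX_DROP" : "TCX_PASS", name);
    }
    return 0;
}
```

Three points a practitioner should take from this shape. A hash map compares the whole key, so the userspace side must insert names lower-cased and zero-padded to the same fixed size, or lookups silently miss. The fail-open branches are the bypass surface: a query name with more labels than the loop bound, or longer than the key, is passed rather than blocked, so either fail closed on unparseable DNS or size the key for the 253-byte maximum name. And only plain UDP/53 is inspected, so DNS over TCP, DoT and DoH are outside this filter.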

Challenges I ran into

The main difficulty was the verifier rejecting the program. Most time went into fixing pointer safety, limiting loops, and understanding why the verifier blocked certain code paths.


What I learned

  • eBPF needs strict bounds and checks
  • Small unsafe patterns can cause verifier failures
  • Debugging eBPF is very different from normal C

What's next for ebpFilter

  • Add statistics (packet counts, logs, metrics)
  • Maybe extend it into a simple firewall

Built With

  • bpftool
  • ebpf
  • ebpf-go
  • gofiber